General

  • Target

    ae2a1d18269742e5a3ef375485528c8c832b0f24c5baa270d6e0bbd74bc6e09f

  • Size

    280KB

  • Sample

    230130-dywpzagg41

  • MD5

    95da40ff62c7a9e5949df7ea7f147c7a

  • SHA1

    a2fc847fa42e2df762c0e3f2d8b76c60e6a9a9d5

  • SHA256

    ae2a1d18269742e5a3ef375485528c8c832b0f24c5baa270d6e0bbd74bc6e09f

  • SHA512

    9ba0cf0248dcd05f963074fd7a3e9db4c96001f3b5c2e4899c1b51bc6f9c7c23131111be6e7ef289bc6e0cbd85b4ef232f29243adb857135073b85be1a2d1e2b

  • SSDEEP

    6144:X3O1ZWoxDNT/xQphU+MYerYcNC201Dxeb/AQAinBsoZ0HbKT:nOS4h/xQp6+MYerI201tebYQAinBO7KT

Malware Config

Extracted

Family

cybergate

Version

v1.01.17

Botnet

remote

C2

127.0.0.1:999

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Targets

    • Target

      ae2a1d18269742e5a3ef375485528c8c832b0f24c5baa270d6e0bbd74bc6e09f

    • Size

      280KB

    • MD5

      95da40ff62c7a9e5949df7ea7f147c7a

    • SHA1

      a2fc847fa42e2df762c0e3f2d8b76c60e6a9a9d5

    • SHA256

      ae2a1d18269742e5a3ef375485528c8c832b0f24c5baa270d6e0bbd74bc6e09f

    • SHA512

      9ba0cf0248dcd05f963074fd7a3e9db4c96001f3b5c2e4899c1b51bc6f9c7c23131111be6e7ef289bc6e0cbd85b4ef232f29243adb857135073b85be1a2d1e2b

    • SSDEEP

      6144:X3O1ZWoxDNT/xQphU+MYerYcNC201Dxeb/AQAinBsoZ0HbKT:nOS4h/xQp6+MYerI201tebYQAinBO7KT

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX or with a modified build of the UPX open-source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL
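The extracted config and the signature hits above are raw tool output; a responder usually wants them turned into concrete things to hunt for. The Python below is an added example, not part of this report and not code from any CyberGate tooling. It parses a "key: value" block constructed from the values on this page, classifies the C2 endpoint so that a loopback address such as 127.0.0.1:999 is not exported as a network indicator (this build cannot reach an operator from an infected host), and derives host indicators from the mutex, install path, injected process and keylogger settings. The registry locations listed for the "Adds policy Run key" signature are an assumption: the report names no key, and the Policies\Explorer\Run keys are the usual meaning of that phrase.

```python
import ipaddress

# Constructed sample: the CyberGate config values listed on this page, written
# as one "key: value" block. This is input for the example, not extractor output.
SAMPLE_CONFIG = """\
family: cybergate
version: v1.01.17
botnet: remote
c2: 127.0.0.1:999
mutex: CyberGate1
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: cybergate
"""

# Assumption: the report only says "Adds policy Run key"; these are the usual
# locations behind that phrase and are listed as places to check, not as fact.
POLICY_RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)


def parse_config(text):
    """Turn a 'key: value' block into a dict (keys lower-cased, values stripped)."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg


def as_bool(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def classify_c2(endpoint):
    """Split 'host:port' and say what kind of address the host is.

    Returns (host, port, kind) with kind one of loopback, link_local, multicast,
    unspecified, private, reserved, public or hostname. Only public addresses
    and hostnames are worth exporting as network indicators.
    """
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        host, port = endpoint, ""
    port = int(port) if port.isdigit() else None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host, port, "hostname"
    # Loopback is checked first: 127.0.0.0/8 also satisfies is_private.
    for kind in ("loopback", "link_local", "multicast", "unspecified",
                 "private", "reserved"):
        if getattr(ip, "is_" + kind):
            return host, port, kind
    return host, port, "public"


def derive_iocs(cfg):
    """Derive the host and network indicators a responder would hunt for."""
    host, port, kind = classify_c2(cfg.get("c2", ""))
    network = []
    if kind in ("public", "hostname") and port is not None:
        network.append(f"{host}:{port}")
    install_path = None
    if as_bool(cfg.get("install_flag")) and cfg.get("install_file"):
        parts = [p for p in (cfg.get("install_dir", ""), cfg["install_file"]) if p]
        install_path = "\\".join(parts)  # relative path as configured
    return {
        "c2_kind": kind,
        "network": network,
        "mutex": cfg.get("mutex"),
        "install_path": install_path,
        "injected_process": cfg.get("injected_process"),
        "keylogger": as_bool(cfg.get("enable_keylogger")),
        "keylog_exfil_ftp": as_bool(cfg.get("keylogger_enable_ftp")),
        "registry_keys_to_check": list(POLICY_RUN_KEYS),
    }


if __name__ == "__main__":
    for k, v in derive_iocs(parse_config(SAMPLE_CONFIG)).items():
        print(f"{k}: {v}")
```

For this sample the derived network list is empty, because 127.0.0.1 is loopback: the useful indicators are the mutex CyberGate1, the dropped install\server.exe, code running inside explorer.exe, and the policy Run entry that starts it.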

MITRE ATT&CK Enterprise v6