cybergate | c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb | Triage

Submit
Reports

Overview

overview

Static

static

c1f6c82a94...db.exe

windows7-x64

c1f6c82a94...db.exe

windows10-2004-x64

Sharing

General

Target

c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb
Size

401KB
Sample

230130-dzjf2afd88
MD5

b019df9dd9e96b7e32b668b100a21efa
SHA1

0514ccfc1dcb91eba65c5de3a12641d0e0d4a6eb
SHA256

c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb
SHA512

14ffd5425c6fdb37dbc379f44155c482f13ef9df8d0ea9b1803ae498b43e0cf0398b383de41b47aba489cc0619987fb2263fa501488a40ccd3fb78eddb4ec80f
SSDEEP

12288:YVthCrStUVt2159HbedfFdXUcksKeA3WeGVGO:YVtErSKVoj9qtEcRK3GGO

Score

10^/10

cybergate sality lammer backdoor evasion persistence stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb.exe

Resource

win7-20221111-en

cybergate sality lammer backdoor evasion persistence stealer trojan upx

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb.exe

Resource

win10v2004-20220812-en

cybergate sality lammer backdoor evasion persistence stealer trojan upx

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

Lammer

C2

127.0.0.1:81

Mutex

Pluguin

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
Pluguin.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
message_box_title
LAMMER
password
123
regkey_hkcu
Avirnt
regkey_hklm
Avgnt

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

- Target
  
  c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb
- Size
  
  401KB
- MD5
  
  b019df9dd9e96b7e32b668b100a21efa
- SHA1
  
  0514ccfc1dcb91eba65c5de3a12641d0e0d4a6eb
- SHA256
  
  c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb
- SHA512
  
  14ffd5425c6fdb37dbc379f44155c482f13ef9df8d0ea9b1803ae498b43e0cf0398b383de41b47aba489cc0619987fb2263fa501488a40ccd3fb78eddb4ec80f
- SSDEEP
  
  12288:YVthCrStUVt2159HbedfFdXUcksKeA3WeGVGO:YVtErSKVoj9qtEcRK3GGO
Score

10^/10

cybergate sality lammer backdoor evasion persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Bypass User Account Control

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cybergatesalitylammerbackdoorevasionpersistencestealertrojanupx

behavioral2

cybergatesalitylammerbackdoorevasionpersistencestealertrojanupx

© 2018-2024

Terms | Privacy