cybergate | 00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f | Triage

Submit
Reports

Overview

overview

Static

static

1

00634a9303...5f.exe

windows7-x64

00634a9303...5f.exe

windows10-2004-x64

Sharing

General

Target

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Size

563KB
Sample

230405-m4jr2afc5t
MD5

23939410486a7bd7ea857410d178fa1b
SHA1

4aa1823574ca22d3d5f0bbdd4e096fa6d7b08492
SHA256

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f
SHA512

71959b8a17e2d37b77edba82d47a2d3c26cda0d3bd746fdb2f5fe7793639ea3a761589f84a97058e11e77efbd5f5c05cdf527de7ee36ad524a6e14c4e3f3cd93
SSDEEP

12288:MgOLxkWo1XiA+j5uz4Rj/byFVHLAbRotcYT0Iw5p7ix:MPLlbpA4Rj/YNADlTix

Score

10^/10

cybergate vítima bootkit persistence stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

Resource

win7-20230220-en

cybergate vítima bootkit persistence stealer trojan upx

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

Resource

win10v2004-20230221-en

cybergate vítima persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

hbooob.no-ip.biz:333

hbooob1.no-ip.biz:333

xp8.no-ip.biz:333

ad3s.no-ip.biz:333

fof0.no-ip.biz:333

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Googleo
install_file
Googleo.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
- Size
  
  563KB
- MD5
  
  23939410486a7bd7ea857410d178fa1b
- SHA1
  
  4aa1823574ca22d3d5f0bbdd4e096fa6d7b08492
- SHA256
  
  00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f
- SHA512
  
  71959b8a17e2d37b77edba82d47a2d3c26cda0d3bd746fdb2f5fe7793639ea3a761589f84a97058e11e77efbd5f5c05cdf527de7ee36ad524a6e14c4e3f3cd93
- SSDEEP
  
  12288:MgOLxkWo1XiA+j5uz4Rj/byFVHLAbRotcYT0Iw5p7ix:MPLlbpA4Rj/YNADlTix
Score

10^/10

cybergate vítima bootkit persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cybergatevítimabootkitpersistencestealertrojanupx

behavioral2

cybergatevítimapersistencestealertrojanupx

© 2018-2024

Terms | Privacy