cybergate | NEAS[.]07206cbd129395cf5ad92a7c19356640_JC[.]exe | Triage

Sharing

General

Target

NEAS.07206cbd129395cf5ad92a7c19356640_JC.exe
Size

336KB
MD5

07206cbd129395cf5ad92a7c19356640
SHA1

e480f469cf50d65041df9a116464ac972f4becaa
SHA256

9476c98c6e38ddc1518f1f9fd7a9dbe310610fc7a8190dd32cc488d56b6ac9af
SHA512

b06faf3fb29c7297873b3f7e993c7c0093cfbcc7d552ba5b0a57012abb55534c7b238e8e65c775578a3addcc9ec5808139e3275c4fc0221d42f268f632abf53a
SSDEEP

6144:B4ABFhCpAuO/50BTnyZsSaXhh4XAS79hO9R0O91FG+7IM:SU5GLyWSKaAS79MEqfG

Score

10^/10

upx cyber cybergate

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

Cyber

C2

failsafe.zapto.org:82

Mutex

1TWF3ROUAC4T38

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Winlog
install_file
Winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1337
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

Cybergate family
cybergate

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
sample	upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
NEAS.07206cbd129395cf5ad92a7c19356640_JC.exe

Files

NEAS.07206cbd129395cf5ad92a7c19356640_JC.exe
.exe windows:4 windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

UPX0
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 263KB - Virtual size: 264KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE