cybergate | 9358f8a7cc6c26ad6b55d24e121bad3463faa4e472d7a86e31d7abd306201482 | Triage

Submit
Reports

Overview

overview

Static

static

3

NEAS.6c5f9...70.exe

windows7-x64

NEAS.6c5f9...70.exe

windows10-2004-x64

Sharing

General

Target

NEAS.6c5f950b4d22bc875845bb6cb1500670.exe
Size

2.3MB
Sample

231111-blmkesdg75
MD5

6c5f950b4d22bc875845bb6cb1500670
SHA1

df4eeef16669f504251e1d7bb6c4f06b78755313
SHA256

9358f8a7cc6c26ad6b55d24e121bad3463faa4e472d7a86e31d7abd306201482
SHA512

a176544c0cdbddb38fb22f7cddc48a733d4a41d07f808a75a2c0507abed0f5266fdef62e602b98819d579d1b5111bca521b3b3e7261d61e32ae237d096ea270c
SSDEEP

49152:II9BtkzgldtZFLl+hFdzPFvvaamqh5SR7o6Hn3Sua:IIawdnChDzFKamqk77pa

Score

10^/10

cybergate victem adware persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

NEAS.6c5f950b4d22bc875845bb6cb1500670.exe

Resource

win7-20231023-en

cybergate victem adware persistence stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

NEAS.6c5f950b4d22bc875845bb6cb1500670.exe

Resource

win10v2004-20231023-en

cybergate victem adware persistence stealer trojan upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Trial version

Botnet

victem

C2

videomp4.duckdns.org:91

127.0.0.1:91

Mutex

ILL1SGQBL1QI62

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
UIsys
install_file
SYSui.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234123456
regkey_hkcu
HKCUsysui
regkey_hklm
HKLMuisys

Targets

- Target
  
  NEAS.6c5f950b4d22bc875845bb6cb1500670.exe
- Size
  
  2.3MB
- MD5
  
  6c5f950b4d22bc875845bb6cb1500670
- SHA1
  
  df4eeef16669f504251e1d7bb6c4f06b78755313
- SHA256
  
  9358f8a7cc6c26ad6b55d24e121bad3463faa4e472d7a86e31d7abd306201482
- SHA512
  
  a176544c0cdbddb38fb22f7cddc48a733d4a41d07f808a75a2c0507abed0f5266fdef62e602b98819d579d1b5111bca521b3b3e7261d61e32ae237d096ea270c
- SSDEEP
  
  49152:II9BtkzgldtZFLl+hFdzPFvvaamqh5SR7o6Hn3Sua:IIawdnChDzFKamqk77pa
Score

10^/10

cybergate victem adware persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatevictemadwarepersistencestealertrojan

behavioral2

cybergatevictemadwarepersistencestealertrojanupx

© 2018-2024

Terms | Privacy