cybergate | 26cdd5d1fcdc190bcc49735d64c3f9c0fdd7d2fdcd558e314595e224272249d5 | Triage

Submit
Reports

Overview

overview

Static

static

3

e13e9b2901...a8.exe

windows7-x64

e13e9b2901...a8.exe

windows10-2004-x64

Sharing

General

Target

e13e9b29014e4d2c4c78fe088c9975a8
Size

364KB
Sample

231228-qqgx3ahaan
MD5

e13e9b29014e4d2c4c78fe088c9975a8
SHA1

e0a5d774fe94d67aa5be908652a761c84901e570
SHA256

26cdd5d1fcdc190bcc49735d64c3f9c0fdd7d2fdcd558e314595e224272249d5
SHA512

979d670efe4b6e8ae9d1bab0f870cb1742386e7b48d2873bebce68262d1ea78b4d9c645526629d8f94387773b2a557f47f942892be25863c5f0293c916e486cb
SSDEEP

6144:+QgLpzbsoOWV6L/oKuc2pFQ8f1z58sa0L1wboWK6qgf:YLpzbbOm6RgG8f19r+b3Mgf

Score

10^/10

cybergate bot persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e13e9b29014e4d2c4c78fe088c9975a8.exe

Resource

win7-20231215-en

cybergate bot persistence stealer trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

e13e9b29014e4d2c4c78fe088c9975a8.exe

Resource

win10v2004-20231215-en

cybergate bot persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

Bot

C2

log2.no-ip.biz:1222

Mutex

Eugene

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./
ftp_interval
480
ftp_password
warez123
ftp_port
21
ftp_server
nuclear.netau.net
ftp_username
a9546010
injected_process
explorer.exe
install_dir
install
install_file
winupd.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
132435
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  e13e9b29014e4d2c4c78fe088c9975a8
- Size
  
  364KB
- MD5
  
  e13e9b29014e4d2c4c78fe088c9975a8
- SHA1
  
  e0a5d774fe94d67aa5be908652a761c84901e570
- SHA256
  
  26cdd5d1fcdc190bcc49735d64c3f9c0fdd7d2fdcd558e314595e224272249d5
- SHA512
  
  979d670efe4b6e8ae9d1bab0f870cb1742386e7b48d2873bebce68262d1ea78b4d9c645526629d8f94387773b2a557f47f942892be25863c5f0293c916e486cb
- SSDEEP
  
  6144:+QgLpzbsoOWV6L/oKuc2pFQ8f1z58sa0L1wboWK6qgf:YLpzbbOm6RgG8f19r+b3Mgf
Score

10^/10

cybergate bot persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatebotpersistencestealertrojanupx

behavioral2

cybergatebotpersistencestealertrojanupx

© 2018-2024

Terms | Privacy