Overview

overview

10

Static

static

3

4b691362e3...41.exe

windows7-x64

10

4b691362e3...41.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4b691362e3b0af712303ec595ec36941

  • Size

    988KB

  • Sample

    240108-pemhqsadh4

  • MD5

    4b691362e3b0af712303ec595ec36941

  • SHA1

    15e7c2ab941b787b19ea80a7a035cb3a6a68dd0b

  • SHA256

    09f536d62b46ca2b7fa7644a972e9dc6308b29beebbad761ab513b3a34666139

  • SHA512

    3814491bc6472a7a1b7ebd08abd24659376459942d684519393706fe6451f4f3f5ecf83c9a41b7a2abe52f1413a1eb0c159a950d884e312fa0c557d57c908ad3

  • SSDEEP

    24576:LrLDeBdGq8/ljVVTL532sUTpvbyU3Nwc1anrjM:LrmShVTPGpve+Nwbrj

Score
10/10
cybergatesystempersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

System

C2

rambler.3utilities.com:25000

Mutex

L5V31564S5P2A3

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinRAR

  • install_file

    WinRARExten.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    priv

  • regkey_hkcu

    WinRARx

  • regkey_hklm

    WinRARx

Targets

    • Target

      4b691362e3b0af712303ec595ec36941

    • Size

      988KB

    • MD5

      4b691362e3b0af712303ec595ec36941

    • SHA1

      15e7c2ab941b787b19ea80a7a035cb3a6a68dd0b

    • SHA256

      09f536d62b46ca2b7fa7644a972e9dc6308b29beebbad761ab513b3a34666139

    • SHA512

      3814491bc6472a7a1b7ebd08abd24659376459942d684519393706fe6451f4f3f5ecf83c9a41b7a2abe52f1413a1eb0c159a950d884e312fa0c557d57c908ad3

    • SSDEEP

      24576:LrLDeBdGq8/ljVVTL532sUTpvbyU3Nwc1anrjM:LrmShVTPGpve+Nwbrj

    Score
    10/10
    cybergatesystempersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Adds policy Run key to start application

      persistence

    • Modifies Installed Components in the registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks