cybergate | 31559c59bc37ce7dd19fc364f9b2ec6bf1f4f8b5d87b94841c95e0cdca57ee2c | Triage

Submit
Reports

Overview

overview

Static

static

3

638b30e053...98.exe

windows7-x64

638b30e053...98.exe

windows10-2004-x64

Sharing

General

Target

638b30e05302ffce2393a5fc6be3b698
Size

319KB
Sample

240117-zdagwsegd2
MD5

638b30e05302ffce2393a5fc6be3b698
SHA1

d8098b581dcfabb70d832ddaf592ee42a984617b
SHA256

31559c59bc37ce7dd19fc364f9b2ec6bf1f4f8b5d87b94841c95e0cdca57ee2c
SHA512

9497dea88a30aee1911d060b4c644910517d17d2c4b32ac1965f23caab41df8092e94370d94a245e976b04a137940061401e087ef32c0c69ecb39b608fee45e4
SSDEEP

6144:4rJ/Ug1TsNqkgnQanbvZkginiO5V882lWOTKbhbDQ1RFqNA8Q+y:uJXINZmQanbhZir5Vx2l32hDoFqG8Q+y

Score

10^/10

cybergate cyber persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

638b30e05302ffce2393a5fc6be3b698.exe

Resource

win7-20231215-en

cybergate cyber persistence stealer trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

638b30e05302ffce2393a5fc6be3b698.exe

Resource

win10v2004-20231222-en

cybergate cyber persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

smnn.no-ip.org:777

Mutex

613GYEA4MPRMNG

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Hi Liam, Hacking...... Done!
message_box_title
Hi, Enjoy!
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  638b30e05302ffce2393a5fc6be3b698
- Size
  
  319KB
- MD5
  
  638b30e05302ffce2393a5fc6be3b698
- SHA1
  
  d8098b581dcfabb70d832ddaf592ee42a984617b
- SHA256
  
  31559c59bc37ce7dd19fc364f9b2ec6bf1f4f8b5d87b94841c95e0cdca57ee2c
- SHA512
  
  9497dea88a30aee1911d060b4c644910517d17d2c4b32ac1965f23caab41df8092e94370d94a245e976b04a137940061401e087ef32c0c69ecb39b608fee45e4
- SSDEEP
  
  6144:4rJ/Ug1TsNqkgnQanbvZkginiO5V882lWOTKbhbDQ1RFqNA8Q+y:uJXINZmQanbhZir5Vx2l32hDoFqG8Q+y
Score

10^/10

cybergate cyber persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatecyberpersistencestealertrojanupx

behavioral2

cybergatecyberpersistencestealertrojanupx

© 2018-2024

Terms | Privacy