cybergate | c34f21a18110de52e0b5ca87b84218b5c0815a303131a2c5d07782b80b45dec4 | Triage

Submit
Reports

Overview

overview

Static

static

3

932b4c1db2...83.exe

windows7-x64

932b4c1db2...83.exe

windows10-2004-x64

Sharing

General

Target

932b4c1db2fd7667a03b896b85fa3c83
Size

539KB
Sample

240205-2ef26shhb2
MD5

932b4c1db2fd7667a03b896b85fa3c83
SHA1

2fbee861cb72bb830ac40191d779bff6cd02d3c1
SHA256

c34f21a18110de52e0b5ca87b84218b5c0815a303131a2c5d07782b80b45dec4
SHA512

6bc357b8e4d29ac8621031becca518c2869053b4e53a822959c30c8762742006f9061d396cfe955d9ce0e61c631d9312294b51b51776935fe9e24f1471e1d854
SSDEEP

12288:i2Zg0YNjaiqy7PMMe0umZRuZYkeKbs0BXMl0:i2ZnQjaiqy7PMWjudh9B

Score

10^/10

cybergate server persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

932b4c1db2fd7667a03b896b85fa3c83.exe

Resource

win7-20231215-en

cybergate server persistence stealer trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

932b4c1db2fd7667a03b896b85fa3c83.exe

Resource

win10v2004-20231215-en

cybergate server persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

127.0.0.1:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU

Targets

- Target
  
  932b4c1db2fd7667a03b896b85fa3c83
- Size
  
  539KB
- MD5
  
  932b4c1db2fd7667a03b896b85fa3c83
- SHA1
  
  2fbee861cb72bb830ac40191d779bff6cd02d3c1
- SHA256
  
  c34f21a18110de52e0b5ca87b84218b5c0815a303131a2c5d07782b80b45dec4
- SHA512
  
  6bc357b8e4d29ac8621031becca518c2869053b4e53a822959c30c8762742006f9061d396cfe955d9ce0e61c631d9312294b51b51776935fe9e24f1471e1d854
- SSDEEP
  
  12288:i2Zg0YNjaiqy7PMMe0umZRuZYkeKbs0BXMl0:i2ZnQjaiqy7PMWjudh9B
Score

10^/10

cybergate server persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergateserverpersistencestealertrojanupx

behavioral2

cybergateserverpersistencestealertrojanupx

© 2018-2024

Terms | Privacy