cybergate | 1221916ed2f4bcab2141e378aa0670601742fdad787c0b7d59dc93f977125ea8 | Triage

Submit
Reports

Overview

overview

Static

static

3

9cef9c564f...7e.exe

windows7-x64

9cef9c564f...7e.exe

windows10-2004-x64

Sharing

General

Target

9cef9c564fe95f153b0e43c202739b7e
Size

414KB
Sample

240215-evtxmsha48
MD5

9cef9c564fe95f153b0e43c202739b7e
SHA1

9f5c7c9b4cd0ecaff3af42f44a307d01ad6178d3
SHA256

1221916ed2f4bcab2141e378aa0670601742fdad787c0b7d59dc93f977125ea8
SHA512

c01d46061f02dd80c10dfec665dd29ea4229a95632fd69f5f67fb38d11998d8b58aeb6dbb895d03c64f1fafd6076e72ee62d3fe060aa88c42b9bcbd3c460eb8f
SSDEEP

12288:UmYHmslihk6SwLYW/jonlGTWTW3gRnQff8nDg0Q3GbLMC:UX+K6SAklGEWQJWfW80Q2

Score

10^/10

cybergate newspread persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9cef9c564fe95f153b0e43c202739b7e.exe

Resource

win7-20231215-en

cybergate newspread persistence stealer trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

9cef9c564fe95f153b0e43c202739b7e.exe

Resource

win10v2004-20231215-en

cybergate newspread persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

NewSpread

C2

82.242.250.193:81

82.242.250.193:82

82.242.250.193:83

Mutex

54FD21S2F2D56S65D5H55EQ855GH5Y2R2ED55G

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Java
install_file
JavaUdpater.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
JavaUpdater
regkey_hklm
Java

Targets

- Target
  
  9cef9c564fe95f153b0e43c202739b7e
- Size
  
  414KB
- MD5
  
  9cef9c564fe95f153b0e43c202739b7e
- SHA1
  
  9f5c7c9b4cd0ecaff3af42f44a307d01ad6178d3
- SHA256
  
  1221916ed2f4bcab2141e378aa0670601742fdad787c0b7d59dc93f977125ea8
- SHA512
  
  c01d46061f02dd80c10dfec665dd29ea4229a95632fd69f5f67fb38d11998d8b58aeb6dbb895d03c64f1fafd6076e72ee62d3fe060aa88c42b9bcbd3c460eb8f
- SSDEEP
  
  12288:UmYHmslihk6SwLYW/jonlGTWTW3gRnQff8nDg0Q3GbLMC:UX+K6SAklGEWQJWfW80Q2
Score

10^/10

cybergate newspread persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatenewspreadpersistencestealertrojanupx

behavioral2

cybergatenewspreadpersistencestealertrojanupx

© 2018-2024

Terms | Privacy