cybergate | ecba45cfd2a5b21e822487b035ea64f5e7f05963c54cf0c2f19b4e57272ed8fd | Triage

Sharing

General

Target

b16e27c0a879acd4b9b0114269b9c213
Size

316KB
Sample

240304-g5a9dsch96
MD5

b16e27c0a879acd4b9b0114269b9c213
SHA1

20b6bf8203445828c2df8b2880218ab8255e4b9a
SHA256

ecba45cfd2a5b21e822487b035ea64f5e7f05963c54cf0c2f19b4e57272ed8fd
SHA512

f51d0934773996a695d5fa9695a5a9cab6e3f75abb46d132e1e895e8e17c8269bba1332fd58dfb27d8cb19de86ab41adf73318c07f3d008898a013b8a7faf424
SSDEEP

6144:n/LJFK4LhrSeau3UG6q2EW3MlRCYN3UikMBgRilk1aaf2:/jBLoPuY33M+YNjkI1kAf

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

victime

C2

127.0.0.1:82

gassper.no-ip.biz:82

Mutex

Pluguin

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./
ftp_interval
30
injected_process
explorer.exe
install_dir
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
message_box_title
LAMMER
password
123456
regkey_hkcu
Avirnt
regkey_hklm
Avgnt

Targets

- Target
  
  b16e27c0a879acd4b9b0114269b9c213
- Size
  
  316KB
- MD5
  
  b16e27c0a879acd4b9b0114269b9c213
- SHA1
  
  20b6bf8203445828c2df8b2880218ab8255e4b9a
- SHA256
  
  ecba45cfd2a5b21e822487b035ea64f5e7f05963c54cf0c2f19b4e57272ed8fd
- SHA512
  
  f51d0934773996a695d5fa9695a5a9cab6e3f75abb46d132e1e895e8e17c8269bba1332fd58dfb27d8cb19de86ab41adf73318c07f3d008898a013b8a7faf424
- SSDEEP
  
  6144:n/LJFK4LhrSeau3UG6q2EW3MlRCYN3UikMBgRilk1aaf2:/jBLoPuY33M+YNjkI1kAf
Score

10^/10

cybergate victime persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatevictimepersistencestealertrojanupx

behavioral2