cybergate | 5a005ff758401a320e5b9008596349212820732e04baa8d440eda0c7dc26bc2b | Triage

Submit
Reports

Overview

overview

Static

static

3

b26b6ea0cd...cf.exe

windows7-x64

b26b6ea0cd...cf.exe

windows10-2004-x64

Sharing

General

Target

b26b6ea0cdc0baea693016f89665e7cf
Size

249KB
Sample

240304-sd2g2sdb3z
MD5

b26b6ea0cdc0baea693016f89665e7cf
SHA1

21565acd333a2fc7eaac28cf19da5dcb88617a10
SHA256

5a005ff758401a320e5b9008596349212820732e04baa8d440eda0c7dc26bc2b
SHA512

37174e679e520a8064124a6003b9c0c31e307c69069796ac7f184b21b2a943dfd4cc7018b7cc960ca8a3291c4e063e166a8097108930d827dd2920ef98ccd6a5
SSDEEP

6144:7RxfUwLeJqsNZfv2b0IqhpVPeCZpgmyIfIg5/xyow52nqej3PP:7RVJLeJqsjfvQ0BvRyK55ytODDPP

Score

10^/10

cybergate cyber persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b26b6ea0cdc0baea693016f89665e7cf.exe

Resource

win7-20240220-en

cybergate cyber persistence stealer trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

b26b6ea0cdc0baea693016f89665e7cf.exe

Resource

win10v2004-20240226-en

cybergate cyber persistence stealer trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

kilebantick.myftp.org:82

Mutex

KFBIU7MK7M5044

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
kilebantick
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  b26b6ea0cdc0baea693016f89665e7cf
- Size
  
  249KB
- MD5
  
  b26b6ea0cdc0baea693016f89665e7cf
- SHA1
  
  21565acd333a2fc7eaac28cf19da5dcb88617a10
- SHA256
  
  5a005ff758401a320e5b9008596349212820732e04baa8d440eda0c7dc26bc2b
- SHA512
  
  37174e679e520a8064124a6003b9c0c31e307c69069796ac7f184b21b2a943dfd4cc7018b7cc960ca8a3291c4e063e166a8097108930d827dd2920ef98ccd6a5
- SSDEEP
  
  6144:7RxfUwLeJqsNZfv2b0IqhpVPeCZpgmyIfIg5/xyow52nqej3PP:7RVJLeJqsjfvQ0BvRyK55ytODDPP
Score

10^/10

cybergate cyber persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatecyberpersistencestealertrojanupx

behavioral2

cybergatecyberpersistencestealertrojanupx

© 2018-2024

Terms | Privacy