General

  • Target

    055e63d6d3d92fa906cba6df2bfcf1e081c34b7a3570ff5f6474a6afbe337b7f

  • Size

    412KB

  • Sample

    240310-xqg2dsaf4t

  • MD5

    74b9f4ae55601a30c272415bac1b11eb

  • SHA1

    baed1f6249424266b32da6e63c749c3123be0ebb

  • SHA256

    055e63d6d3d92fa906cba6df2bfcf1e081c34b7a3570ff5f6474a6afbe337b7f

  • SHA512

    4213ac25aec6543ace7d83bd05072f5b569cb9078c81440330ad3f5328e4dd13bc22b4d60a45d909aea053ab69df771bc392f192d85b8145607ce1ea3a5b3ee3

  • SSDEEP

    6144:pcxI6kst7c9rQChJPcYE00/OSHa9X2ZfnT6ZNp/GCGJWZ+zxcnimZAPWaRDDrKOd:smGX0cROB5yrWpuCGJ1xc1ZFaLIim7

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v3.4.2.2

  • Botnet

    remote

  • C2

    manouche.no-ip.org:1000

  • Mutex

    1XGV121I885X3E

Attributes

  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Detects binaries and memory artifacts referencing sandbox product IDs

    • UPX dump on OEP (original entry point)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                            ID          Count
  Persistence            Boot or Logon Autostart Execution    T1547       1
  Persistence            Registry Run Keys / Startup Folder   T1547.001   1
  Privilege Escalation   Boot or Logon Autostart Execution    T1547       1
  Privilege Escalation   Registry Run Keys / Startup Folder   T1547.001   1
  Defense Evasion        Modify Registry                      T1112       1
