cybergate | c8d63fabb444fefb5199df3be8f67fb421fe96ec4301a3709253ee1a7729022a

General

Target

c8d63fabb444fefb5199df3be8f67fb421fe96ec4301a3709253ee1a7729022a
Size

1008KB
Sample

240313-a69p1shg73
MD5

65ba853b862ef14ef7e0f0fc2b899d45
SHA1

71427e66914058ea4fbba7e20b8e9f661401c273
SHA256

c8d63fabb444fefb5199df3be8f67fb421fe96ec4301a3709253ee1a7729022a
SHA512

bdf62ecf5e0e7316534886f80001c44909687649538bc2523820d06897ab821a78fd50891c318dc07a98154fce79a168a3260918e310d919fde0328da1046e93
SSDEEP

12288:+pqiC/2OGAtkCP4cejGSOpRKxC1T79AihWFkQ4eqHR1Jx0dWQLkpLHjwtQ:+po/2+ttPJLfpRKxC4IWWW6Hn

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

EL NUEVO FDP

C2

operspicaz.no-ip.biz:1982

infosfenix.no-ip.org :6001

Mutex

Java(TM) Plarform SE 9 U19

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./novo/
ftp_interval
30
injected_process
jusched.exe
install_dir
Java\jre6\bin
install_file
java(TM).exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Targets

- Target
  
  c8d63fabb444fefb5199df3be8f67fb421fe96ec4301a3709253ee1a7729022a
- Size
  
  1008KB
- MD5
  
  65ba853b862ef14ef7e0f0fc2b899d45
- SHA1
  
  71427e66914058ea4fbba7e20b8e9f661401c273
- SHA256
  
  c8d63fabb444fefb5199df3be8f67fb421fe96ec4301a3709253ee1a7729022a
- SHA512
  
  bdf62ecf5e0e7316534886f80001c44909687649538bc2523820d06897ab821a78fd50891c318dc07a98154fce79a168a3260918e310d919fde0328da1046e93
- SSDEEP
  
  12288:+pqiC/2OGAtkCP4cejGSOpRKxC1T79AihWFkQ4eqHR1Jx0dWQLkpLHjwtQ:+po/2+ttPJLfpRKxC4IWWW6Hn
Score

10^/10

cybergate el nuevo fdp stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Detects binaries and memory artifacts referencing sandbox product IDs
- UPX dump on OEP (original entry point)
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Detects binaries and memory artifacts referencing sandbox product IDs

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

AutoIT Executable

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2