cybergate | 3c058a8e9c46df81f2cbc595282d8e46e25b0b4ecd883f901a30e59a660657ff | Triage

Submit
Reports

Overview

overview

Static

static

7

c4f764597e...5d.exe

windows7-x64

c4f764597e...5d.exe

windows10-2004-x64

Sharing

General

Target

c4f764597e9912dca5e7c462d99b965d
Size

665KB
Sample

240313-e2fctsee37
MD5

c4f764597e9912dca5e7c462d99b965d
SHA1

4b300b99f61cfec284fca6e1390eb30b7bba5803
SHA256

3c058a8e9c46df81f2cbc595282d8e46e25b0b4ecd883f901a30e59a660657ff
SHA512

edb16b61f68ae57c816eae37574512e1d556276a5abd9a2c1e4e2c70ab68dc9b22e31ba2012165ba32668d26b585665ee9ae9e11914357c314b926d99fcb68d3
SSDEEP

12288:qHLUMuiv9RgfSjAzRtyclz4pR1UMedz6lI1vV4u+0qsx:ItARZlkpR1Uhz+Q

Score

10^/10

cybergate lammer persistence stealer trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

c4f764597e9912dca5e7c462d99b965d.exe

Resource

win7-20240215-en

cybergate lammer persistence stealer trojan upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

c4f764597e9912dca5e7c462d99b965d.exe

Resource

win10v2004-20240226-en

cybergate lammer persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

Lammer

C2

matrix-hacker.no-ip.biz:81

Mutex

Pluguin

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
virus.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
message_box_title
LAMMER
password
123
regkey_hkcu
win32
regkey_hklm
win32

Targets

- Target
  
  c4f764597e9912dca5e7c462d99b965d
- Size
  
  665KB
- MD5
  
  c4f764597e9912dca5e7c462d99b965d
- SHA1
  
  4b300b99f61cfec284fca6e1390eb30b7bba5803
- SHA256
  
  3c058a8e9c46df81f2cbc595282d8e46e25b0b4ecd883f901a30e59a660657ff
- SHA512
  
  edb16b61f68ae57c816eae37574512e1d556276a5abd9a2c1e4e2c70ab68dc9b22e31ba2012165ba32668d26b585665ee9ae9e11914357c314b926d99fcb68d3
- SSDEEP
  
  12288:qHLUMuiv9RgfSjAzRtyclz4pR1UMedz6lI1vV4u+0qsx:ItARZlkpR1Uhz+Q
Score

10^/10

cybergate lammer persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatelammerpersistencestealertrojanupx

behavioral2

cybergatelammerpersistencestealertrojanupx

© 2018-2024

Terms | Privacy