cybergate | b01cf58e2f834c26c8ba38950e30cb9225b8654ff167d8cdd9e9d31eee5b7c4c | Triage

Submit
Reports

Overview

overview

Static

static

3

c948e25d9f...f5.exe

windows7-x64

c948e25d9f...f5.exe

windows10-2004-x64

Sharing

General

Target

c948e25d9ffc895cd05c2057e2d0c3f5
Size

748KB
Sample

240314-ww5tzabc5v
MD5

c948e25d9ffc895cd05c2057e2d0c3f5
SHA1

1450cc7f30616135428d72b231e61d81c4bacc06
SHA256

b01cf58e2f834c26c8ba38950e30cb9225b8654ff167d8cdd9e9d31eee5b7c4c
SHA512

aa9c79657df35356e4ae831c0db05f48d85fff0142cce7c9a926c9746231056c53583e55cf7e7601f8f1af5c5eaeb818116dda9cef7dddc50b4b1dedfcdd9e5c
SSDEEP

12288:5/xQ+W5vvJxeP7+KQAXCmUgJWGS8vCoi6BjriPHBAVgy1c8sKGMb1Rm987:lxcfxeRJX9UpqCUQPhL7KR5Rm4

Score

10^/10

cybergate öííé persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

c948e25d9ffc895cd05c2057e2d0c3f5.exe

Resource

win7-20240221-en

cybergate öííé persistence stealer trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

c948e25d9ffc895cd05c2057e2d0c3f5.exe

Resource

win10v2004-20231215-en

cybergate öííé persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

starman.no-ip.biz:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
t?tulo da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  c948e25d9ffc895cd05c2057e2d0c3f5
- Size
  
  748KB
- MD5
  
  c948e25d9ffc895cd05c2057e2d0c3f5
- SHA1
  
  1450cc7f30616135428d72b231e61d81c4bacc06
- SHA256
  
  b01cf58e2f834c26c8ba38950e30cb9225b8654ff167d8cdd9e9d31eee5b7c4c
- SHA512
  
  aa9c79657df35356e4ae831c0db05f48d85fff0142cce7c9a926c9746231056c53583e55cf7e7601f8f1af5c5eaeb818116dda9cef7dddc50b4b1dedfcdd9e5c
- SSDEEP
  
  12288:5/xQ+W5vvJxeP7+KQAXCmUgJWGS8vCoi6BjriPHBAVgy1c8sKGMb1Rm987:lxcfxeRJX9UpqCUQPhL7KR5Rm4
Score

10^/10

cybergate öííé persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergateöííépersistencestealertrojanupx

behavioral2

cybergateöííépersistencestealertrojanupx

© 2018-2024

Terms | Privacy