cybergate | 6e0092fe00df8f97e50b140c932d5388c5852a9ec4101d5ebd79b4ba08a7d1fd | Triage

Submit
Reports

Overview

overview

Static

static

3

d71e9ff96e...b4.exe

windows7-x64

d71e9ff96e...b4.exe

windows10-2004-x64

Sharing

General

Target

d71e9ff96e3ed64d380684f71d39d4b4
Size

976KB
Sample

240319-zzwl9agd4w
MD5

d71e9ff96e3ed64d380684f71d39d4b4
SHA1

c3c11ff1b8974fa79a55df63cc23ceb9a2435b84
SHA256

6e0092fe00df8f97e50b140c932d5388c5852a9ec4101d5ebd79b4ba08a7d1fd
SHA512

df875abf7f25823235806d6225c89fd3115bc6518ffa3b131c06a88501022c42e8be6cd907dbe5efc8256cc37e61003354ef8c5c8b1d91a8e75f4ef8917901e8
SSDEEP

24576:KHwQAN2K3yWds0JkKyVRD8x/00ZM/dj7xZzUxTljE:KHl1adsLP8pC5iC

Score

10^/10

cybergate microsoft persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d71e9ff96e3ed64d380684f71d39d4b4.exe

Resource

win7-20240221-en

cybergate microsoft persistence stealer trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

d71e9ff96e3ed64d380684f71d39d4b4.exe

Resource

win10v2004-20240226-en

cybergate microsoft persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

microsoft

C2

tommaso.no-ip.biz:3000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
windows live
install_file
microsoft.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456
regkey_hkcu
acrobat
regkey_hklm
acrobat

Targets

- Target
  
  d71e9ff96e3ed64d380684f71d39d4b4
- Size
  
  976KB
- MD5
  
  d71e9ff96e3ed64d380684f71d39d4b4
- SHA1
  
  c3c11ff1b8974fa79a55df63cc23ceb9a2435b84
- SHA256
  
  6e0092fe00df8f97e50b140c932d5388c5852a9ec4101d5ebd79b4ba08a7d1fd
- SHA512
  
  df875abf7f25823235806d6225c89fd3115bc6518ffa3b131c06a88501022c42e8be6cd907dbe5efc8256cc37e61003354ef8c5c8b1d91a8e75f4ef8917901e8
- SSDEEP
  
  24576:KHwQAN2K3yWds0JkKyVRD8x/00ZM/dj7xZzUxTljE:KHl1adsLP8pC5iC
Score

10^/10

cybergate microsoft persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatemicrosoftpersistencestealertrojanupx

behavioral2

cybergatemicrosoftpersistencestealertrojanupx

© 2018-2024

Terms | Privacy