cybergate | 8fb0f1ac23d239b7816b5233a8cc4eeebd567c8a9139ae99d17c4cccfd5d62f9 | Triage

Submit
Reports

Overview

overview

Static

static

3

e0e9111cc8...32.exe

windows7-x64

e0e9111cc8...32.exe

windows10-2004-x64

Sharing

General

Target

e0e9111cc84964665aeb2f278a9a1e32
Size

799KB
Sample

240327-ge9n9sgh41
MD5

e0e9111cc84964665aeb2f278a9a1e32
SHA1

a65efd4e598b0c5db7c1d3baab5c77425c85532d
SHA256

8fb0f1ac23d239b7816b5233a8cc4eeebd567c8a9139ae99d17c4cccfd5d62f9
SHA512

4e8f9758aa94978f098062ccb926ccb2fa9df1e40b784c272c2f3f2afebb8f0b27df193ac27c78ae52e0ec5ba9cd6f90ed11f4c01f0adbd6a0e88be46e250c5d
SSDEEP

24576:pHlPVw+oCK0JlrjV3RGTJL1a0RbswI6QOkwBcwvIKr32NxY:pHHKaThGTJL1akA6pJvIZY

Score

10^/10

cybergate remote persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e0e9111cc84964665aeb2f278a9a1e32.exe

Resource

win7-20240221-en

cybergate remote persistence stealer trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

e0e9111cc84964665aeb2f278a9a1e32.exe

Resource

win10v2004-20240226-en

cybergate remote persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

remote

C2

sameg.no-ip.biz:35576

Mutex

15K756DO3EMO05

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU

Targets

- Target
  
  e0e9111cc84964665aeb2f278a9a1e32
- Size
  
  799KB
- MD5
  
  e0e9111cc84964665aeb2f278a9a1e32
- SHA1
  
  a65efd4e598b0c5db7c1d3baab5c77425c85532d
- SHA256
  
  8fb0f1ac23d239b7816b5233a8cc4eeebd567c8a9139ae99d17c4cccfd5d62f9
- SHA512
  
  4e8f9758aa94978f098062ccb926ccb2fa9df1e40b784c272c2f3f2afebb8f0b27df193ac27c78ae52e0ec5ba9cd6f90ed11f4c01f0adbd6a0e88be46e250c5d
- SSDEEP
  
  24576:pHlPVw+oCK0JlrjV3RGTJL1a0RbswI6QOkwBcwvIKr32NxY:pHHKaThGTJL1akA6pJvIZY
Score

10^/10

cybergate remote persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergateremotepersistencestealertrojanupx

behavioral2

cybergateremotepersistencestealertrojanupx

© 2018-2024

Terms | Privacy