cybergate | dcbaa5fdd8d79e2c3e88f8907253818313c8c3f0146f430976202ef48a96e48e | Triage

Submit
Reports

Overview

overview

Static

static

3

f75483e0ff...18.exe

windows7-x64

f75483e0ff...18.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

f75483e0fffea698db8e08a6b3f313eb_JaffaCakes118
Size

292KB
Sample

240418-fvggzsdc8z
MD5

f75483e0fffea698db8e08a6b3f313eb
SHA1

db8b3bd98adb71231e5c380188476aaebf2ae965
SHA256

dcbaa5fdd8d79e2c3e88f8907253818313c8c3f0146f430976202ef48a96e48e
SHA512

679e3664b6186cec2b3f5f85d6e2cc4e14cb6eca2416ce592d568d47c47e41f045a335f1a6f5324f75bcc99c38c59e7e187534abb7d0fd165bb5ccda8e925aa9
SSDEEP

6144:pe4dishZMFsH0/OeSRxN8gJtAzB8qn9FoBUWh80YfiqR:04dDPMFsH0GPRxNvJtAz9fBj0Yqs

Score

10^/10

cybergate danib0yyy persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f75483e0fffea698db8e08a6b3f313eb_JaffaCakes118.exe

Resource

win7-20240220-en

cybergate danib0yyy persistence stealer trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

f75483e0fffea698db8e08a6b3f313eb_JaffaCakes118.exe

Resource

win10v2004-20240412-en

cybergate danib0yyy persistence stealer trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

danib0yyy

C2

127.0.0.1:81

msconfig.sytes.net:80

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./key/
ftp_interval
60
ftp_password
oscarup147
ftp_port
21
ftp_server
ftp.drivehq.com
ftp_username
menred31
injected_process
explorer.exe
install_dir
win32
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
No se puede ejecutar win32.exe
message_box_title
Error
password
22130828250.92956+8.25116985921079
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  f75483e0fffea698db8e08a6b3f313eb_JaffaCakes118
- Size
  
  292KB
- MD5
  
  f75483e0fffea698db8e08a6b3f313eb
- SHA1
  
  db8b3bd98adb71231e5c380188476aaebf2ae965
- SHA256
  
  dcbaa5fdd8d79e2c3e88f8907253818313c8c3f0146f430976202ef48a96e48e
- SHA512
  
  679e3664b6186cec2b3f5f85d6e2cc4e14cb6eca2416ce592d568d47c47e41f045a335f1a6f5324f75bcc99c38c59e7e187534abb7d0fd165bb5ccda8e925aa9
- SSDEEP
  
  6144:pe4dishZMFsH0/OeSRxN8gJtAzB8qn9FoBUWh80YfiqR:04dDPMFsH0GPRxNvJtAz9fBj0Yqs
Score

10^/10

cybergate danib0yyy persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatedanib0yyypersistencestealertrojanupx

behavioral2

cybergatedanib0yyypersistencestealertrojanupx

© 2018-2025

Terms | Privacy