cybergate | 2626dd15e955b99ecc6471f89acf6e3cfbcebfaf8b751ecf607009f361b8bd80 | Triage

Submit
Reports

Overview

overview

Static

static

3

f84206e204...18.exe

windows7-x64

f84206e204...18.exe

windows10-2004-x64

Sharing

General

Target

f84206e204998b84d43ade95eadf648b_JaffaCakes118
Size

396KB
Sample

240418-sf1njahd9v
MD5

f84206e204998b84d43ade95eadf648b
SHA1

0a2c6da38ed3ee49aac4ad1ff33073ed0e685807
SHA256

2626dd15e955b99ecc6471f89acf6e3cfbcebfaf8b751ecf607009f361b8bd80
SHA512

f4e49440423aa275c371b8abc17c787743ec5656470ebf716673d4955923e77d53e1cd2782248496640d89be13539450e53a395c4e71a083e3a755d789612a9f
SSDEEP

6144:W5JX5IgHLk70CPq5/MCnoDRVSQ33QuA8e7PXZ5w62FSEywdVjRlTcTthCYlrG1SK:Wv5GLSesZ262FSE1dVfTKQYlrG11

Score

10^/10

cybergate remote persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f84206e204998b84d43ade95eadf648b_JaffaCakes118.exe

Resource

win7-20240221-en

cybergate remote persistence stealer trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

f84206e204998b84d43ade95eadf648b_JaffaCakes118.exe

Resource

win10v2004-20240412-en

cybergate remote persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

faridbang.zapto.org:123

Mutex

53TT4765VG446A

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  f84206e204998b84d43ade95eadf648b_JaffaCakes118
- Size
  
  396KB
- MD5
  
  f84206e204998b84d43ade95eadf648b
- SHA1
  
  0a2c6da38ed3ee49aac4ad1ff33073ed0e685807
- SHA256
  
  2626dd15e955b99ecc6471f89acf6e3cfbcebfaf8b751ecf607009f361b8bd80
- SHA512
  
  f4e49440423aa275c371b8abc17c787743ec5656470ebf716673d4955923e77d53e1cd2782248496640d89be13539450e53a395c4e71a083e3a755d789612a9f
- SSDEEP
  
  6144:W5JX5IgHLk70CPq5/MCnoDRVSQ33QuA8e7PXZ5w62FSEywdVjRlTcTthCYlrG1SK:Wv5GLSesZ262FSE1dVfTKQYlrG11
Score

10^/10

cybergate remote persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergateremotepersistencestealertrojanupx

behavioral2

cybergateremotepersistencestealertrojanupx

© 2018-2024

Terms | Privacy