cybergate | 7be1b4c0f8feaabff9e4c421ca2437f74a5d8cfc11aae46fb8d5c58a5304b521

General

Target

09b0b7a09e2fef44cebefa08850b10a4_JaffaCakes118
Size

6.7MB
Sample

240430-nqagwabc6z
MD5

09b0b7a09e2fef44cebefa08850b10a4
SHA1

aa52806ab539101de736a778389b31be2acb2ad0
SHA256

7be1b4c0f8feaabff9e4c421ca2437f74a5d8cfc11aae46fb8d5c58a5304b521
SHA512

5d4c184b0eb7ce2e5e57229c99272a9f35f36ac5c430bf12f2525e301087d5d0baf9acc6a6d27519564fa3cf74127caf9c09e29a7f00d1560a128cbec43ce2ae
SSDEEP

196608:OcF/2zq0Qh3KaLf/tnjfNmmtode4VzFvUDJKD6m:Ok/2zqFLdjNmFde4D2zm

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

5.187.78.241:1600

Mutex

175C5UR55IDPMG

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  09b0b7a09e2fef44cebefa08850b10a4_JaffaCakes118
- Size
  
  6.7MB
- MD5
  
  09b0b7a09e2fef44cebefa08850b10a4
- SHA1
  
  aa52806ab539101de736a778389b31be2acb2ad0
- SHA256
  
  7be1b4c0f8feaabff9e4c421ca2437f74a5d8cfc11aae46fb8d5c58a5304b521
- SHA512
  
  5d4c184b0eb7ce2e5e57229c99272a9f35f36ac5c430bf12f2525e301087d5d0baf9acc6a6d27519564fa3cf74127caf9c09e29a7f00d1560a128cbec43ce2ae
- SSDEEP
  
  196608:OcF/2zq0Qh3KaLf/tnjfNmmtode4VzFvUDJKD6m:Ok/2zqFLdjNmFde4D2zm
Score

10^/10

cybergate remote discovery evasion persistence spyware stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2