cybergate | 13aa15ab17d492fb52bc682a7b0441e04e776c2d9bf74714b1185bc11a3306ce | Triage

Submit
Reports

Overview

overview

Static

static

0ad5bfd816...18.exe

windows7-x64

0ad5bfd816...18.exe

windows10-2004-x64

Sharing

General

Target

0ad5bfd816440bd66679386d9f7fc679_JaffaCakes118
Size

284KB
Sample

240501-byeqcaeg56
MD5

0ad5bfd816440bd66679386d9f7fc679
SHA1

9259763c09372b2dc127ebd36ebd40216126f8dc
SHA256

13aa15ab17d492fb52bc682a7b0441e04e776c2d9bf74714b1185bc11a3306ce
SHA512

b87cc1bee07d286a829520a1cc7af97b59bce68e4a1af9b9f03ea1cb256713ee0f4772eb3556281eb404ce5f99926da137e299a45a19d26869e65dfe98077a55
SSDEEP

6144:UmcD66R7I5JGmrpQsK3RD2u270jupCJsCxC:VcD66bZ2zkPaCx

Score

10^/10

cybergate vítima persistence stealer trojan upx

Static task

static1

vítima cybergate

2 signatures

Behavioral task

behavioral1

Sample

0ad5bfd816440bd66679386d9f7fc679_JaffaCakes118.exe

Resource

win7-20231129-en

cybergate vítima persistence stealer trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

0ad5bfd816440bd66679386d9f7fc679_JaffaCakes118.exe

Resource

win10v2004-20240419-en

cybergate vítima persistence stealer trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

hsshieldd2.no-ip.org:81

hsshieldd2.no-ip.org:83

hsshieldd2.no-ip.org:1453

hsshieldd2.no-ip.org:2626

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
wmprph.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Eu hackei seu pc:By HsshieldD2
message_box_title
Virus
password
123
regkey_hkcu
Explorer.exe
regkey_hklm
System

Targets

- Target
  
  0ad5bfd816440bd66679386d9f7fc679_JaffaCakes118
- Size
  
  284KB
- MD5
  
  0ad5bfd816440bd66679386d9f7fc679
- SHA1
  
  9259763c09372b2dc127ebd36ebd40216126f8dc
- SHA256
  
  13aa15ab17d492fb52bc682a7b0441e04e776c2d9bf74714b1185bc11a3306ce
- SHA512
  
  b87cc1bee07d286a829520a1cc7af97b59bce68e4a1af9b9f03ea1cb256713ee0f4772eb3556281eb404ce5f99926da137e299a45a19d26869e65dfe98077a55
- SSDEEP
  
  6144:UmcD66R7I5JGmrpQsK3RD2u270jupCJsCxC:VcD66bZ2zkPaCx
Score

10^/10

cybergate vítima persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

vítimacybergate

behavioral1

cybergatevítimapersistencestealertrojanupx

behavioral2

cybergatevítimapersistencestealertrojanupx

© 2018-2024

Terms | Privacy