cybergate | ba254548876aa2bdf36b10f9d1944c76e3af022a89975d06e13cdd72ee7521d0

General

Target

4800b3d8716f8c6158f25b75c8d228d2_JaffaCakes118
Size

4.0MB
Sample

240515-zqqdwabe3y
MD5

4800b3d8716f8c6158f25b75c8d228d2
SHA1

5adae9c1bc4bef3e6eba6ffddfe999b4aff1a588
SHA256

ba254548876aa2bdf36b10f9d1944c76e3af022a89975d06e13cdd72ee7521d0
SHA512

9b003a7dd1bec846012146d252759230ca33fe01da739f10c80de6c114044c9f6c744315fb9a9d745fe86f35a18ce6df04e63f32b942a34ff0903802bd6ffa9f
SSDEEP

98304:nLe8nHR/6gTP3ofcwQRzNQbYDHglkTylQwIgPUEGv94w/1vo:nLfR/6ghZRzNQbYDAGeTI28V4w/

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

5.187.78.241:1600

Mutex

4K200OFEWRL68U

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
exploer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  4800b3d8716f8c6158f25b75c8d228d2_JaffaCakes118
- Size
  
  4.0MB
- MD5
  
  4800b3d8716f8c6158f25b75c8d228d2
- SHA1
  
  5adae9c1bc4bef3e6eba6ffddfe999b4aff1a588
- SHA256
  
  ba254548876aa2bdf36b10f9d1944c76e3af022a89975d06e13cdd72ee7521d0
- SHA512
  
  9b003a7dd1bec846012146d252759230ca33fe01da739f10c80de6c114044c9f6c744315fb9a9d745fe86f35a18ce6df04e63f32b942a34ff0903802bd6ffa9f
- SSDEEP
  
  98304:nLe8nHR/6gTP3ofcwQRzNQbYDHglkTylQwIgPUEGv94w/1vo:nLfR/6ghZRzNQbYDAGeTI28V4w/
Score

10^/10

cybergate remote discovery evasion persistence spyware stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2