cybergate | e75183c91ec9291fce99d006263a2c2172c8b3fccd7075f5d8ccef22b2b806af

General

Target

753a33b85dc44819aea2d41dcc531012_JaffaCakes118
Size

272KB
Sample

240726-w6q4kazfjd
MD5

753a33b85dc44819aea2d41dcc531012
SHA1

aaa453afff5b0d243401d915455fe8be772f1bfb
SHA256

e75183c91ec9291fce99d006263a2c2172c8b3fccd7075f5d8ccef22b2b806af
SHA512

7e1c5bb2e29601b32968244b05ccb0eca31812b12302c73fcd19bdda2296aabc7310bba33d301368ba24e56c633494c8e8849f5723c277ef173837d020e443fc
SSDEEP

6144:Uk4qmQ9CAF9+Kh0AVs/6ToOTqev85rtLEv9J:39B+Kh0mSpKtqtc9

Score

10^/10

Malware Config

Extracted

Family

cybergate

Botnet

TRUE

C2

ÝØðÕÞÎÝÎÅý¼¼ûÙÈìÎÓßýØØÎÙÏÏ¼¼êÕÎÈÉÝÐìÎÓÈÙßÈ¼¼êÕÎÈÉÝÐýÐÐÓß¼¼êÕÎÈÉÝÐúÎÙÙ¼¼¼ùÄÕÈìÎÓßÙÏÏ¼¼¼ðÏÝÿÐÓÏÙ¼¼ÿÎÅÌÈéÒÌÎÓÈÙßÈøÝÈÝ¼¼ÿÓèÝÏ×ñÙÑúÎÙÙ¼¼¼ïÅÏúÎÙÙïÈÎÕÒÛ¼¼¼ìïÈÓÎÙÿÎÙÝÈÙõÒÏÈÝÒßÙ¼¼îÝÏùÒÉÑùÒÈÎÕÙÏý¼¼¼ïôûÙÈïÌÙßÕÝÐúÓÐØÙÎìÝÈÔý¼¼¼èÓýÏßÕÕ¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼üFALSE

16

0

título da mensagem

texto da mensagem

TRUE

FALSE

ftp.server.com

./logs/

ftp_user

ª÷Öº+Þ

21

30

Mutex

Attributes

enable_keylogger
false
enable_message_box
false
install_dir
TRUE
install_file
TRUE
install_flag
true
keylogger_enable_ftp
false
message_box_caption
73c8ec8ce68b4c135a037821316868bc
message_box_title
FALSE
password
TRUE
regkey_hkcu
FALSE
regkey_hklm
explorer.exe

Extracted

Family

cybergate

Version

2.6

Botnet

SpY-NeT By MeLeK-J

C2

127.0.0.1:1453

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
SpYNeT By MeLeK-J.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Targets

- Target
  
  753a33b85dc44819aea2d41dcc531012_JaffaCakes118
- Size
  
  272KB
- MD5
  
  753a33b85dc44819aea2d41dcc531012
- SHA1
  
  aaa453afff5b0d243401d915455fe8be772f1bfb
- SHA256
  
  e75183c91ec9291fce99d006263a2c2172c8b3fccd7075f5d8ccef22b2b806af
- SHA512
  
  7e1c5bb2e29601b32968244b05ccb0eca31812b12302c73fcd19bdda2296aabc7310bba33d301368ba24e56c633494c8e8849f5723c277ef173837d020e443fc
- SSDEEP
  
  6144:Uk4qmQ9CAF9+Kh0AVs/6ToOTqev85rtLEv9J:39B+Kh0mSpKtqtc9
Score

10^/10

cybergate spy-net by melek-j discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CyberGate, Rebhip

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2