cybergate | 2476f7b7ef5ad3c5c55b8f367d63875d1e3a3f402a7315e8071b9f4dd3566891 | Triage

Submit
Reports

Overview

overview

Static

static

848c9bf91f...18.exe

windows7-x64

848c9bf91f...18.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

848c9bf91f695c6af28cadaa862140e1_JaffaCakes118
Size

284KB
Sample

240810-desh7swhpe
MD5

848c9bf91f695c6af28cadaa862140e1
SHA1

369b43275f03407c3d01e50ef4d30555488aee8e
SHA256

2476f7b7ef5ad3c5c55b8f367d63875d1e3a3f402a7315e8071b9f4dd3566891
SHA512

9852d61c378b500d349843125cc32f9c66634b934e7700389868a5c126a9863ced8c3f4f8af630bfd2a3af4e1adbf9ab9015767e810f0bc37376a91300dd4eea
SSDEEP

6144:3k4qm4VgWSUQq0SHSVOBZ9SydFhekft7WNzDGvgreQ:U9wZbq0Sy0gWFxNWN2vgreQ

Score

10^/10

cybergate öííé discovery persistence stealer trojan upx

Static task

static1

upx öííé cybergate

3 signatures

Behavioral task

behavioral1

Sample

848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe

Resource

win7-20240705-en

cybergate öííé discovery persistence stealer trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe

Resource

win10v2004-20240802-en

cybergate öííé discovery persistence stealer trojan upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

127.0.0.1:288

127.6.5.1:81

127.0.0.1:71

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
5
ftp_password
ª÷Öº+Þ
ftp_port
21
ftp_server
ftp.server.com
ftp_username
ftp_user
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
download file
message_box_title
4shared
password
abcd1234

Targets

- Target
  
  848c9bf91f695c6af28cadaa862140e1_JaffaCakes118
- Size
  
  284KB
- MD5
  
  848c9bf91f695c6af28cadaa862140e1
- SHA1
  
  369b43275f03407c3d01e50ef4d30555488aee8e
- SHA256
  
  2476f7b7ef5ad3c5c55b8f367d63875d1e3a3f402a7315e8071b9f4dd3566891
- SHA512
  
  9852d61c378b500d349843125cc32f9c66634b934e7700389868a5c126a9863ced8c3f4f8af630bfd2a3af4e1adbf9ab9015767e810f0bc37376a91300dd4eea
- SSDEEP
  
  6144:3k4qm4VgWSUQq0SHSVOBZ9SydFhekft7WNzDGvgreQ:U9wZbq0Sy0gWFxNWN2vgreQ
Score

10^/10

cybergate öííé discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

upxöííécybergate

behavioral1

cybergateöííédiscoverypersistencestealertrojanupx

behavioral2

cybergateöííédiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy