cybergate | 698316fbde1ddf18e115da00a1bad3539410a804d6909d01f140bc9428decd7a | Triage

Submit
Reports

Overview

overview

Static

static

7

ac22834391...18.exe

windows7-x64

ac22834391...18.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

ac22834391f01037eb842c8015dce658_JaffaCakes118
Size

555KB
Sample

240819-xb7cqstdqm
MD5

ac22834391f01037eb842c8015dce658
SHA1

eb754733aa56c361379029db19e531a7f0749428
SHA256

698316fbde1ddf18e115da00a1bad3539410a804d6909d01f140bc9428decd7a
SHA512

db6b6f880a616acfd0726761edcd0c804336f03f7b414ee94b1dcada1d0b85a0774765fb4f55090f81f8a05dccfa6cd60c1c8627f5f31222f4d9168220f1d762
SSDEEP

12288:BBMmKGnhDT+JlCkuRRUX8HHeGVxTUzG8Sge2S8:3MmnDC+hl+f68Sv23

Score

10^/10

cybergate ares discovery persistence stealer trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

ac22834391f01037eb842c8015dce658_JaffaCakes118.exe

Resource

win7-20240729-en

cybergate ares discovery persistence stealer trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

ac22834391f01037eb842c8015dce658_JaffaCakes118.exe

Resource

win10v2004-20240802-en

cybergate ares discovery persistence stealer trojan upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ARES

C2

celsodns.no-ip.org:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windows live Messenger
install_file
Windows live Messenger.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
Windows live Messenger
regkey_hklm
Windows live Messenger

Targets

- Target
  
  ac22834391f01037eb842c8015dce658_JaffaCakes118
- Size
  
  555KB
- MD5
  
  ac22834391f01037eb842c8015dce658
- SHA1
  
  eb754733aa56c361379029db19e531a7f0749428
- SHA256
  
  698316fbde1ddf18e115da00a1bad3539410a804d6909d01f140bc9428decd7a
- SHA512
  
  db6b6f880a616acfd0726761edcd0c804336f03f7b414ee94b1dcada1d0b85a0774765fb4f55090f81f8a05dccfa6cd60c1c8627f5f31222f4d9168220f1d762
- SSDEEP
  
  12288:BBMmKGnhDT+JlCkuRRUX8HHeGVxTUzG8Sge2S8:3MmnDC+hl+f68Sv23
Score

10^/10

cybergate ares discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatearesdiscoverypersistencestealertrojanupx

behavioral2

cybergatearesdiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy