cybergate | 5569a950fb2694e9188c9f3b6a50b1d186c3f9c03e56a0458d3fe292e96af114 | Triage

Submit
Reports

Overview

overview

Static

static

3

0849d031ed...18.exe

windows7-x64

0849d031ed...18.exe

windows10-2004-x64

Sharing

General

Target

0849d031ed269a1e1573f97ff7962507_JaffaCakes118
Size

571KB
Sample

241002-b2qa9a1brj
MD5

0849d031ed269a1e1573f97ff7962507
SHA1

2430913653658fb2dc348efc5f9316ab814d0e2b
SHA256

5569a950fb2694e9188c9f3b6a50b1d186c3f9c03e56a0458d3fe292e96af114
SHA512

97a61b09ee4520758f6cda590d9ce2884b9a3a044ef2a49df96dc0750e8c8aae31a0fa8e3e6425f9b71a0fee118cc91b856f8234d4e635ffe44b60dd268650d5
SSDEEP

12288:Zh+EK82tjA5g75lblK1z4idccuw+Ajc1Df1YDlbFnGKi54z56OU:gtjog7XbkBndRl+dT1YDFFnG7T

Score

10^/10

cybergate gizli discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0849d031ed269a1e1573f97ff7962507_JaffaCakes118.exe

Resource

win7-20240903-en

cybergate gizli discovery persistence stealer trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

0849d031ed269a1e1573f97ff7962507_JaffaCakes118.exe

Resource

win10v2004-20240802-en

cybergate gizli discovery persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Gizli

C2

127.0.0.1:81

kanserr08.no-ip.biz:81

Mutex

3U5L643M115J

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
explorer.exe
install_file
system32dll.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
Windupt
regkey_hklm
Windupt

Targets

- Target
  
  0849d031ed269a1e1573f97ff7962507_JaffaCakes118
- Size
  
  571KB
- MD5
  
  0849d031ed269a1e1573f97ff7962507
- SHA1
  
  2430913653658fb2dc348efc5f9316ab814d0e2b
- SHA256
  
  5569a950fb2694e9188c9f3b6a50b1d186c3f9c03e56a0458d3fe292e96af114
- SHA512
  
  97a61b09ee4520758f6cda590d9ce2884b9a3a044ef2a49df96dc0750e8c8aae31a0fa8e3e6425f9b71a0fee118cc91b856f8234d4e635ffe44b60dd268650d5
- SSDEEP
  
  12288:Zh+EK82tjA5g75lblK1z4idccuw+Ajc1Df1YDlbFnGKi54z56OU:gtjog7XbkBndRl+dT1YDFFnG7T
Score

10^/10

cybergate gizli discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergategizlidiscoverypersistencestealertrojanupx

behavioral2

cybergategizlidiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy