cybergate | a7ef6e980d3395dba5683da7dc80ae9922dd127ad9f249161a03bd332064a899 | Triage

Submit
Reports

Overview

overview

Static

static

3

zynga poke...12.exe

windows7-x64

zynga poke...12.exe

windows10-2004-x64

Sharing

General

Target

3cd6d346170638e7e0db26cc38a76c51_JaffaCakes118
Size

616KB
Sample

241013-atyf8atgrk
MD5

3cd6d346170638e7e0db26cc38a76c51
SHA1

d10d15de01e99a25ae5798d112f9f368926112c0
SHA256

a7ef6e980d3395dba5683da7dc80ae9922dd127ad9f249161a03bd332064a899
SHA512

050caab6d4af583238acb06f0df7aa3d273e88bc5c74d6da4ccf4af2037115aa9a0fbac75adf3319f1c8765b24c0e05b98924979a8012f8c98f605c677f308e8
SSDEEP

12288:AWowYoSkQn7MYc07mfgXU49fnATNNsKy+2r1YUKhh:AWowYAYMYctfyU49UNmKy+Aloh

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

zynga poker chips 2012.exe

Resource

win7-20240903-en

cybergate vítima discovery persistence stealer trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

zynga poker chips 2012.exe

Resource

win10v2004-20241007-en

cybergate vítima discovery persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

hako0.no-ip.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
5
ftp_password
ª÷Öº+Þ
ftp_port
21
ftp_server
ftp.server.com
ftp_username
ftp_user
injected_process
explorer.exe
install_dir
install
install_file
Windos.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  zynga poker chips 2012.exe
- Size
  
  671KB
- MD5
  
  a9d778ba1dc4d7222a875c14b14a941a
- SHA1
  
  0eeb7cc8d724da53cc3396f142d8fbfc685b029f
- SHA256
  
  afb93b964f7ee12ec0bfadffda16eb7ff3ec6488b6975e1d6315031eef339b9d
- SHA512
  
  e13336826ba0f00e3a4cd4b1e6a0ef37e94ed26047e0abc289240e2767cf7958d3aca98f0ef4e67c969da700909df8842e4614645c609f43d17d3e00734a4a21
- SSDEEP
  
  12288:b1dlZo5yUfltbzi4uC7yPD6GOo/K2ZxcqkX1B6c7C5GwCgvFJ8+KTH9B:b1dlZo5XgC7Y+6LcqkXqlGwLvFJITH9B
Score

10^/10

cybergate vítima discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevítimadiscoverypersistencestealertrojanupx

behavioral2

cybergatevítimadiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy