cybergate | 597f8e318142894e9c6479cdc206d61936895e0fbcee3a2a878fdccebd94e866 | Triage

Sharing

General

Target

441a6b0f774324a7132e4e5850d56c3d_JaffaCakes118
Size

443KB
Sample

241014-zjvp1szcjj
MD5

441a6b0f774324a7132e4e5850d56c3d
SHA1

b16a0a44b7b2f1bfdc38951b4b4668a6e4d91451
SHA256

597f8e318142894e9c6479cdc206d61936895e0fbcee3a2a878fdccebd94e866
SHA512

8e551f5519cc5de812c8182534369700c2c5dfd288d3143b6b2d3e42ab842bd5abd94f90c74d77f78d7df26953befab00f76e61ebfd58a596ad58cfb5a64cd4e
SSDEEP

12288:pypmCmHFReJqXE6lGi6IAE5LuBVzXI3rpo+i4/CLf8VRgz:8mHFr06lGiB5CbXI3e+zaEwz

Score

10^/10

cybergate vítima discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

invisivelno-ip.no-ip.org:88

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
msn.exe
install_dir
install
install_file
sysms-dos.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
1234

Targets

- Target
  
  SERVER~1.EXE
- Size
  
  678KB
- MD5
  
  104f98781cda4984ff335a9012d8cc1d
- SHA1
  
  387def4502c5e0ba3b251104ecddfc198738342c
- SHA256
  
  2b8b0f6daa592854ed4e8715334cce139fe012477cae76128d7e7f08d22cc81e
- SHA512
  
  facb748b650b4cff502ed7fef1c24e710e0f70176d9fa4cac57649380e498fe7e5c532e47260544512b9ce855819dee5e027ef4c27972e819dae35461354857d
- SSDEEP
  
  12288:HcD663wQ4dLOSwCDfJqlE6uGiGSAlVLuBRzXA2oAMHVB66EYAUTS9D/ksSzQRS:H9LtwCc26uGi2VCHXSBzTaDMsAQRS
Score

10^/10

cybergate vítima discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevítimadiscoverypersistencestealertrojan

behavioral2

cybergatevítimadiscoverypersistencestealertrojan