cybergate | e9d55c4331c35c96310b5958b105c9ac27c5be848e01e55b12f9b4dc0cd252c4 | Triage

Sharing

General

Target

e9d55c4331c35c96310b5958b105c9ac27c5be848e01e55b12f9b4dc0cd252c4N
Size

1.3MB
Sample

241103-rfzksswcjh
MD5

815fe391b1f0021e5167e4590f1bfb60
SHA1

8b3910b95231b6a09dcb90b22afc6466e47b1451
SHA256

e9d55c4331c35c96310b5958b105c9ac27c5be848e01e55b12f9b4dc0cd252c4
SHA512

bcf59d2f0c87f46a127db4589d033e4aea04bfc11d50d24f967286ddb7c15f4afce2b1b5f9d22aca70902cc62c1f1be72cba24a123e7801c6cb9389d1bd60fff
SSDEEP

24576:umyRuH2ivDHnx4sM8xu9JUFMuXzJa24yRuH2ivDHnx4sM8xu9JUFMuXzJa2BL4A7:4RuHpVZM8xurUFM8aYRuHpVZM8xurUFP

Score

10^/10

cybergate vítima discovery evasion persistence privilege_escalation stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

hackerino.no-ip.biz:1234

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
smss.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  e9d55c4331c35c96310b5958b105c9ac27c5be848e01e55b12f9b4dc0cd252c4N
- Size
  
  1.3MB
- MD5
  
  815fe391b1f0021e5167e4590f1bfb60
- SHA1
  
  8b3910b95231b6a09dcb90b22afc6466e47b1451
- SHA256
  
  e9d55c4331c35c96310b5958b105c9ac27c5be848e01e55b12f9b4dc0cd252c4
- SHA512
  
  bcf59d2f0c87f46a127db4589d033e4aea04bfc11d50d24f967286ddb7c15f4afce2b1b5f9d22aca70902cc62c1f1be72cba24a123e7801c6cb9389d1bd60fff
- SSDEEP
  
  24576:umyRuH2ivDHnx4sM8xu9JUFMuXzJa24yRuH2ivDHnx4sM8xu9JUFMuXzJa2BL4A7:4RuHpVZM8xurUFM8aYRuHpVZM8xurUFP
Score

10^/10

cybergate vítima discovery evasion persistence privilege_escalation stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatevítimadiscoveryevasionpersistenceprivilege_escalationstealertrojanupx

behavioral2

cybergatevítimadiscoveryevasionpersistenceprivilege_escalationstealertrojanupx