cybergate | e36f41ff31bf902879a4400b714a6cb7cb49a9cecb4fbd4829bd4883543944c0

Sharing

Copy URL

Twitter E-mail

General

Target

a45c50e6fee6463fa2a9ac8268283a5b_JaffaCakes118
Size

2.0MB
Sample

241126-11b5nsskex
MD5

a45c50e6fee6463fa2a9ac8268283a5b
SHA1

957f860d00e87778b510ae9ee9ea06f623207c7f
SHA256

e36f41ff31bf902879a4400b714a6cb7cb49a9cecb4fbd4829bd4883543944c0
SHA512

c011ede9147012c9d77b6a2bb4beb6777cf776f90c7cc53e0e4fd3e934dbe10738999928e8b40974f9350372794379a71e55613c21d12b0a71f8aecd013ed824
SSDEEP

49152:uKBvRfvQiLLaRw1f3GvM4EIZVwQnVGp6xlQAMa6+1sI5vy:nrHQin61EIjwGVGp6vw+1sI56

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

komaextra.zapto.org:85

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
scxhost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  Clear_glass_red_metalic_windows7/Choose Theme/Theme Setup1.exe
- Size
  
  169KB
- MD5
  
  06679d2853687d80f3f5e139e0fd1b96
- SHA1
  
  5c0f4fe9d025d7891df580d7292711ba37e2b3bb
- SHA256
  
  72572ddb1a3ce18646ad7d9a2a44dd5169e708ee2e05c5075ed4d02c04ebb753
- SHA512
  
  1403edb048e123ecf7aa9317ae0c367ee1871f67cee9960e40a82bafc58fcbd81c3e9f0c5c57fe47810d2e6a79e722a054d06b54274dc7d546561a6827d4e444
- SSDEEP
  
  3072:NikH6RwMZVxYwgJf+lOLPICU7/7Na15WGUmuQAR5IjWz+l7EoI0Hzn:NHH6+MZVCofFsu4WMIG
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Clear_glass_red_metalic_windows7/Common Tasks/Bottom Common Tasks/Shellstyle.dll
- Size
  
  1.6MB
- MD5
  
  02f677d4cd30bed56fbef268ec5ff040
- SHA1
  
  7e9f3de906c54b6c94d08189890a4ddd51182f1b
- SHA256
  
  47f9677e88518440622947f7e39cbad399a15b1f99eb3c5a49453a4e9137cd7e
- SHA512
  
  a001c188665caedd47042c9a851bbcd61f89aa3f72fffc5f7a6fb96fc33ecb4f0a00473035dede2ff946915bbc20ef98a555fcf54b598733ce228d69517123f9
- SSDEEP
  
  6144:cUFgxiPki6aWaJrKJSgn/HJahh/KP/+apfT2W6psl5lU5th794T3uDFQ8M+Fn8kp:XFkrUKcg/YvinLWp25orVeE8Hu2G+v
Score

1^/10
behavioral3 behavioral4
- Target
  
  Clear_glass_red_metalic_windows7/Common Tasks/Left Dark Blue Common Tasks/Shellstyle.dll
- Size
  
  1.5MB
- MD5
  
  610c915cdd28f73dbd5e78ab2578a8d1
- SHA1
  
  0912c32bd5bd756d40a44427d7c089995c61c7ed
- SHA256
  
  a7b07ef1a03123dae13d8008fa205055def4e37c0150ba1edbd7ceae7bb619da
- SHA512
  
  f087f68c84cbabff0a5ba2f35b19e871c31227e5e71ef8e9421a7708af66fe941bfaa123859dab24cd9d372d1b63dc79d8b723cad9dbaa57c0df1c89771f34a6
- SSDEEP
  
  24576:uNk7//0woYrzE4OIHQSh3ulgDcQ85etgmqc:gAX0BYrzROIH/3ulgQsZ
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Clear_glass_red_metalic_windows7/Setup App.exe
- Size
  
  384KB
- MD5
  
  343a70d716e59531f6a5c09693b59c4c
- SHA1
  
  8063b0b4d6abb2003d15b264c87ba41d56e7ffc4
- SHA256
  
  ee477f2802f5ea5db526db40599bb64991149490e643a34cc4a55a8c75f375c8
- SHA512
  
  68a8c3039d6cfd66aa7a2bd2ceb52ad0d127b0f001ff9fd42205746f7b0f9bb4eb465f34b12b5ec0965dafa99dc99593de02f5fbbe4a037dd27de824dfade173
- SSDEEP
  
  6144:efaWCNvcVKU0hsRKgU168uMWAGrcenaXAt4XwZt/hGFDpNo7Pr:eyBNkV2nZ68uMWAiA1AZHGNEz
Score

10^/10

cybergate server discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of SetThreadContext

CyberGate, Rebhip

Cybergate family

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8