cybergate | 72d6ef640fdbc2478cd042dfce206cd1b7527fd8547bd211813fb872f0ea7563 | Triage

Sharing

General

Target

aa2127a9413747c34bb249f1e3be32cd_JaffaCakes118
Size

668KB
Sample

241127-3py66ssjak
MD5

aa2127a9413747c34bb249f1e3be32cd
SHA1

25b86b6f3bcbaf0589a6ae753f7de6c733b61bb0
SHA256

72d6ef640fdbc2478cd042dfce206cd1b7527fd8547bd211813fb872f0ea7563
SHA512

b6f0534242dd9b8e74e86d894345d87bc41c48e64fc99cf1d1c65635ca1160f1f0ab3f465f863e41edd4a69164ba82696576f5fee5e1af907eff56bf79200aba
SSDEEP

12288:tAsCBzgBdSyZcuRR8v/g/KJ2LowPvYF1O8iNcQegZ3PiVXz8:tAXqBdSyu2RmSKT5oRegZ3Pia

Score

10^/10

cybergate agesruoff discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

agesruOff

C2

brostobrosto.no-ip.biz:1232

brostobrosto.no-ip.biz:2523

brostobrosto.no-ip.biz:3423

brostobrosto.no-ip.biz:5423

brostobrosto.no-ip.biz:6543

brostobrosto.no-ip.biz:7863

brostobrosto.no-ip.biz:8744

brostobrosto.no-ip.biz:9521

brostobrosto.no-ip.biz:10747

brostobrosto.no-ip.biz:10766

brostobrosto.no-ip.biz:10777

brostobrosto.no-ip.biz:10888

brostobrosto.no-ip.biz:10999

brostobrosto.no-ip.biz:11045

brostobrosto.no-ip.biz:12456

brostobrosto.no-ip.biz:12466

brostobrosto.no-ip.biz:12477

brostobrosto.no-ip.biz:1600

Mutex

63S8UE14JKY047

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
ftp_password
gdsgasdrwerdghra
ftp_port
21
ftp_server
ftp.zarka.p.ht
ftp_username
u894415329
injected_process
explorer.exe
install_dir
ya
install_file
sys.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
a123123123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  passr‮txt.scr
- Size
  
  728KB
- MD5
  
  0664d25aa4673051f928413c80f497f2
- SHA1
  
  2bd0dbfd669ad21fe08f46b41a4647aae00cb5bb
- SHA256
  
  37923d2d98711a825fc77ffb5436739d8002002966540532ca831291cd089c62
- SHA512
  
  d82c216d0c56c690228bf48b6057a69d6e03873e08ce7d59396ff6d9285f411bdc527281335fc984885472733c5315b9a39a7392b1edce8f2ad8f1404a8c8231
- SSDEEP
  
  12288:YR9bytYqoRg+oT/WPHN2WrG11lTBv8lvihxUVwtjb496m9L16sfBjIvhRmiF:YvcYqqgV/YHMWr21bk4h2Vw5Q6OL1dBK
Score

10^/10

cybergate agesruoff discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateagesruoffdiscoverypersistencestealertrojanupx

behavioral2

cybergateagesruoffdiscoverypersistencestealertrojanupx