cybergate | bad9e59ca96315d8bbf48e7f247c9fd00954f094f6bcacab9af483d98f1ad5c9 | Triage

Sharing

General

Target

a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118
Size

1.1MB
Sample

241127-l6m2ssyqdt
MD5

a7503ad56f686432fbdc3ab0d45b0f92
SHA1

f3c47c68b54adb78499544ebc34744808789f7da
SHA256

bad9e59ca96315d8bbf48e7f247c9fd00954f094f6bcacab9af483d98f1ad5c9
SHA512

ba880e2ff032b6c620a1107a2390d440dbb02df68ba2581235859ef583b470276b133ecd4ba115305d08e3f9ef23a0fb5b65f959fe9f250f96155b50d1beb18f
SSDEEP

12288:rQdfp2v7g6ML1HbPifA27Wna1PLAXOgX0JwJtlyUH+llKLb0bCx:rQo7g6ML9e427rs2wTlyUHtLb0W

Score

10^/10

cybergate cyber discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.11.0 - Public Version

Botnet

cyber

C2

vip081247.no-ip.biz:82

Mutex

SRXA81Y15I78PF

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  a7503ad56f686432fbdc3ab0d45b0f92_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  a7503ad56f686432fbdc3ab0d45b0f92
- SHA1
  
  f3c47c68b54adb78499544ebc34744808789f7da
- SHA256
  
  bad9e59ca96315d8bbf48e7f247c9fd00954f094f6bcacab9af483d98f1ad5c9
- SHA512
  
  ba880e2ff032b6c620a1107a2390d440dbb02df68ba2581235859ef583b470276b133ecd4ba115305d08e3f9ef23a0fb5b65f959fe9f250f96155b50d1beb18f
- SSDEEP
  
  12288:rQdfp2v7g6ML1HbPifA27Wna1PLAXOgX0JwJtlyUH+llKLb0bCx:rQo7g6ML9e427rs2wTlyUHtLb0W
Score

10^/10

cybergate cyber discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatecyberdiscoverypersistencestealertrojan

behavioral2

cybergatecyberdiscoverypersistencestealertrojan