cybergate | fbc2479b3b67ca3390cc869e75b33cc11d3eace74e88ea3e3fa16e7662a38df2 | Triage

Submit
Reports

Overview

overview

Static

static

3

b1950d65f5...18.exe

windows7-x64

3

b1950d65f5...18.exe

windows10-2004-x64

Sharing

General

Target

b1950d65f54c889fc1243e935a5b9afa_JaffaCakes118
Size

361KB
Sample

241129-qw57vayjct
MD5

b1950d65f54c889fc1243e935a5b9afa
SHA1

6dc9f9558fbcadaff7b6e1d3b18feb5027f9ea98
SHA256

fbc2479b3b67ca3390cc869e75b33cc11d3eace74e88ea3e3fa16e7662a38df2
SHA512

317dba6b225a22a22e837ba815116dfaa8635f9369653208740047d822923f28cc00631bafe19ed8ab4591dc9aca74f475a3287840e7a1cbbddd9289d611df57
SSDEEP

6144:meqe6hI9nmr8AcH0GhBl2kEnRJBujPhPyAucXfaBl6gSdvPa:0e6m5mZcH0Grl5ERJY9P786gSZS

Score

10^/10

cybergate hkkh discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b1950d65f54c889fc1243e935a5b9afa_JaffaCakes118.exe

Resource

win7-20240903-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

b1950d65f54c889fc1243e935a5b9afa_JaffaCakes118.exe

Resource

win10v2004-20241007-en

cybergate hkkh discovery persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.0

Botnet

hkkh

C2

127.0.0.1:52055

imkansiz.dyndns.biz:52055

Mutex

J52MX8Y002DLX7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
.//
ftp_interval
30
ftp_password
3393031
ftp_port
21
ftp_server
66.220.9.50
ftp_username
kartal5205
injected_process
explorer.exe
install_dir
installer
install_file
svchust.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
imkansiz
regkey_hklm
HKLM

Targets

- Target
  
  b1950d65f54c889fc1243e935a5b9afa_JaffaCakes118
- Size
  
  361KB
- MD5
  
  b1950d65f54c889fc1243e935a5b9afa
- SHA1
  
  6dc9f9558fbcadaff7b6e1d3b18feb5027f9ea98
- SHA256
  
  fbc2479b3b67ca3390cc869e75b33cc11d3eace74e88ea3e3fa16e7662a38df2
- SHA512
  
  317dba6b225a22a22e837ba815116dfaa8635f9369653208740047d822923f28cc00631bafe19ed8ab4591dc9aca74f475a3287840e7a1cbbddd9289d611df57
- SSDEEP
  
  6144:meqe6hI9nmr8AcH0GhBl2kEnRJBujPhPyAucXfaBl6gSdvPa:0e6m5mZcH0Grl5ERJY9P786gSZS
Score

10^/10

discovery cybergate hkkh persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

cybergatehkkhdiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy