cybergate | 118ae0160ca6f9166d4eab797a8749bc1c95a06513d26663c414be24bc4eefd5

General

Target

baf7451a1ba439590125fab8f64b9aed_JaffaCakes118
Size

260KB
Sample

241203-a785waxmbn
MD5

baf7451a1ba439590125fab8f64b9aed
SHA1

63aed91de567241ea54c7d489fd4a721385191b3
SHA256

118ae0160ca6f9166d4eab797a8749bc1c95a06513d26663c414be24bc4eefd5
SHA512

7b42848bf08915547485c741edbbf2a35bf44f040e2b9db316a29dd4a563c4a3138a06ced7e059c984cdc2cf3ed2f8d7d9635d864818199da20e9a915e1e96f6
SSDEEP

6144:5lqc2zXc+P7FWhkSXzIcY5SDGcVxVqJFEmekTF9zDaq30x:5lqc2hcDiUqJ62nzGUK

Score

10^/10

Malware Config

Extracted

Family

cybergate

Botnet

FALSE

C2

ØØÎÙÏÏ¼¼êÕÎÈÉÝÐìÎÓÈÙßÈ¼¼êÕÎÈÉÝÐýÐÐÓß¼¼êÕÎÈÉÝÐúÎÙÙ¼¼¼ùÄÕÈìÎÓßÙÏÏ¼¼¼ðÏÝÿÐÓÏÙ¼¼ÿÎÅÌÈéÒÌÎÓÈÙßÈøÝÈÝ¼¼óÐÙõÒÕÈÕÝÐÕÆÙ¼¼¼ïÅÏúÎÙÙïÈÎÕÒÛ¼¼¼ìïÈÓÎÙÿÎÙÝÈÙõÒÏÈÝÒßÙ¼¼îÝÏùÒÉÑùÒÈÎÕÙÏý¼¼¼ïôûÙÈïÌÙßÕÝÐúÓÐØÙÎìÝÈÔý¼¼¼èÓýÏßÕÕ¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼üTRUE

16

1

CyberGate

Remote Administration anywhere in the world.

FALSE

TRUE

ftp.server.com

./logs/

ftp_user

ª÷Öº+Þ

21

30

Mutex

Attributes

enable_keylogger
false
enable_message_box
false
install_dir
FALSE
install_file
FALSE
install_flag
false
keylogger_enable_ftp
false
message_box_caption
6965cba8020d9cff26fa43c34a86f346
message_box_title
FALSE
password
FALSE
regkey_hkcu
FALSE
regkey_hklm
explorer.exe

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

127.0.0.1:103

77.2.18.83:103

Mutex

QJ7Q8GFCX773R3

Attributes

enable_keylogger
false
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate1

Targets

- Target
  
  server.exe
- Size
  
  270KB
- MD5
  
  00bddebb214d447dc45d3bf5f2a5b1a8
- SHA1
  
  2b1d0f660123e86bcb3f7924551f0b5ea9e8f71d
- SHA256
  
  b7efd29e3a753177b74bf02de5fef6609c6932492b38efccfbba2bb712a566a4
- SHA512
  
  ef442f4f9413b46378eab58ca7136da2f24fcc79e4036801eee1be35735b7c6df598dad9fd5deccc7d84adcc1485dbff1752d8f96d9812e1afc8d0a46d5a85c9
- SSDEEP
  
  6144:7MMZZjZ5zczQIn5Z32CzzVKiVWBgUURvrz553mGWR:4qZ15IzQmr2YciVWeRzzjWGW
Score

10^/10

cybergate remote discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CyberGate, Rebhip

Cybergate family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2