cybergate | a2a003f9df3b1d412ee10213b2761f94a9f17e4351d6d03c543b11eb084ca0c6 | Triage

Submit
Reports

Overview

overview

Static

static

3

a2a003f9df...6N.exe

windows7-x64

a2a003f9df...6N.exe

windows10-2004-x64

Sharing

General

Target

a2a003f9df3b1d412ee10213b2761f94a9f17e4351d6d03c543b11eb084ca0c6N.exe
Size

484KB
Sample

241203-dlxfqssqdr
MD5

af088a1462c5609be5a03612e99f9bf0
SHA1

8e45c364a6f5a006d628ff13b163f6784f55eda6
SHA256

a2a003f9df3b1d412ee10213b2761f94a9f17e4351d6d03c543b11eb084ca0c6
SHA512

1f059735075156c3778db29d41e5e30abdd5dad6ff038184112962e42ecee9de88145819e727cfd9a2b3d66b5ba2e43ac59bfb6c5390df6d4b23646ccc978ef3
SSDEEP

12288:fRoDLKIX3HgugB6k0C1hBBLaNVigTYVZ3:O6IX3gugHBjgTYVZ3

Score

10^/10

cybergate fvaleria discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a2a003f9df3b1d412ee10213b2761f94a9f17e4351d6d03c543b11eb084ca0c6N.exe

Resource

win7-20240729-en

cybergate fvaleria discovery persistence stealer trojan

windows7-x64

17 signatures

120 seconds

Behavioral task

behavioral2

Sample

a2a003f9df3b1d412ee10213b2761f94a9f17e4351d6d03c543b11eb084ca0c6N.exe

Resource

win10v2004-20241007-en

cybergate fvaleria discovery persistence stealer trojan upx

windows10-2004-x64

19 signatures

120 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

FVALERIA

C2

buceta.sytes.net:2000

galo.no-ip.biz:2000

celsodns.no-ip.org :2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
Windows live messenger
regkey_hklm
Windows live messenger

Targets

- Target
  
  a2a003f9df3b1d412ee10213b2761f94a9f17e4351d6d03c543b11eb084ca0c6N.exe
- Size
  
  484KB
- MD5
  
  af088a1462c5609be5a03612e99f9bf0
- SHA1
  
  8e45c364a6f5a006d628ff13b163f6784f55eda6
- SHA256
  
  a2a003f9df3b1d412ee10213b2761f94a9f17e4351d6d03c543b11eb084ca0c6
- SHA512
  
  1f059735075156c3778db29d41e5e30abdd5dad6ff038184112962e42ecee9de88145819e727cfd9a2b3d66b5ba2e43ac59bfb6c5390df6d4b23646ccc978ef3
- SSDEEP
  
  12288:fRoDLKIX3HgugB6k0C1hBBLaNVigTYVZ3:O6IX3gugHBjgTYVZ3
Score

10^/10

cybergate fvaleria discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatefvaleriadiscoverypersistencestealertrojan

behavioral2

cybergatefvaleriadiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy