cybergate | 0bbb796372cc6282e3d602f9079ea0d814121da02c9224faf25cc062be11a255

General

Target

be1333d4c69459b25928d46eb6bfb775_JaffaCakes118
Size

432KB
Sample

241203-s4r2as1ngz
MD5

be1333d4c69459b25928d46eb6bfb775
SHA1

6ad2f5b20e84e5914f2619a32ca2d2425e348b94
SHA256

0bbb796372cc6282e3d602f9079ea0d814121da02c9224faf25cc062be11a255
SHA512

43850c3205e07e7a1ac829108d928ac882636daba8f845b5701823330e6adc175014a975bec542679cdff8a61f3e64c026a8cad5e5e7ad7ab33a1bbbb8231b52
SSDEEP

12288:auVN7IK7cCcX/YtT8L4qV3FQSnt6E5m18BBWtbc/LcPnXrs:aoNUK7XcX/WT+R6Ym1gAhFXrs

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

ksama_pepito

C2

ksamapepito.no-ip.org:90

192.168.1.15:90

Mutex

O6184JK31YIF4Y

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
test.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
azerty14
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  Terraria.exe
- Size
  
  678KB
- MD5
  
  fcb443f5bfa48c387991736e6b2b5803
- SHA1
  
  8195908b47c087d4b1c5abc198632ed26a890d23
- SHA256
  
  d9325fb197488e9c06adf56c45007cce94f403e5e0f444229119b948cd361d78
- SHA512
  
  c883116976c01c9d1ec583f3f6748522833dc199307b6e2812ded179861193b905177f82cdff7cb7f741ac4a4976f35020a0b1a54959a7c310c003b63986b889
- SSDEEP
  
  12288:ldqhhwtMmi8PHsyA50a52usAccoJe44QAVm:ldqzCMmZHsyeQA
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  test.exe
- Size
  
  275KB
- MD5
  
  477b2b8d24e316c8bb3282983deeb292
- SHA1
  
  86f16f72ddf9d23d2205a73b9c795fe4c260e3dc
- SHA256
  
  6090f28960bab93657d958946d096874307422eb3497f02d30dbb2f9e5690e3d
- SHA512
  
  b34aad4936df83467837a96120223059ef35a79299ec8876db66e31b7202a8482e768ddc7ac77f02f5346b4461fe6a30822089fda180e89d73441e83ffc9cf6a
- SSDEEP
  
  6144:FMILuveX0F0YPXc8wJpEDvg8o+JH2cO6x8cO6kCz:FbgeX0vXCpUgFQH2f6xdk
Score

10^/10

cybergate ksama_pepito discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4