cybergate | 49f20d016ca5d29565512ba2ca1bc493643f4e74d0ed2d88beba86f85472d2ca

General

Target

bf37b4f9a8adf1d63a0ccb03b2088a21_JaffaCakes118
Size

1.0MB
Sample

241203-zt9lxstpet
MD5

bf37b4f9a8adf1d63a0ccb03b2088a21
SHA1

7793d079ae652fcd080c0d0f072bedc9b602f380
SHA256

49f20d016ca5d29565512ba2ca1bc493643f4e74d0ed2d88beba86f85472d2ca
SHA512

f928d1cad4c739278cd3d2e99161dcab307c97ad50f1f301225c07517a8b0f074d18f8937e0b22794ddba1791633f3150d7ba7802bf9b3589b2cd344c9e5e163
SSDEEP

24576:BSu3grtJyezFSjaiHjaOeXqoE/Ju6LAfHyUZrg8y7u2R0bAWwrw+GUI:BSdSexmbjKXiR5LAfHyUZExmbAWiwyI

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

ksama_pepito

C2

ksamapepito.no-ip.org:90

192.168.1.15:90

Mutex

M16JNP7R7JKR45

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
azerty14
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  CYBER_~2.EXE
- Size
  
  368KB
- MD5
  
  c869cac87c55fdb2e6848db95b3b871e
- SHA1
  
  7fbd5e3f75e3ffb03ec2e79994cda6dcd6b91ba8
- SHA256
  
  fe7d4f23771f8ba5dba018d64bdba970f7b9d228116ad86c24315251e5f4d433
- SHA512
  
  0a97b78fa9223cb6f99ee030d6cd47c3884b8fabe844fa124261655e447fb7b09d85c689c8413b789541c0a401f428cf0833e49e88ef59fa9cb953677761a953
- SSDEEP
  
  6144:XT9Q8XsT+K9eRkfqQLxfX4DhV0btRDJRWEHKFGSiEQn89KwEtqz:g+K9eUqQ1fX4Dv0bfWEqFGJEV24
Score

10^/10

discovery cybergate ksama_pepito persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  DOTNET~1.EXE
- Size
  
  868KB
- MD5
  
  53406e9988306cbd4537677c5336aba4
- SHA1
  
  06becadb92a5fcca2529c0b93687c2a0c6d0d610
- SHA256
  
  fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425
- SHA512
  
  4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99
- SSDEEP
  
  24576:+tW4x8xAxCdUcyezFSjaBHFaNlsqK5/oh6iZf1LUXw/vxNI:d4x8xqCGexm8FCspg0iZf1LUXD
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral3 behavioral4