General
Target: c56fa4e2195ae25719d7eb9f2d8d9e04f12ba2250dfc1dc2190fd8b180f0b5f0N.exe
Size: 2.7MB
Sample: 241205-nq2alaynel
MD5: b55882231d4ae689ef2f437474bfcd50
SHA1: 494c885ab75defe799e9ba46def362d571112564
SHA256: c56fa4e2195ae25719d7eb9f2d8d9e04f12ba2250dfc1dc2190fd8b180f0b5f0
SHA512: 58ba7fcd5f75d4ce1042ba28b66caba309e7cac9588e26b5ad36b70054004dd83673cfe6d903fdea499c9f2ff1e8e800285d8ef54598fe71a1c0339f0387ebb2
SSDEEP: 49152:7UU8YuHT7TWPH+ERuznN/3WnpcVGDMb1K2/8vrYaKa8:IYuHT7TWPH+ERuznNfWyVGDQFWKa8
Static task: static1
Behavioral task: behavioral1
  Sample: c56fa4e2195ae25719d7eb9f2d8d9e04f12ba2250dfc1dc2190fd8b180f0b5f0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c56fa4e2195ae25719d7eb9f2d8d9e04f12ba2250dfc1dc2190fd8b180f0b5f0N.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted
cybergate
v3.4.2.2
BAT1
uzeyir.no-ip.biz:2000
oskarman.sytes.net:2000
5-4A15-E8WGoogle Extension Packcvdv
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_file: Googleinc.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: hakan1234
regkey_hkcu: Google Extension Pack
regkey_hklm: Google Extension Pack
Targets
Target: c56fa4e2195ae25719d7eb9f2d8d9e04f12ba2250dfc1dc2190fd8b180f0b5f0N.exe
Size: 2.7MB
MD5: b55882231d4ae689ef2f437474bfcd50
SHA1: 494c885ab75defe799e9ba46def362d571112564
SHA256: c56fa4e2195ae25719d7eb9f2d8d9e04f12ba2250dfc1dc2190fd8b180f0b5f0
SHA512: 58ba7fcd5f75d4ce1042ba28b66caba309e7cac9588e26b5ad36b70054004dd83673cfe6d903fdea499c9f2ff1e8e800285d8ef54598fe71a1c0339f0387ebb2
SSDEEP: 49152:7UU8YuHT7TWPH+ERuznN/3WnpcVGDMb1K2/8vrYaKa8:IYuHT7TWPH+ERuznNfWyVGDQFWKa8

Signatures
- Cybergate family
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)