General
Target: 2fe46191358d59fca0bade9268b8517fe4146af224a095e9cf9e9deeb8f3c3d3.exe
Size: 2.7MB
Sample: 241205-pyj7qavmfz
MD5: 3e2b65e524e90c30fe0e5e1b0554acc9
SHA1: 1a53c2a6e8f97d71ec45e01d6e7b748ae5e09bcd
SHA256: 2fe46191358d59fca0bade9268b8517fe4146af224a095e9cf9e9deeb8f3c3d3
SHA512: 2cf8b7139199458a597d8ea6e1dad25462246e95d82fcf5a80582e301fcc0d292cb29ca702b53ab5b7f9fe87e44f1bd40042a4dd80d5e0a116dd7377080a054e
SSDEEP: 49152:7UU8YuHT7TWPH+ERuznN/3WnpcVGDMb1K2/8vrYaKa8:IYuHT7TWPH+ERuznNfWyVGDQFWKa8
Static task: static1
Behavioral task: behavioral1
Sample: 2fe46191358d59fca0bade9268b8517fe4146af224a095e9cf9e9deeb8f3c3d3.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2fe46191358d59fca0bade9268b8517fe4146af224a095e9cf9e9deeb8f3c3d3.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted: cybergate
Version: v3.4.2.2
BAT1
C2: uzeyir.no-ip.biz:2000
C2: oskarman.sytes.net:2000
5-4A15-E8WGoogle Extension Packcvdv
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_file: Googleinc.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: hakan1234
regkey_hkcu: Google Extension Pack
regkey_hklm: Google Extension Pack
Targets
Target: 2fe46191358d59fca0bade9268b8517fe4146af224a095e9cf9e9deeb8f3c3d3.exe
Size: 2.7MB
MD5: 3e2b65e524e90c30fe0e5e1b0554acc9
SHA1: 1a53c2a6e8f97d71ec45e01d6e7b748ae5e09bcd
SHA256: 2fe46191358d59fca0bade9268b8517fe4146af224a095e9cf9e9deeb8f3c3d3
SHA512: 2cf8b7139199458a597d8ea6e1dad25462246e95d82fcf5a80582e301fcc0d292cb29ca702b53ab5b7f9fe87e44f1bd40042a4dd80d5e0a116dd7377080a054e
SSDEEP: 49152:7UU8YuHT7TWPH+ERuznN/3WnpcVGDMb1K2/8vrYaKa8:IYuHT7TWPH+ERuznNfWyVGDQFWKa8
Signatures
- Cybergate family
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Modifies Windows Firewall
- Checks computer location settings. Looks up the country code configured in the registry, likely for geofencing.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 4
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 3
- Modify Registry: 6