cybergate | bb01cb99860e17b60009a6bd2f5bad01ab5d7f7b44d0c87cbb6bf0ce99b59bab | Triage

Sharing

General

Target

dc4102860acb24a4ff8819eb99137954_JaffaCakes118
Size

484KB
Sample

241210-a57t2asmgr
MD5

dc4102860acb24a4ff8819eb99137954
SHA1

bbd2caa9efbab22b3c7915d1e8d15926313303d9
SHA256

bb01cb99860e17b60009a6bd2f5bad01ab5d7f7b44d0c87cbb6bf0ce99b59bab
SHA512

da6bd519763a1097098a8dbc30c4570cce6795a26271fcc069d03d177ecc8508907d597e4ec60302083b4218e674501bf138c7f8b187a37dfab44b7d07c38ce9
SSDEEP

6144:PG/FHQMiiImAAhwkQZsSfcQ+L3oo890Vk3mrdN1srVqj4wLPMSkQA/Vl1+iTy3:PcQMiiAAhwk5d83mrXAVqUIESfA/r

Score

10^/10

cybergate [email protected]discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

[email protected]

C2

lstreeet.no-ip.biz:15963

Mutex

WX8W4OLI7S1D75

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
winlogone.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
whore1
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  dc4102860acb24a4ff8819eb99137954_JaffaCakes118
- Size
  
  484KB
- MD5
  
  dc4102860acb24a4ff8819eb99137954
- SHA1
  
  bbd2caa9efbab22b3c7915d1e8d15926313303d9
- SHA256
  
  bb01cb99860e17b60009a6bd2f5bad01ab5d7f7b44d0c87cbb6bf0ce99b59bab
- SHA512
  
  da6bd519763a1097098a8dbc30c4570cce6795a26271fcc069d03d177ecc8508907d597e4ec60302083b4218e674501bf138c7f8b187a37dfab44b7d07c38ce9
- SSDEEP
  
  6144:PG/FHQMiiImAAhwkQZsSfcQ+L3oo890Vk3mrdN1srVqj4wLPMSkQA/Vl1+iTy3:PcQMiiAAhwk5d83mrXAVqUIESfA/r
Score

10^/10

cybergate [email protected]discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergate[email protected]discoverypersistencestealertrojan

behavioral2