cybergate | b85b825a13d2b5277dcecb5020ffdcacdbd1b83a056409a670c1e0aa36c55718

General

Target

dc6dff6f88c7432e06d940cd226c9bb4_JaffaCakes118
Size

480KB
Sample

241210-b3kgdsypew
MD5

dc6dff6f88c7432e06d940cd226c9bb4
SHA1

4501951decc1859bbee9c1fa340a129672b4a4b1
SHA256

b85b825a13d2b5277dcecb5020ffdcacdbd1b83a056409a670c1e0aa36c55718
SHA512

bfbfa78350887d979b9255f157df51a408f4977333763a2e4caa4c8ea60f1031ea680ce987963647824e3d84ee98f68592542673a378b38c415b041f9e524da0
SSDEEP

12288:af6Zp4+vnvlpWiMJZu3f4AdUQAEvkMqwx5a6caYx:5p4+vnvlpDMJZUQAdbzXxcys

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

OPERATION7

C2

polluelos.no-ip.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
syystem32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Not compatible with SO
message_box_title
Atheuz V1
password
admin
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  OP7_Atheuz/Atheuz.dll
- Size
  
  164KB
- MD5
  
  c2ce66f0b14aae86cc5698c3c6c17e49
- SHA1
  
  ab2b937fc9c99feff4f835f97a2ded7ba25a9051
- SHA256
  
  bfb6468a1e82f6a3b9edbc9597da49c28e53aac4dd32580f6a0cb05bbfb6e562
- SHA512
  
  b6219c2a41bf6fab987e14b22e7350f6896bb178fbc250c546d816ac78d59740885368c24f456009af05919e10427ddcc18b2b605101d705435bba2f9f109e74
- SSDEEP
  
  3072:JAY4qb9silgaBWYKrtyB/PqDZSuzc5nIdKS:GY1+LAMpDZjaa
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  OP7_Atheuz/OP7_Injector.exe
- Size
  
  510KB
- MD5
  
  5694f7da1daedb0591c5f76a098e57ef
- SHA1
  
  10d34b602dc7efae4603725e15f80a3ae335c535
- SHA256
  
  ebd82554ff28e53d135a3be94c51879106eff01f511f6755cd7bf54ba3432096
- SHA512
  
  501df940a9be6d92b7dacb9bbacc5b782535d42e830b1f241447d0d5c716208ecd0096942c330b9770f685b7526f9e0a08dfd72a07d43572a49d5069d46cbd62
- SSDEEP
  
  12288:YMDRxxcZ8V9gYLpvr25Bm9Z/pUz6N0k8Cy2LVaP7D0:BZcZ8V97r2OXFoA
Score

10^/10

cybergate operation7 discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4