cybergate | 5343d0e0ca1729b3de64756e4cab745ee79f5939e1f785a967add2d76b55789a | Triage

Submit
Reports

Overview

overview

Static

static

3

e331363b3f...18.exe

windows7-x64

e331363b3f...18.exe

windows10-2004-x64

Sharing

General

Target

e331363b3f22a08e56bfca8c5d77fe3b_JaffaCakes118
Size

420KB
Sample

241211-zrw8tayjes
MD5

e331363b3f22a08e56bfca8c5d77fe3b
SHA1

94cf20ac50216168854720c0624fa7b9bb2e4ce9
SHA256

5343d0e0ca1729b3de64756e4cab745ee79f5939e1f785a967add2d76b55789a
SHA512

17fded0c6bd58d8c29bde829b8d891d88ea2e6733522aa30e628a085329649488d45f2c287e1bfac769c0c2fd5a556006ed60b17b2d669b09a9588d37ba0edc9
SSDEEP

12288:R3SMpG5CYPmUjd/AUJxTy2MePqgv5N1Rf:R3SMs5CYZjd/AUJDrPb

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e331363b3f22a08e56bfca8c5d77fe3b_JaffaCakes118.exe

Resource

win7-20240903-en

cybergate cyber discovery persistence stealer trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

e331363b3f22a08e56bfca8c5d77fe3b_JaffaCakes118.exe

Resource

win10v2004-20241007-en

cybergate cyber discovery persistence stealer trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

Cyber

C2

howudoin.no-ip.biz:82

Mutex

2V56O7OR44TI70

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
csrss.exe
install_dir
Microsoft
install_file
Windows Updare.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  e331363b3f22a08e56bfca8c5d77fe3b_JaffaCakes118
- Size
  
  420KB
- MD5
  
  e331363b3f22a08e56bfca8c5d77fe3b
- SHA1
  
  94cf20ac50216168854720c0624fa7b9bb2e4ce9
- SHA256
  
  5343d0e0ca1729b3de64756e4cab745ee79f5939e1f785a967add2d76b55789a
- SHA512
  
  17fded0c6bd58d8c29bde829b8d891d88ea2e6733522aa30e628a085329649488d45f2c287e1bfac769c0c2fd5a556006ed60b17b2d669b09a9588d37ba0edc9
- SSDEEP
  
  12288:R3SMpG5CYPmUjd/AUJxTy2MePqgv5N1Rf:R3SMs5CYZjd/AUJDrPb
Score

10^/10

cybergate cyber discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatecyberdiscoverypersistencestealertrojanupx

behavioral2

cybergatecyberdiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy