cybergate | b3472ca8bd39c23f2b5856425edbfe30de978e601f5a5960a294690598e99abb | Triage

Submit
Reports

Overview

overview

Static

static

3

e4203939af...18.exe

windows7-x64

4

e4203939af...18.exe

windows10-2004-x64

Sharing

General

Target

e4203939af6005948bc7b307a65508da_JaffaCakes118
Size

539KB
Sample

241212-b3rwgazqdn
MD5

e4203939af6005948bc7b307a65508da
SHA1

1869ccf605e4af7b24468d50f2b78b6c6493a245
SHA256

b3472ca8bd39c23f2b5856425edbfe30de978e601f5a5960a294690598e99abb
SHA512

ac3f8a55c540911cb523d055696cc2e7b124c3dbeb76997587c215c9801e39400680f9d4d7dd745336aca0b6450dd155e90a60766aeeed177b8bd6211e29f4e3
SSDEEP

12288:Acnnmh337eUzDvFOZisuqNdR9rFv57mJOLZrd52UFDwX:vnQH66OHuqNdRdtAJi5d4Um

Score

10^/10

cybergate victim discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e4203939af6005948bc7b307a65508da_JaffaCakes118.exe

Resource

win7-20240903-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

e4203939af6005948bc7b307a65508da_JaffaCakes118.exe

Resource

win10v2004-20241007-en

cybergate victim discovery persistence stealer trojan upx

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victim

C2

zonk.no-ip.org:2000

tyoh.no-ip.org:2000

Mutex

***HSSD70322***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
ekrn32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
3D7FAC21
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  e4203939af6005948bc7b307a65508da_JaffaCakes118
- Size
  
  539KB
- MD5
  
  e4203939af6005948bc7b307a65508da
- SHA1
  
  1869ccf605e4af7b24468d50f2b78b6c6493a245
- SHA256
  
  b3472ca8bd39c23f2b5856425edbfe30de978e601f5a5960a294690598e99abb
- SHA512
  
  ac3f8a55c540911cb523d055696cc2e7b124c3dbeb76997587c215c9801e39400680f9d4d7dd745336aca0b6450dd155e90a60766aeeed177b8bd6211e29f4e3
- SSDEEP
  
  12288:Acnnmh337eUzDvFOZisuqNdR9rFv57mJOLZrd52UFDwX:vnQH66OHuqNdRdtAJi5d4Um
Score

10^/10

discovery cybergate victim persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Suspicious use of NtCreateProcessExOtherParentProcess
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

cybergatevictimdiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy