General
-
Target
b47eccdc2e03ef0a375138edc7480883abf982d35f4d73ad6285935dc8d418d2N.exe
-
Size
1.7MB
-
Sample
241216-jq7p6aslgm
-
MD5
e7084fc660f902064165382eb2f24bf0
-
SHA1
0b6a4054b2ebcfce22c8d13a3bc455f2d3ea107a
-
SHA256
b47eccdc2e03ef0a375138edc7480883abf982d35f4d73ad6285935dc8d418d2
-
SHA512
4379fc498ff8a7f0c13caf265b8a565958aebdfe4de6e947659f74ebfcdc8354aab30b0fd5cc2fd30577c618d145ff5e2ac377eaef42030363bb433547b03234
-
SSDEEP
24576:cSgaua2SmgCET70Cv+6FbRUwqZ0yQ6wiO4bXB:cQ8Q/yi8
Malware Config
Extracted
cybergate
v1.07.5
ynl
ynl1.no-ip.biz:82
84OJ6227677457
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
Windows_Update
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Contact Admin...
-
message_box_title
Error
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
b47eccdc2e03ef0a375138edc7480883abf982d35f4d73ad6285935dc8d418d2N.exe
-
Size
1.7MB
-
MD5
e7084fc660f902064165382eb2f24bf0
-
SHA1
0b6a4054b2ebcfce22c8d13a3bc455f2d3ea107a
-
SHA256
b47eccdc2e03ef0a375138edc7480883abf982d35f4d73ad6285935dc8d418d2
-
SHA512
4379fc498ff8a7f0c13caf265b8a565958aebdfe4de6e947659f74ebfcdc8354aab30b0fd5cc2fd30577c618d145ff5e2ac377eaef42030363bb433547b03234
-
SSDEEP
24576:cSgaua2SmgCET70Cv+6FbRUwqZ0yQ6wiO4bXB:cQ8Q/yi8
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Cybergate family
-
UAC bypass
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4