cybergate | f8362987559c18f86c3140f587c9afe2fb672bf8e7c9cef72a40b023340ba1d6

Sharing

Copy URL

Twitter E-mail

General

Target

Pictures.rar
Size

32.9MB
Sample

241217-t73smssqgz
MD5

ee72786ed638b0a1ff4aaeab2930b124
SHA1

9f4cc855008182d693fd95dfc1a01dfa86122e6b
SHA256

f8362987559c18f86c3140f587c9afe2fb672bf8e7c9cef72a40b023340ba1d6
SHA512

d69eb9647d110c91431392e2dfd8bdafab7fd41400ed60432335213657f3e526428ab4fd0db12c7a584959a37d9a17892c9a3b0042dc87a6a3e18f3f08a8a9e2
SSDEEP

786432:LuXBszdWeJLr859RPyUE9ykGTxJM3O/vKxhNR58SzCFKvLYYdhwe1x3H1A4jwU:ixQhAdO+xhyNR58SzpzYgxx3H24EU

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

127.0.0.1:999

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Extracted

Family

darkcomet

Botnet

Guest16_min

127.0.0.1:1604

Mutex

DCMIN_MUTEX-6NVM9VT

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
UK2Bgjd1gQ7p
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  CyberGate Excel v2.5.5.1 - Trial/CyberGate Excel v2.5.5.1 - Trial/CyberGate Excel_v2.5.5.1-trial.exe
- Size
  
  20.0MB
- MD5
  
  e439e5634e7ec43b46bcf1d54c6ad292
- SHA1
  
  055cfa10a8be6ef9e49786c1206f2f855b2dd637
- SHA256
  
  7dfb0ece83deed38190bb57a9aab44a101203fa7e0b3e633e7c7231173a43fd1
- SHA512
  
  06a91704625a572255ed256286da965443d01c7d581d69dd91164144f7ce2113f3830a749c99f7d63b2b04572ae31e699455c888d5015df3391860e6beb41ed5
- SSDEEP
  
  393216:9oePeqDgO0luPusB1mRqUcEpjBVNT4kzzFUC:9o9OsuPTB1m4zER9T4kR
Score

5^/10

discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  CyberGate Excel v2.5.5.1 - Trial/CyberGate Excel v2.5.5.1 - Trial/server.exe
- Size
  
  405KB
- MD5
  
  2bafc6be6147f7c66138becbde526cc0
- SHA1
  
  b756233a6e0b20278fedf1caa030f504e54a8384
- SHA256
  
  b693b56c3ed54d8e250c8a7347f421df3bbe097bdd581696624257c5c656b8a3
- SHA512
  
  59e1d61c735949045a41410904337603a9b93f0a6b7d64b5f288920442cb01f6015341dd570a8169e0bef4d631d3fd5a2b7990b8c5f47c1d2a51403e67c59eb2
- SSDEEP
  
  12288:VkqfGzfVnl6VCB+lHOWbtOBEtV1H8UTAti5:VkqfGhoAyx2Vc5
Score

10^/10

xtremerat discovery persistence rat spyware upx
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  CyberGate v1.07.5/CyberGate v1.07.5/CyberGate v1.07.5.exe
- Size
  
  2.3MB
- MD5
  
  fc6ee683f28c4d867b069841b45cde8b
- SHA1
  
  7ba5b8f07bd86a85b583f8c92d27bb94792b6373
- SHA256
  
  d2119d9dce199cab558514bb1de19a59b207a9d654d0ed1477fa2d98f20e3dc3
- SHA512
  
  a74f81bb2fa4806abb61e7c8b66fe60b2827120a5558ced95076d3af37e517a4395f28750875fb7cca197258502d8eee3221ee6c4a9fd76e5ec95c4ec5563f56
- SSDEEP
  
  49152:jBcY9bLMtRGHMTy+hjt2cTl4XRsme9qwwoHXi3Ic+8R1Hg3wx:iftRmsy+l4cIe9qn2XsIcHrx
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  CyberGate v1.07.5/CyberGate v1.07.5/server.exe
- Size
  
  296KB
- MD5
  
  8af5123bd112bc7ab914541510debe78
- SHA1
  
  e3933efe1c86d97ad198a1065065184edca1f0d8
- SHA256
  
  3a503f261baea1d0cdd69d3dd8b397d7a403b8b987da910b633a1d89743842d0
- SHA512
  
  81b10a53567aab61ee1ec54e0a11a1dabb99ca636c84d1842db847dc63b437c1b0feca337c848b04e1d5b9d222aad84a6386b848ec2467c07933a8ce85692c82
- SSDEEP
  
  6144:fOpslFlq2hdBCkWYxuukP1pjSKSNVkq/MVJbz:fwsldTBd47GLRMTbz
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7 behavioral8
- Target
  
  CyberGate v1.07.5/CyberGate v1.07.5/sqlite3.dll
- Size
  
  171KB
- MD5
  
  744dcc4cbbfbb18fe3878c4e769ec48f
- SHA1
  
  c1f2c56ee2d91203a01d3465f185295477a1217d
- SHA256
  
  33eb31a2a576e663474a895ff0190316c64a93d9ce05a55df0d53f9beeb61163
- SHA512
  
  706630be2ca09e574a7794e32e515a0a3f993643d034647b8cb976c1e7045e87e30362757cc65fcdb95f4a4327f0dcda3edc82ba84e5ed9115870a037e13af21
- SSDEEP
  
  3072:4yOtgCNPbAHuzueAlwsKmiiEHpmBt7tjBwHH1ELXvSsmB8teUOhKJz4ZKJNCT1xe:FOtRsOz2xKmGH8JBwn+2smB1Uf8Kurb
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral10 behavioral9
- Target
  
  Dark Comet 5.3/Dark Comet/Celesty Binder/Celesty.exe
- Size
  
  2.7MB
- MD5
  
  c3009ee63bc661d9ea75eaeb256448ca
- SHA1
  
  45eb01150756df432e25eed44d976442473356de
- SHA256
  
  0bb88564a22bfd6d9ad6e4d8efa9077792a7b6094c2a0f865d70c43e11507352
- SHA512
  
  96f5847fbeef95df1309e97a4bc3d786a5f5c19b87e804f12d88b4473a0b50291c40407a3d95a2d5d78031f03be76da47f1846a73c7802ddae46a38ac4634e67
- SSDEEP
  
  49152:vOY/SiSf6KSIshmgTlxRQv9rn0KtX2pyJz0qGoy/:tKZshhYv9ptXZJe/
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Dark Comet 5.3/Dark Comet/DarkComet.exe
- Size
  
  11.3MB
- MD5
  
  d761f3aa64064a706a521ba14d0f8741
- SHA1
  
  ab7382bcfdf494d0327fccce9c884592bcc1adeb
- SHA256
  
  21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6
- SHA512
  
  d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f
- SSDEEP
  
  196608:TPvqxSrDTVokQwhM/kSEMTQINokXJw7lW740VeqQPR:LCxSrFokQw2NjUYuWU0t
Score

10^/10

darkcomet discovery rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral13 behavioral14
- Target
  
  Dark Comet 5.3/Dark Comet/Spoof extensions/Spoofer.exe
- Size
  
  2.0MB
- MD5
  
  894b256f41dc579a5b32828ed2f7e3db
- SHA1
  
  06fa1a4dd30780e404c8f2e7a615fd54d6f2ae68
- SHA256
  
  12dbd354b4cc073ea7f80cc0d74bd96118362e9c120df7800cf0f9e863569f98
- SHA512
  
  bede5a2c6e87ac6d432903109cca97fcbf60fdba082ba137a04c6ca6490a548f20910b6560821816b76744235fa19f5fcbe256c1ad9b87c2c1b8b20e5c5ac409
- SSDEEP
  
  24576:cuAzSWYlsCSe+I3n6HgjigeCNOu6kpBiSSgmq8uWYkzJy90qeHqywdbMQTTRwQ+0:KU1Zp6kpkSSgmSWJyqqe3wdbBTubz
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  Dark Comet 5.3/Dark Comet/server.exe
- Size
  
  658KB
- MD5
  
  e7cf9689cad376e6e7268bf25a30b63a
- SHA1
  
  ebfec08757cc240580cdf3e49d7e10844b4a26ca
- SHA256
  
  01883999ea47a8fba7b188d36915d6514cf6299692684547f7b9820310bc5f72
- SHA512
  
  37a1f48cf0adfdbd60eb4fc2664e05e9c95f3b069a21992efab4e8dc6ddd0e8c5e33ea5417817eb1e86bbcf6fd99ef67de220a553d1f55d7e7d519b09a87680a
- SSDEEP
  
  12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hU:eZ1xuVVjfFoynPaVBUR8f+kN10EBK
Score

10^/10

darkcomet guest16_min discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  Dark Comet 5.3/Dark Comet/sqlite3.dll
- Size
  
  510KB
- MD5
  
  d3979db259f55d59b4edb327673c1905
- SHA1
  
  0697e8f35b5951c61a3a632d74fd96843c941628
- SHA256
  
  043e5570299c6099756c1809c5632eabeab95ed3c1a55c86843c0ec218940e5a
- SHA512
  
  0b87c89aafd3e627c7d6bed0b833601fea1917a76a972061f32a2d9e4aa2e9e85b5e8a67cb330ca44aff17915d0fe2793798451a109d3f0b5014eed06b73bb45
- SSDEEP
  
  12288:eiTjR6kna/KzsHIoufPiL5JXjKaarzWovTSmja9q96fQkw8dw:em8NCzsooOPiXT6rSov2mjVw3w
Score

3^/10

discovery
behavioral19 behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Suspicious use of NtSetInformationThreadHideFromDebugger

XtremeRAT

Xtremerat family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

CyberGate, Rebhip

Cybergate family

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

UPX packed file

Darkcomet

Darkcomet family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Darkcomet

Darkcomet family

Modifies WinLogon for persistence

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20