cybergate | ceb26fb1d559479288fca759b94abfc057cf243209ce3f5b8b66214632b7be82 | Triage

Sharing

General

Target

fc4b5adfc9359a368bae1fc2cca76194_JaffaCakes118
Size

421KB
Sample

241218-t1bqkswlem
MD5

fc4b5adfc9359a368bae1fc2cca76194
SHA1

ebb4912d09a8111c746b23af726ddbdebc425c2c
SHA256

ceb26fb1d559479288fca759b94abfc057cf243209ce3f5b8b66214632b7be82
SHA512

45652c45623ecb8d6f8e9a0912563550f3ee0b0fd5f1d43fd4fae8446b3b445dc13245630bca1024bb6757a133d9c9aabb416d8edf25251a3f51834864c94876
SSDEEP

6144:tYYixxn4UcDWoV6ycqbBmFB8Xq2PvcsZC2qAMQAi07M3yVFK/bAgbL7BJd:+YcN4UcDW6XBmkXq2HpYiMQJNyf8nnHd

Score

10^/10

cybergate sql discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

sql

C2

188.72.215.36:5020

Mutex

27MRYFFW7BXO6A

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
ftp_password
rally1986
ftp_port
21
ftp_server
38.99.168.77
ftp_username
coder
injected_process
explorer.exe
install_dir
sql
install_file
sql.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
rally2
regkey_hkcu
sql
regkey_hklm
sql

Targets

- Target
  
  fc4b5adfc9359a368bae1fc2cca76194_JaffaCakes118
- Size
  
  421KB
- MD5
  
  fc4b5adfc9359a368bae1fc2cca76194
- SHA1
  
  ebb4912d09a8111c746b23af726ddbdebc425c2c
- SHA256
  
  ceb26fb1d559479288fca759b94abfc057cf243209ce3f5b8b66214632b7be82
- SHA512
  
  45652c45623ecb8d6f8e9a0912563550f3ee0b0fd5f1d43fd4fae8446b3b445dc13245630bca1024bb6757a133d9c9aabb416d8edf25251a3f51834864c94876
- SSDEEP
  
  6144:tYYixxn4UcDWoV6ycqbBmFB8Xq2PvcsZC2qAMQAi07M3yVFK/bAgbL7BJd:+YcN4UcDW6XBmkXq2HpYiMQJNyf8nnHd
Score

10^/10

cybergate sql discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatesqldiscoverypersistencestealertrojan

behavioral2

cybergatesqldiscoverypersistencestealertrojanupx