cybergate | 0443a5f690c28931b5ec8a92813a4b83fa779f17510f6b8429b3de7e6a2a9a4c

General

Target

0443a5f690c28931b5ec8a92813a4b83fa779f17510f6b8429b3de7e6a2a9a4cN.exe
Size

560KB
Sample

241220-c3eftaxpam
MD5

e290c89e9132cb47416d6e0dfb94ffd0
SHA1

0ca1464e1a5104059b7b32a0ab582fb00551bb15
SHA256

0443a5f690c28931b5ec8a92813a4b83fa779f17510f6b8429b3de7e6a2a9a4c
SHA512

ff9037a740c7d923439dd166e99aa80a5c403cef6362f2bef165f1f15c0191ee3d20ff154b7de9db21e4d220a24a95944a5c5f6e73fced991936fceb673e69e6
SSDEEP

12288:36Wq4aaE6KwyF5L0Y2D1PqLX3mkSUc3v2qXk22IulGJLXIWJLhh:VthEVaPqLXWUg34ELXvnh

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Ns14

C2

gvt.zapto.org:88

oxiuru.dyndns.tv:88

Mutex

J3YD4344577G2O

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
imation

Targets

- Target
  
  0443a5f690c28931b5ec8a92813a4b83fa779f17510f6b8429b3de7e6a2a9a4cN.exe
- Size
  
  560KB
- MD5
  
  e290c89e9132cb47416d6e0dfb94ffd0
- SHA1
  
  0ca1464e1a5104059b7b32a0ab582fb00551bb15
- SHA256
  
  0443a5f690c28931b5ec8a92813a4b83fa779f17510f6b8429b3de7e6a2a9a4c
- SHA512
  
  ff9037a740c7d923439dd166e99aa80a5c403cef6362f2bef165f1f15c0191ee3d20ff154b7de9db21e4d220a24a95944a5c5f6e73fced991936fceb673e69e6
- SSDEEP
  
  12288:36Wq4aaE6KwyF5L0Y2D1PqLX3mkSUc3v2qXk22IulGJLXIWJLhh:VthEVaPqLXWUg34ELXvnh
Score

10^/10

cybergate ns14 discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Cybergate family

Checks computer location settings

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2