cybergate | edc9ad9b9ebb530c92c74eae5739584f28592bf9f5e69000c3fb2ebe1777aecc | Triage

Submit
Reports

Overview

overview

Static

static

3

edc9ad9b9e...cc.exe

windows7-x64

edc9ad9b9e...cc.exe

windows10-2004-x64

Sharing

General

Target

edc9ad9b9ebb530c92c74eae5739584f28592bf9f5e69000c3fb2ebe1777aecc
Size

319KB
Sample

241227-emykvs1qdn
MD5

53f8362ac1be66a1a40b851b3fe3633c
SHA1

188af4ceb7182266ff5acd66bac693b49842c900
SHA256

edc9ad9b9ebb530c92c74eae5739584f28592bf9f5e69000c3fb2ebe1777aecc
SHA512

17343a24c781067cf9a2640edf4c30be0700c15c029310c59b52b30e806ddb837a38e69d1822d2ccf5c2f22f33184fcd213313b7226cbe6e40625b85893a801a
SSDEEP

6144:jwpfGeJ2FpuDmNl6jI86yyZmhmMCY2fFLrDn8EtNMTbnXhFbE8g6ZBITTAjqVO:QOfFn/gI/zZmhmlY29Lnn4LhFlTETTAN

Score

10^/10

cybergate nominas discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

edc9ad9b9ebb530c92c74eae5739584f28592bf9f5e69000c3fb2ebe1777aecc.exe

Resource

win7-20241010-en

cybergate nominas discovery persistence stealer trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

edc9ad9b9ebb530c92c74eae5739584f28592bf9f5e69000c3fb2ebe1777aecc.exe

Resource

win10v2004-20241007-en

cybergate nominas discovery persistence stealer trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Nominas

C2

192.168.1.192:2222

Mutex

YRDP856R3H4512

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
nominas

Targets

- Target
  
  edc9ad9b9ebb530c92c74eae5739584f28592bf9f5e69000c3fb2ebe1777aecc
- Size
  
  319KB
- MD5
  
  53f8362ac1be66a1a40b851b3fe3633c
- SHA1
  
  188af4ceb7182266ff5acd66bac693b49842c900
- SHA256
  
  edc9ad9b9ebb530c92c74eae5739584f28592bf9f5e69000c3fb2ebe1777aecc
- SHA512
  
  17343a24c781067cf9a2640edf4c30be0700c15c029310c59b52b30e806ddb837a38e69d1822d2ccf5c2f22f33184fcd213313b7226cbe6e40625b85893a801a
- SSDEEP
  
  6144:jwpfGeJ2FpuDmNl6jI86yyZmhmMCY2fFLrDn8EtNMTbnXhFbE8g6ZBITTAjqVO:QOfFn/gI/zZmhmlY29Lnn4LhFlTETTAN
Score

10^/10

cybergate nominas discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatenominasdiscoverypersistencestealertrojanupx

behavioral2

cybergatenominasdiscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy