cybergate | bd142721218705104b92c67aa3fca2517067f778b3ec67faf97eb41cd5c5a4b6

General

Target

JaffaCakes118_7898e4e88c9705492077d523a6c6b039
Size

842KB
Sample

250104-j1b18s1jet
MD5

7898e4e88c9705492077d523a6c6b039
SHA1

5c6a8950eca0afeef0b9015a4ca0985e766bc85d
SHA256

bd142721218705104b92c67aa3fca2517067f778b3ec67faf97eb41cd5c5a4b6
SHA512

a5439f6adb3073e61c3c6a08d912e2f07725769e16f4deea5bbe2f31c61e18611957df947a8653734fddf0ca7f5788947402f04f3c11fdd8664a9e023c8e4e61
SSDEEP

12288:hTsrLn1kFwdd0p+7j9albVmYBvSAa8q8G8CGmP0ooTrSpDo3BwOwUqP:B0nCFgd0pKj9albIYRC2mP0VrsM32pT

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

grenadexnxx.hopto.org:100

Mutex

3I061X2TQ12448

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Targets

- Target
  
  JaffaCakes118_7898e4e88c9705492077d523a6c6b039
- Size
  
  842KB
- MD5
  
  7898e4e88c9705492077d523a6c6b039
- SHA1
  
  5c6a8950eca0afeef0b9015a4ca0985e766bc85d
- SHA256
  
  bd142721218705104b92c67aa3fca2517067f778b3ec67faf97eb41cd5c5a4b6
- SHA512
  
  a5439f6adb3073e61c3c6a08d912e2f07725769e16f4deea5bbe2f31c61e18611957df947a8653734fddf0ca7f5788947402f04f3c11fdd8664a9e023c8e4e61
- SSDEEP
  
  12288:hTsrLn1kFwdd0p+7j9albVmYBvSAa8q8G8CGmP0ooTrSpDo3BwOwUqP:B0nCFgd0pKj9albIYRC2mP0VrsM32pT
Score

10^/10

cybergate remote discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Cybergate family

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2