cybergate | a30c40330acb77b8d239cb2cce1d2f07a1f2a4f62a62739cbb1bc7c53425a5c5

General

Target

JaffaCakes118_73565d7feaca00c2da659c15547223fe
Size

424KB
Sample

250116-mc32lawrfq
MD5

73565d7feaca00c2da659c15547223fe
SHA1

6e535f9fe9bf4e9a7d849a49d190151cac12bd02
SHA256

a30c40330acb77b8d239cb2cce1d2f07a1f2a4f62a62739cbb1bc7c53425a5c5
SHA512

c29268eda2dc3e287f56f7ca16092bc4fcb1eb223b3504b021b84f622bedbc50a6578f19947d440df0be66ddd906f7363a4cfd121eb859caca56538dd9138eee
SSDEEP

6144:PZwh7ML8kaNBWBDsqrlGHvG6mwlS/b2UoJa6SVwLfuy1R1Efatd17kyQQkxy+Tll:PZwhMp1BhxvwlH9a6cUJ1N/dQ/xy+Bl

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

remote

C2

127.0.0.1:95

Mutex

3UQ3GA84BJIE6J

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_file
svchost.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
azerty
regkey_hkcu
HKCN
regkey_hklm
HKLO

Targets

- Target
  
  JaffaCakes118_73565d7feaca00c2da659c15547223fe
- Size
  
  424KB
- MD5
  
  73565d7feaca00c2da659c15547223fe
- SHA1
  
  6e535f9fe9bf4e9a7d849a49d190151cac12bd02
- SHA256
  
  a30c40330acb77b8d239cb2cce1d2f07a1f2a4f62a62739cbb1bc7c53425a5c5
- SHA512
  
  c29268eda2dc3e287f56f7ca16092bc4fcb1eb223b3504b021b84f622bedbc50a6578f19947d440df0be66ddd906f7363a4cfd121eb859caca56538dd9138eee
- SSDEEP
  
  6144:PZwh7ML8kaNBWBDsqrlGHvG6mwlS/b2UoJa6SVwLfuy1R1Efatd17kyQQkxy+Tll:PZwhMp1BhxvwlH9a6cUJ1N/dQ/xy+Bl
Score

10^/10

cybergate remote discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Cybergate family

Checks computer location settings

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2