cybergate | 20e67cabd1880e55430b1d008e96534d81b65bf6b90125cc171a4994754f8e33

General

Target

JaffaCakes118_1d1415bc957c510f11c9166328a4a368
Size

2.1MB
Sample

250124-crkhpavlbx
MD5

1d1415bc957c510f11c9166328a4a368
SHA1

6e0b5ad5a5e1877dcb0c783de2ff5cdcdbd6390b
SHA256

20e67cabd1880e55430b1d008e96534d81b65bf6b90125cc171a4994754f8e33
SHA512

7d28518efea06b677d1f4428082d8b8b8bf468b9714d7be8a7f6e1d19c05e91823c143b34e2a69c4db16f7eee83c8676d59fd434f026fa5f31ad4d9d362fc24c
SSDEEP

49152:SGJ9F3aLD2ja2wlGuC86k4lxGt5Dq+FgbaplOuH+VugHFfU2UcwC:dJ6nIlk4TGdgc5HqfU2UjC

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

as2622.zapto.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
Win_Xp.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Please try again later.
message_box_title
Error
password
abcd1234

Targets

- Target
  
  SpyNet.exe
- Size
  
  1.9MB
- MD5
  
  5c664bb7c9e941ce733578c523fde300
- SHA1
  
  4c4d79c0c10280584a87cbe08d88654b0dc3f9be
- SHA256
  
  2af2016b07434db1f0571a5116fcd97228ee7c1e9d86a17ad3806e0f163b79f0
- SHA512
  
  0be11b4c2da13e46a2634d4912eb0132cdc64b4d32fed230e0f663de0431f5a115b571925baa842b2b43dc220e1a0a6e4f5af6b77fe72bd22f4e480dbfc13406
- SSDEEP
  
  49152:h5ykdSag7jT4PCSfjb75AVXUXdXAygTlOuBRiyAiK:h5yQE2Lb7qIAdx5BJAV
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  file.exe
- Size
  
  284KB
- MD5
  
  3bdd018ec772915afdc1fb5d33fcd9b3
- SHA1
  
  5e520d8e84c87ef0e64265dee34e7eb91f6e1943
- SHA256
  
  0447bc3dd86801fb3c87eb4da7c6280db083450317bfabf7db094fd00225820c
- SHA512
  
  b058e9b6764d969265af29386afa7e7abcbe1c2bcc0d67ef8bc0ba8ba708b5d063ebd4e23fc1ab1eff26753a3aaa2462e2b3281d409e780c125e22d76c40e4be
- SSDEEP
  
  6144:/k4qm2AXy7uKAsotZr6Q0OTizhdszxiPasj4PpARHFE:M9b0Zv/TeDHsCa2g
Score

10^/10

cybergate öííé discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4