cybergate | f6de350a5105b2a50e65307c5b905a8d44828e5c85c1792a23681107c2a1e19e

General

Target

JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb
Size

2.4MB
Sample

250124-vdrnyszkep
MD5

237e4f4bb75b4cab5abf054d61a5f8cb
SHA1

b0d95494681c03870f3dc0bf1b0e5b4c1de8f4f9
SHA256

f6de350a5105b2a50e65307c5b905a8d44828e5c85c1792a23681107c2a1e19e
SHA512

a7f5c7e08786307c7f9b0d59c58820c7fdef9a4769f2eb35d5e9bd0bc2ae780d8a7d3686de0f75f242fef0393b797359591592f2ec28c8569e90041ad6b803d4
SSDEEP

49152:kXXWX/AZS2qy3EM9EBn98WDhj9k0Hj6fNQeevvzXkHGgYXwUhzdSO3cbt:kXeA8zy3D967l/6FQeorXWGgswizdrch

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

sdsf1123.no-ip.biz:1338

Mutex

I44K6V861PQW8A

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Engine
install_file
iexplore.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb
- Size
  
  2.4MB
- MD5
  
  237e4f4bb75b4cab5abf054d61a5f8cb
- SHA1
  
  b0d95494681c03870f3dc0bf1b0e5b4c1de8f4f9
- SHA256
  
  f6de350a5105b2a50e65307c5b905a8d44828e5c85c1792a23681107c2a1e19e
- SHA512
  
  a7f5c7e08786307c7f9b0d59c58820c7fdef9a4769f2eb35d5e9bd0bc2ae780d8a7d3686de0f75f242fef0393b797359591592f2ec28c8569e90041ad6b803d4
- SSDEEP
  
  49152:kXXWX/AZS2qy3EM9EBn98WDhj9k0Hj6fNQeevvzXkHGgYXwUhzdSO3cbt:kXeA8zy3D967l/6FQeorXWGgswizdrch
Score

10^/10

cybergate darkcomet remote discovery persistence rat stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2