cybergate | 4f1457eeef37ab3ae11616a597a48a68769248bac288eac9afcf69c3386aa26d

General

Target

JaffaCakes118_3eb5916ae45b3e4d999008a9604645e5
Size

681KB
Sample

250127-mntx3avrfr
MD5

3eb5916ae45b3e4d999008a9604645e5
SHA1

9e483101b6c79f33dedd44f17a5d50e3417b62d3
SHA256

4f1457eeef37ab3ae11616a597a48a68769248bac288eac9afcf69c3386aa26d
SHA512

731d0cc3e3c6b72f9e0f29f0a52a499ad55c856fb49aed51ed456a3c9c360db5725d4e0366052d73c60d45dbeff8f0831b0883808cea347ee446dcceedf572ad
SSDEEP

12288:1rNCav4fk1J2mhvBSgW80t4YrgBd0+R7rjDgIrcpJZDo+S6zGJ2AE:/vWkKm2god2V7rnzrcBDvLGB

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Pawned

C2

127.0.0.1:35000

Mutex

706C51RU0567RI

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
5
injected_process
explorer.exe
install_dir
winupdt
install_file
winupdt.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
Loly3ah
regkey_hkcu
winupdt

Targets

- Target
  
  JaffaCakes118_3eb5916ae45b3e4d999008a9604645e5
- Size
  
  681KB
- MD5
  
  3eb5916ae45b3e4d999008a9604645e5
- SHA1
  
  9e483101b6c79f33dedd44f17a5d50e3417b62d3
- SHA256
  
  4f1457eeef37ab3ae11616a597a48a68769248bac288eac9afcf69c3386aa26d
- SHA512
  
  731d0cc3e3c6b72f9e0f29f0a52a499ad55c856fb49aed51ed456a3c9c360db5725d4e0366052d73c60d45dbeff8f0831b0883808cea347ee446dcceedf572ad
- SSDEEP
  
  12288:1rNCav4fk1J2mhvBSgW80t4YrgBd0+R7rjDgIrcpJZDo+S6zGJ2AE:/vWkKm2god2V7rnzrcBDvLGB
Score

10^/10

cybergate pawned discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Cybergate family

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2