cybergate | 1b69e542f45007ee82d6d06388ce3f281c0c7f405472de8dc5971e77cb4d730b | Triage

Sharing

General

Target

JaffaCakes118_21a44d6d225f5c4ee90226f2b5293de2
Size

421KB
Sample

250223-w9awratraz
MD5

21a44d6d225f5c4ee90226f2b5293de2
SHA1

98791c95d4d02c746008613cd250ca09026ef5a1
SHA256

1b69e542f45007ee82d6d06388ce3f281c0c7f405472de8dc5971e77cb4d730b
SHA512

397fa178f51ec3f04aaf21d178ca93a5d94c763bf020b58e23f6f703d3fa06faf37ad7d42ddb6b295528f51ccf21f29025a5e094f8ccf0ba9056f7d96b02edf4
SSDEEP

6144:Dy4OUsUThYRk8E2bVwR+VLK2ZjVIgLQ6cQ+MUcoDN3wu9NtbUAtKJZ:Dy4XsUTKEF87jVIsQ6sKOZwuvyAtKJZ

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

46.37.180.197:2300

Mutex

M2PUXL8BFYT2U7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Targets

- Target
  
  JaffaCakes118_21a44d6d225f5c4ee90226f2b5293de2
- Size
  
  421KB
- MD5
  
  21a44d6d225f5c4ee90226f2b5293de2
- SHA1
  
  98791c95d4d02c746008613cd250ca09026ef5a1
- SHA256
  
  1b69e542f45007ee82d6d06388ce3f281c0c7f405472de8dc5971e77cb4d730b
- SHA512
  
  397fa178f51ec3f04aaf21d178ca93a5d94c763bf020b58e23f6f703d3fa06faf37ad7d42ddb6b295528f51ccf21f29025a5e094f8ccf0ba9056f7d96b02edf4
- SSDEEP
  
  6144:Dy4OUsUThYRk8E2bVwR+VLK2ZjVIgLQ6cQ+MUcoDN3wu9NtbUAtKJZ:Dy4XsUTKEF87jVIsQ6sKOZwuvyAtKJZ
Score

10^/10

cybergate cyber discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatecyberdiscoverypersistencestealertrojanupx

behavioral2

cybergatecyberdiscoverypersistencestealertrojanupx