cybergate | 95f066a28885fefe5e32d4235b5b9909090d4d1613ea99ffe252ec9298dda8df | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

kanald4643.exe

windows7-x64

kanald4643.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_65dbe1ff4432feff6383f08beeefe081
Size

414KB
Sample

250311-r96afawkw9
MD5

65dbe1ff4432feff6383f08beeefe081
SHA1

1f992ea91f53d6928660e28bab0be82763019026
SHA256

95f066a28885fefe5e32d4235b5b9909090d4d1613ea99ffe252ec9298dda8df
SHA512

81119949eea2ef976de50e84e67a73340487bbe0547cb1dcbf5e69649a5ad7720a5fec1c777fc9a359d583e649d745c05238cf33df93850c46ae083d5595920b
SSDEEP

12288:jRXUbXIZ2S/UMHsHbk+0eRCPlgKjYViXCo+J:jRXUzIw4so+0NlgK8CZ+J

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

kanald4643.exe

Resource

win7-20240903-en

cybergate remote discovery persistence stealer trojan upx

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

kanald4643.exe

Resource

win10v2004-20250217-en

cybergate remote discovery persistence stealer trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

127.0.0.1:81

coderz.no-ip.biz:81

Mutex

VDR311B46N3Y3D

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Systems
install_file
system35.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Belirtilen modül bulunamadý.
message_box_title
Java (TM)
password
beyzade
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  kanald4643.exe
- Size
  
  470KB
- MD5
  
  ef5713b392e8af72f60431d5dcf26d15
- SHA1
  
  bcbf5a903301c14298c30a6892a22a4e63aac5ce
- SHA256
  
  21648e88530bd1f5d7b91f7c4118151e129eeefd09704c97621bc80031c376af
- SHA512
  
  dd362ed3ef931ed96378726956e8806bcb400fca2935f73e4be67614dbecce0e24b3e893b42413c16d6ed3dc92869dec81dbd6c89272a3351745ddb70b57811d
- SSDEEP
  
  12288:HTxqLbYg6TXPAk/ONr5Aa+KqdMdYFQ19P:zxqLMgJx5AlKqONP
Score

10^/10

cybergate remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotediscoverypersistencestealertrojanupx

behavioral2

cybergateremotediscoverypersistencestealertrojanupx

© 2018-2025

Terms | Privacy