cybergate | a5a60f924ee701ce356037a1a6ee84d71c20e4112c297d57511cec87c7734674 | Triage

Sharing

General

Target

JaffaCakes118_852598c087b93a500d4b2b7df1a06a17
Size

380KB
Sample

250321-3jlznaszgy
MD5

852598c087b93a500d4b2b7df1a06a17
SHA1

3b2d01c381fb4a7097f4b7e354194f2d46644cb4
SHA256

a5a60f924ee701ce356037a1a6ee84d71c20e4112c297d57511cec87c7734674
SHA512

949954308ca224d0d7f779669e9035372a167470fb57069870ccfb0d9155ed1c265fcd8d19fea7d1f4d3c7b58a5cf6f3f9b1f72c192c04fce1f772c49ee77c79
SSDEEP

6144:bF3z7Ls3CwM+kBDl7VXKaH2AoQZbGQ2MG+33zO3kYgOf/DrF7IRqo2SuCToWUG+t:5jSCwM+yJ7p1/LxzO3kWrF73KUoz

Score

10^/10

cybergate cybergate discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cybergate

C2

panteravt.no-ip.org:82

Mutex

E3B65X37H270YP

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./My Documents/
ftp_interval
15
ftp_password
pantera
ftp_port
21
ftp_server
ftp.drivehq.com
ftp_username
panteravt
injected_process
explorer.exe
install_dir
Winlog
install_file
cybergate.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
admin

Targets

- Target
  
  JaffaCakes118_852598c087b93a500d4b2b7df1a06a17
- Size
  
  380KB
- MD5
  
  852598c087b93a500d4b2b7df1a06a17
- SHA1
  
  3b2d01c381fb4a7097f4b7e354194f2d46644cb4
- SHA256
  
  a5a60f924ee701ce356037a1a6ee84d71c20e4112c297d57511cec87c7734674
- SHA512
  
  949954308ca224d0d7f779669e9035372a167470fb57069870ccfb0d9155ed1c265fcd8d19fea7d1f4d3c7b58a5cf6f3f9b1f72c192c04fce1f772c49ee77c79
- SSDEEP
  
  6144:bF3z7Ls3CwM+kBDl7VXKaH2AoQZbGQ2MG+33zO3kYgOf/DrF7IRqo2SuCToWUG+t:5jSCwM+yJ7p1/LxzO3kWrF73KUoz
Score

10^/10

cybergate cybergate discovery persistence stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatecybergatediscoverypersistencestealertrojan

behavioral2