cybergate | aeb3210f44cdbff0608652e9f1b1efa70f5ca8a261cc977c37ab7a171cef3dc2 | Triage

Submit
Reports

Overview

overview

Static

static

0cb116e2ca...18.exe

windows7-x64

0cb116e2ca...18.exe

windows10-2004-x64

Sharing

General

Target

0cb116e2ca4cf9f83e14e96e2416ac17_JaffaCakes118
Size

335KB
Sample

240625-fq43gssanf
MD5

0cb116e2ca4cf9f83e14e96e2416ac17
SHA1

7064e6b1202478c2ed2b0a19bc8c5155850945bc
SHA256

aeb3210f44cdbff0608652e9f1b1efa70f5ca8a261cc977c37ab7a171cef3dc2
SHA512

bed8d32cb2402a5e1d17e49d7021fe1f22be65ad7e574bec82a85525b35b91fc4c726c4772425d2357e2b51331e8583b12fbad8cadf40bff7d74e2a5a98e8ea0
SSDEEP

6144:OtOpslehdBCkWYxuukP1pjSKSNVkq/MVJbFI4:IwsleTBd47GLRMTb

Score

10^/10

cybergate 0 persistence stealer trojan upx

Static task

static1

upx 0 cybergate

3 signatures

Behavioral task

behavioral1

Sample

0cb116e2ca4cf9f83e14e96e2416ac17_JaffaCakes118.exe

Resource

win7-20231129-en

cybergate 0 persistence stealer trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

0cb116e2ca4cf9f83e14e96e2416ac17_JaffaCakes118.exe

Resource

win10v2004-20240508-en

cybergate 0 persistence stealer trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

0

C2

atomcosmos.no-ip.biz:100

Mutex

32F4J11P4BCL7Q

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
dwn.exe
install_flag
true
keylogger_enable_ftp
false
password
icePOWER
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  0cb116e2ca4cf9f83e14e96e2416ac17_JaffaCakes118
- Size
  
  335KB
- MD5
  
  0cb116e2ca4cf9f83e14e96e2416ac17
- SHA1
  
  7064e6b1202478c2ed2b0a19bc8c5155850945bc
- SHA256
  
  aeb3210f44cdbff0608652e9f1b1efa70f5ca8a261cc977c37ab7a171cef3dc2
- SHA512
  
  bed8d32cb2402a5e1d17e49d7021fe1f22be65ad7e574bec82a85525b35b91fc4c726c4772425d2357e2b51331e8583b12fbad8cadf40bff7d74e2a5a98e8ea0
- SSDEEP
  
  6144:OtOpslehdBCkWYxuukP1pjSKSNVkq/MVJbFI4:IwsleTBd47GLRMTb
Score

10^/10

cybergate 0 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergate0persistencestealertrojanupx

behavioral2

cybergate0persistencestealertrojanupx

© 2018-2024

Terms | Privacy