cybergate | f8abbc89666668301e373cd5c0accc360ba7914f10632e5d4e356f89cfb9c44e | Triage

Submit
Reports

Overview

overview

Static

static

7

0e893572ab...18.exe

windows7-x64

0e893572ab...18.exe

windows10-2004-x64

Sharing

General

Target

0e893572ab2b8938efaa947fdca8751d_JaffaCakes118
Size

737KB
Sample

240625-slsvwaxclc
MD5

0e893572ab2b8938efaa947fdca8751d
SHA1

b9d28b19f4e3034404a7c03812bee4e8c507a1bf
SHA256

f8abbc89666668301e373cd5c0accc360ba7914f10632e5d4e356f89cfb9c44e
SHA512

928d7d1f2495fac04c6039ebfa8b388749147f1e63bf57c2436e4ddeb131eceddaf9a9a6a06fcb5d86ad65126216f73d03565539d6dc6a04653ea09f0c53f171
SSDEEP

12288:H0v+hLuj9PElC5J2p7mLPhJx0PcybY31YBrrtSmg9NL5/QE/nI3sDvoD3WJ:H0v+FueiBpJCRTBrrtSxLL5ooI0AD3o

Score

10^/10

cybergate vítima aspackv2 persistence stealer trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

0e893572ab2b8938efaa947fdca8751d_JaffaCakes118.exe

Resource

win7-20240221-en

cybergate vítima aspackv2 persistence stealer trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

0e893572ab2b8938efaa947fdca8751d_JaffaCakes118.exe

Resource

win10v2004-20240508-en

cybergate vítima aspackv2 persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

hackerstyler.no-ip.biz:81

192.168.1.75:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Chrome
install_file
chrome.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456
regkey_hkcu
chrome
regkey_hklm
chrome

Targets

- Target
  
  0e893572ab2b8938efaa947fdca8751d_JaffaCakes118
- Size
  
  737KB
- MD5
  
  0e893572ab2b8938efaa947fdca8751d
- SHA1
  
  b9d28b19f4e3034404a7c03812bee4e8c507a1bf
- SHA256
  
  f8abbc89666668301e373cd5c0accc360ba7914f10632e5d4e356f89cfb9c44e
- SHA512
  
  928d7d1f2495fac04c6039ebfa8b388749147f1e63bf57c2436e4ddeb131eceddaf9a9a6a06fcb5d86ad65126216f73d03565539d6dc6a04653ea09f0c53f171
- SSDEEP
  
  12288:H0v+hLuj9PElC5J2p7mLPhJx0PcybY31YBrrtSmg9NL5/QE/nI3sDvoD3WJ:H0v+FueiBpJCRTBrrtSxLL5ooI0AD3o
Score

10^/10

cybergate vítima aspackv2 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatevítimaaspackv2persistencestealertrojanupx

behavioral2

cybergatevítimaaspackv2persistencestealertrojanupx

© 2018-2024

Terms | Privacy