cybergate | 66f7991f4ee4eac331a912547b9cb75f97db97c6c36ccc9dc6a851f3cdf3bd2d

General

Target

18b7a8fd6df2ed2d49d14c905e026710_JaffaCakes118
Size

474KB
Sample

240628-enjhbszgjg
MD5

18b7a8fd6df2ed2d49d14c905e026710
SHA1

6a12e3058fc0579660e949cf157602dc6a9356e3
SHA256

66f7991f4ee4eac331a912547b9cb75f97db97c6c36ccc9dc6a851f3cdf3bd2d
SHA512

79fb82a6e05efd7dc9af21cb0e540fe337956aca7fddb928362a82b8a655a3688fdc442f86b5312f7494fac5b11f28f631174b176d1a5e1168dbdf30b18fc1e5
SSDEEP

12288:gpMcchY2ZSPRtK/8jpPq8Fw9RssOg5DP5R0AzWNqoc:GqhY2QPm/gpPq8y5OMVrnV

Score

10^/10

Malware Config

Extracted

Family

cybergate

Botnet

TRUE

C2

ÝØðÕÞÎÝÎÅý¼¼ûÙÈìÎÓßýØØÎÙÏÏ¼¼êÕÎÈÉÝÐìÎÓÈÙßÈ¼¼êÕÎÈÉÝÐýÐÐÓß¼¼êÕÎÈÉÝÐúÎÙÙ¼¼¼ùÄÕÈìÎÓßÙÏÏ¼¼¼ðÏÝÿÐÓÏÙ¼¼ÿÎÅÌÈéÒÌÎÓÈÙßÈøÝÈÝ¼¼ÿÓèÝÏ×ñÙÑúÎÙÙ¼¼¼ïÅÏúÎÙÙïÈÎÕÒÛ¼¼¼ìïÈÓÎÙÿÎÙÝÈÙõÒÏÈÝÒßÙ¼¼îÝÏùÒÉÑùÒÈÎÕÙÏý¼¼¼ïôûÙÈïÌÙßÕÝÐúÓÐØÙÎìÝÈÔý¼¼¼èÓýÏßÕÕ¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼J28}

HKLM

HKCU

FALSE

16

0

título da mensagem

texto da mensagem

TRUE

ftp.server.com

./logs/

ftp_user

ª÷Öº+Þ

21

30

Mutex

Attributes

enable_keylogger
false
enable_message_box
false
install_dir
TRUE
install_file
TRUE
install_flag
true
keylogger_enable_ftp
false
message_box_caption
TRUE
message_box_title
TRUE
password
TRUE
regkey_hkcu
TRUE
regkey_hklm
TRUE

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

b-7rb.no-ip.biz:99

turrrki.no-ip.biz:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  18b7a8fd6df2ed2d49d14c905e026710_JaffaCakes118
- Size
  
  474KB
- MD5
  
  18b7a8fd6df2ed2d49d14c905e026710
- SHA1
  
  6a12e3058fc0579660e949cf157602dc6a9356e3
- SHA256
  
  66f7991f4ee4eac331a912547b9cb75f97db97c6c36ccc9dc6a851f3cdf3bd2d
- SHA512
  
  79fb82a6e05efd7dc9af21cb0e540fe337956aca7fddb928362a82b8a655a3688fdc442f86b5312f7494fac5b11f28f631174b176d1a5e1168dbdf30b18fc1e5
- SSDEEP
  
  12288:gpMcchY2ZSPRtK/8jpPq8Fw9RssOg5DP5R0AzWNqoc:GqhY2QPm/gpPq8y5OMVrnV
Score

10^/10

cybergate vítima persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2