cybergate | 4ecb2e7e488377b0ecb3cd4df323c0bebc759ee90b7593dfb4ec8c9fc4139316 | Triage

Submit
Reports

Overview

overview

Static

static

3

18e1e154b2...18.exe

windows7-x64

18e1e154b2...18.exe

windows10-2004-x64

Sharing

General

Target

18e1e154b24d16fe6b026e74f9883126_JaffaCakes118
Size

496KB
Sample

240628-frse3ssfpa
MD5

18e1e154b24d16fe6b026e74f9883126
SHA1

98ada9968b0ccfc38b8ab1d71ff4e4d70e396224
SHA256

4ecb2e7e488377b0ecb3cd4df323c0bebc759ee90b7593dfb4ec8c9fc4139316
SHA512

58cc438d5b9e417e1b70ae487771de99408afa9d41aab2ebbaa6b6c53126af0d71c110baf3bfa1cfe66ab286514e4a2749fc98cf1a93c4afd560a5253b9eac53
SSDEEP

12288:ASHzVaXA6e0NSY+IWhjYjz3F3dbKvVqYRuHqnXrk:qQ6eaR2hjG53dbKNw

Score

10^/10

cybergate tencent evasion persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

18e1e154b24d16fe6b026e74f9883126_JaffaCakes118.exe

Resource

win7-20240221-en

cybergate tencent evasion persistence stealer trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

18e1e154b24d16fe6b026e74f9883126_JaffaCakes118.exe

Resource

win10v2004-20240226-en

cybergate tencent evasion persistence stealer trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Tencent

C2

symeon3melrich.no-ip.org:45010

danielclaudede.dyndns.org:13889

murazawahara.no-ip.info:7070

Mutex

TT43M10GK0G5SB

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
ZBj2

Targets

- Target
  
  18e1e154b24d16fe6b026e74f9883126_JaffaCakes118
- Size
  
  496KB
- MD5
  
  18e1e154b24d16fe6b026e74f9883126
- SHA1
  
  98ada9968b0ccfc38b8ab1d71ff4e4d70e396224
- SHA256
  
  4ecb2e7e488377b0ecb3cd4df323c0bebc759ee90b7593dfb4ec8c9fc4139316
- SHA512
  
  58cc438d5b9e417e1b70ae487771de99408afa9d41aab2ebbaa6b6c53126af0d71c110baf3bfa1cfe66ab286514e4a2749fc98cf1a93c4afd560a5253b9eac53
- SSDEEP
  
  12288:ASHzVaXA6e0NSY+IWhjYjz3F3dbKvVqYRuHqnXrk:qQ6eaR2hjG53dbKNw
Score

10^/10

cybergate tencent evasion persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatetencentevasionpersistencestealertrojanupx

behavioral2

cybergatetencentevasionpersistencestealertrojanupx

© 2018-2024

Terms | Privacy