cybergate | 61ab050d2aacdf082ba4e83189f35574a3d87e6f93f9fffcbd273c9ec375fb08 | Triage

Submit
Reports

Overview

overview

Static

static

3

191a51c7ea...18.exe

windows7-x64

191a51c7ea...18.exe

windows10-2004-x64

Sharing

General

Target

191a51c7ea05c957f06eb645a5a25091_JaffaCakes118
Size

328KB
Sample

240628-g53cwavgmh
MD5

191a51c7ea05c957f06eb645a5a25091
SHA1

79e9847191d9cc98783dbae86d135fcc47a329bb
SHA256

61ab050d2aacdf082ba4e83189f35574a3d87e6f93f9fffcbd273c9ec375fb08
SHA512

7d8d8bb177cfd32ed9c4e743e404dd1b101d79439087729e04bf362c400cba46530eeb8d81bd2929445943d6ae7446ae4eba0f871603edb591667695c4738f81
SSDEEP

6144:PzCYvnJC1idbeY+rhufgik9F457ayqgpsk60YbNBU6YYts1mtZQSCX+JZs4fGYIn:PfvJC1qbahufgp45WbWsk60CBFYYtdDY

Score

10^/10

cybergate vítima persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

191a51c7ea05c957f06eb645a5a25091_JaffaCakes118.exe

Resource

win7-20240508-en

cybergate vítima persistence stealer trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

191a51c7ea05c957f06eb645a5a25091_JaffaCakes118.exe

Resource

win10v2004-20240508-en

cybergate vítima persistence stealer trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

hellrosa10.no-ip.org:666

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Servis
install_file
WinServices.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Targets

- Target
  
  191a51c7ea05c957f06eb645a5a25091_JaffaCakes118
- Size
  
  328KB
- MD5
  
  191a51c7ea05c957f06eb645a5a25091
- SHA1
  
  79e9847191d9cc98783dbae86d135fcc47a329bb
- SHA256
  
  61ab050d2aacdf082ba4e83189f35574a3d87e6f93f9fffcbd273c9ec375fb08
- SHA512
  
  7d8d8bb177cfd32ed9c4e743e404dd1b101d79439087729e04bf362c400cba46530eeb8d81bd2929445943d6ae7446ae4eba0f871603edb591667695c4738f81
- SSDEEP
  
  6144:PzCYvnJC1idbeY+rhufgik9F457ayqgpsk60YbNBU6YYts1mtZQSCX+JZs4fGYIn:PfvJC1qbahufgp45WbWsk60CBFYYtdDY
Score

10^/10

cybergate vítima persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatevítimapersistencestealertrojanupx

behavioral2

cybergatevítimapersistencestealertrojanupx

© 2018-2024

Terms | Privacy