cybergate | beb354e2290d3f9d70916ea811e43422400dc79207d3db25925e514e85bca8c5 | Triage

Submit
Reports

Overview

overview

Static

static

7

19e504ada9...18.exe

windows7-x64

19e504ada9...18.exe

windows10-2004-x64

Sharing

General

Target

19e504ada9fcd470e3c8ae519fbfd055_JaffaCakes118
Size

344KB
Sample

240628-m85kaswejb
MD5

19e504ada9fcd470e3c8ae519fbfd055
SHA1

e1589c21c3cb2b87e3145e14a58bfbc664ee756b
SHA256

beb354e2290d3f9d70916ea811e43422400dc79207d3db25925e514e85bca8c5
SHA512

474d0ddcbcf30d571e2b1a10fd81fa859c05cac55fa143307de54d5f4c28cddcf678c7bb3efa543067717c08e5af5e98bdf23d9dde9ab0907467d9d14941b1d1
SSDEEP

6144:QUgPai+oC8EbEnbDmwQ0uTIi+5GlIzYrQf2SuPWOzL9PtEOW4hlODqCNLFuJgyqw:6CiEEbq0b55AIz+QflMBLTE0hlkhFSgM

Score

10^/10

cybergate -nisan persistence stealer trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

19e504ada9fcd470e3c8ae519fbfd055_JaffaCakes118.exe

Resource

win7-20240220-en

cybergate -nisan persistence stealer trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

19e504ada9fcd470e3c8ae519fbfd055_JaffaCakes118.exe

Resource

win10v2004-20240508-en

cybergate -nisan persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

-NisaN

C2

127.0.0.1:81

xradar.no-ip.org:81

barulay1.zapto.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
install
install_file
winst.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  19e504ada9fcd470e3c8ae519fbfd055_JaffaCakes118
- Size
  
  344KB
- MD5
  
  19e504ada9fcd470e3c8ae519fbfd055
- SHA1
  
  e1589c21c3cb2b87e3145e14a58bfbc664ee756b
- SHA256
  
  beb354e2290d3f9d70916ea811e43422400dc79207d3db25925e514e85bca8c5
- SHA512
  
  474d0ddcbcf30d571e2b1a10fd81fa859c05cac55fa143307de54d5f4c28cddcf678c7bb3efa543067717c08e5af5e98bdf23d9dde9ab0907467d9d14941b1d1
- SSDEEP
  
  6144:QUgPai+oC8EbEnbDmwQ0uTIi+5GlIzYrQf2SuPWOzL9PtEOW4hlODqCNLFuJgyqw:6CiEEbq0b55AIz+QflMBLTE0hlkhFSgM
Score

10^/10

cybergate -nisan persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergate-nisanpersistencestealertrojanupx

behavioral2

cybergate-nisanpersistencestealertrojanupx

© 2018-2024

Terms | Privacy