cybergate | 93088347332df3ac34eb4a8208d298c93c2297f3dfe79aff95e8e925088f842d | Triage

Submit
Reports

Overview

overview

Static

static

3

1a4f84fae2...18.exe

windows7-x64

1a4f84fae2...18.exe

windows10-2004-x64

Sharing

General

Target

1a4f84fae2b20c9d4363eafbd3542948_JaffaCakes118
Size

336KB
Sample

240628-qtft6ssbne
MD5

1a4f84fae2b20c9d4363eafbd3542948
SHA1

ec298a903b2246389117797f8e2fc81685350b59
SHA256

93088347332df3ac34eb4a8208d298c93c2297f3dfe79aff95e8e925088f842d
SHA512

95ebfca98198ca9a2969c4ef13d77a8a1c554af8c9e563be98e50a33f43f8213e7284f0aa17e362693dfa5a0b54938d06236659c97cd61e14c8f9685355bf833
SSDEEP

6144:RuRmpYv7drjs0q7jHQnOfRrboaqKfxsrsHMkC825XqWgYN+awAiUangZOG5K8m:sRls0qvcEcXczHTKXqWgAwLngB5rm

Score

10^/10

cybergate [email protected]persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1a4f84fae2b20c9d4363eafbd3542948_JaffaCakes118.exe

Resource

win7-20240508-en

cybergate [email protected]persistence stealer trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

1a4f84fae2b20c9d4363eafbd3542948_JaffaCakes118.exe

Resource

win10v2004-20240611-en

cybergate persistence stealer trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

[email protected]

C2

lollies.zapto.org:82

Mutex

645L4XJ0PD1430

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
bananas
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  1a4f84fae2b20c9d4363eafbd3542948_JaffaCakes118
- Size
  
  336KB
- MD5
  
  1a4f84fae2b20c9d4363eafbd3542948
- SHA1
  
  ec298a903b2246389117797f8e2fc81685350b59
- SHA256
  
  93088347332df3ac34eb4a8208d298c93c2297f3dfe79aff95e8e925088f842d
- SHA512
  
  95ebfca98198ca9a2969c4ef13d77a8a1c554af8c9e563be98e50a33f43f8213e7284f0aa17e362693dfa5a0b54938d06236659c97cd61e14c8f9685355bf833
- SSDEEP
  
  6144:RuRmpYv7drjs0q7jHQnOfRrboaqKfxsrsHMkC825XqWgYN+awAiUangZOG5K8m:sRls0qvcEcXczHTKXqWgAwLngB5rm
Score

10^/10

cybergate [email protected]persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergate[email protected]persistencestealertrojanupx

behavioral2

cybergatepersistencestealertrojanupx

© 2018-2024

Terms | Privacy