cybergate | 8fa6f064bb8a69f01fc5e7cf99e9839bced6d0c48aeba6d585d6005299df5d63 | Triage

Submit
Reports

Overview

overview

Static

static

3

22cc883e40...18.exe

windows7-x64

22cc883e40...18.exe

windows10-2004-x64

Sharing

General

Target

22cc883e40dfff829de3a3c102c03296_JaffaCakes118
Size

707KB
Sample

240703-sk9r1awarm
MD5

22cc883e40dfff829de3a3c102c03296
SHA1

0e7cf3b95ac4dad296a8913d92b84c1ea404a8ce
SHA256

8fa6f064bb8a69f01fc5e7cf99e9839bced6d0c48aeba6d585d6005299df5d63
SHA512

4ca4d4eb7537902327e736631324c029efe21f137bb54c02ea8681d71d586c3b5e483dc2c4da1c29403a03e890257f681d7d2053b9e5a8a9c86e31019167ecc1
SSDEEP

12288:lCic850dZQm5F2olhhiuTsewTg8inGIjNFr43O93Yai5mrQsmy:6859m5FDlhhjfyg1BjqeoYrQfy

Score

10^/10

cybergate vítima persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

22cc883e40dfff829de3a3c102c03296_JaffaCakes118.exe

Resource

win7-20240221-en

cybergate vítima persistence stealer trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

22cc883e40dfff829de3a3c102c03296_JaffaCakes118.exe

Resource

win10v2004-20240508-en

cybergate vítima persistence stealer trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

fadit.no-ip.biz:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
sys.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
FAILID DLL
message_box_title
ERROR
password
abcd1234

Targets

- Target
  
  22cc883e40dfff829de3a3c102c03296_JaffaCakes118
- Size
  
  707KB
- MD5
  
  22cc883e40dfff829de3a3c102c03296
- SHA1
  
  0e7cf3b95ac4dad296a8913d92b84c1ea404a8ce
- SHA256
  
  8fa6f064bb8a69f01fc5e7cf99e9839bced6d0c48aeba6d585d6005299df5d63
- SHA512
  
  4ca4d4eb7537902327e736631324c029efe21f137bb54c02ea8681d71d586c3b5e483dc2c4da1c29403a03e890257f681d7d2053b9e5a8a9c86e31019167ecc1
- SSDEEP
  
  12288:lCic850dZQm5F2olhhiuTsewTg8inGIjNFr43O93Yai5mrQsmy:6859m5FDlhhjfyg1BjqeoYrQfy
Score

10^/10

cybergate vítima persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatevítimapersistencestealertrojanupx

behavioral2

cybergatevítimapersistencestealertrojanupx

© 2018-2024

Terms | Privacy