cybergate | 443683ba27975d6d8121be7f1d7682fef75b5d001611fbd4921855d8dfcda555 | Triage

Submit
Reports

Overview

overview

Static

static

3

291eb6e24c...18.exe

windows7-x64

291eb6e24c...18.exe

windows10-2004-x64

Sharing

General

Target

291eb6e24cef3e84f827627717f55ad6_JaffaCakes118
Size

530KB
Sample

240706-wqqsvsyanq
MD5

291eb6e24cef3e84f827627717f55ad6
SHA1

88504050a0262e1535eb80910bc67212c5f5b171
SHA256

443683ba27975d6d8121be7f1d7682fef75b5d001611fbd4921855d8dfcda555
SHA512

2cd778222d30eca2c766b6eed0b242908a831d41738f4195b3e04ebf99f60f3227635ef1f691ebbe871a0ceb0cf8bc33041956fc10e16373a2720321caa25065
SSDEEP

12288:cXVSFPW7C2aATg9grNlF+31Z3d4vo8FU/GQx8Qb7Xp5COcY2nlhy:SSB+lN869Cj3Qo8Fgxvb758OPaA

Score

10^/10

cybergate remote persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

291eb6e24cef3e84f827627717f55ad6_JaffaCakes118.exe

Resource

win7-20240220-en

cybergate remote persistence stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

291eb6e24cef3e84f827627717f55ad6_JaffaCakes118.exe

Resource

win10v2004-20240704-en

cybergate remote persistence stealer trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.20.10

Botnet

remote

C2

asushack9424.no-ip.org:83

Mutex

6U58OW8U1L0WE2

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
Microupdate.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Error 5212a34 Please contact your local Administrator to acess this file
message_box_title
Microsoft/win32
password
lolada
regkey_hkcu
MICROSOFT
regkey_hklm
MICROSOFT

Targets

- Target
  
  291eb6e24cef3e84f827627717f55ad6_JaffaCakes118
- Size
  
  530KB
- MD5
  
  291eb6e24cef3e84f827627717f55ad6
- SHA1
  
  88504050a0262e1535eb80910bc67212c5f5b171
- SHA256
  
  443683ba27975d6d8121be7f1d7682fef75b5d001611fbd4921855d8dfcda555
- SHA512
  
  2cd778222d30eca2c766b6eed0b242908a831d41738f4195b3e04ebf99f60f3227635ef1f691ebbe871a0ceb0cf8bc33041956fc10e16373a2720321caa25065
- SSDEEP
  
  12288:cXVSFPW7C2aATg9grNlF+31Z3d4vo8FU/GQx8Qb7Xp5COcY2nlhy:SSB+lN869Cj3Qo8Fgxvb758OPaA
Score

10^/10

cybergate remote persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergateremotepersistencestealertrojan

behavioral2

cybergateremotepersistencestealertrojanupx

© 2018-2024

Terms | Privacy