General

  • Target

    156f1740301681a822aee776e6041d8bea6a8ec8f2da5176964bc52829c61581

  • Size

    1.8MB

  • Sample

    220222-t4ydrabba5

  • MD5

    092edda9d23a2641024199cfe439d195

  • SHA1

    e52250b3534452ae30b4150f1807c410300e7a53

  • SHA256

    156f1740301681a822aee776e6041d8bea6a8ec8f2da5176964bc52829c61581

  • SHA512

    86ffd4d8f93cf891ccc43686702f5ccae8c72e64305401e7a46ceacc567fffcf298a1f65591b85499caba2cddae62e01021bee3ab86cabd68c1713760435524e

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtps.bol.com.br
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    kelisson123

Extracted

Family

cybergate

Version

v1.02.1

Botnet

server

C2

macacolouco3059.ddns.net:50

Mutex

Pluguin

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    explorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.

  • message_box_title

    LAMMER

  • password

    0050

  • regkey_hkcu

    Avirnt

  • regkey_hklm

    Avgnt

Extracted

Family

njrat

Version

0.6.4

Botnet

loja

C2

macacolouco3059.ddns.net:3059

Mutex

b375d923c230947f4a1ad96e9215116e

Attributes
  • reg_key

    b375d923c230947f4a1ad96e9215116e

  • splitter

    |'|'|

Targets

    • Target

      156f1740301681a822aee776e6041d8bea6a8ec8f2da5176964bc52829c61581

    • Size

      1.8MB

    • MD5

      092edda9d23a2641024199cfe439d195

    • SHA1

      e52250b3534452ae30b4150f1807c410300e7a53

    • SHA256

      156f1740301681a822aee776e6041d8bea6a8ec8f2da5176964bc52829c61581

    • SHA512

      86ffd4d8f93cf891ccc43686702f5ccae8c72e64305401e7a46ceacc567fffcf298a1f65591b85499caba2cddae62e01021bee3ab86cabd68c1713760435524e

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks