General

  • Target

    54dc63c41b193c64eac32a6b324d9077c06f28144a7120e840f0ba05040d5ab0

  • Size

    1.1MB

  • Sample

    220427-vrz79aede5

  • MD5

    e45a703cfef28c84e879fb396280c47e

  • SHA1

    a51b865a243996064b28ef030b8c4452da88c28b

  • SHA256

    54dc63c41b193c64eac32a6b324d9077c06f28144a7120e840f0ba05040d5ab0

  • SHA512

    9c883fcda503d3b1d18d6840e4025a41fca1f2d544c0405e5200547d49e2aaa138f2bca6be2b951c2acbd218fb45f1b1845f82441ba61cf7e2061bcc5bb75298

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.7 Final

  • Botnet

    victime

  • C2

    spypa.no-ip.org:114 (dynamic DNS host on a non-standard port; resolve it at detonation time rather than pinning a single IP)

  • Mutex

    ***MUTEX*** (the CyberGate builder's default value, so it identifies the family rather than this particular build)

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    update.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem (Portuguese: "message text"; placeholder left at its default, and enable_message_box is false so it is never shown)

  • message_box_title

    título da mensagem (Portuguese: "message title"; placeholder left at its default)

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
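The extracted configuration above is already a set of indicators: a C2 host and port, a mutex name, an install directory and file name, and an injection target. The Python below is an added example (not part of the sandbox report or of CyberGate) that turns those values into matching logic and runs it over constructed, Sysmon-like telemetry. The event format, the persistence registry paths and the sample events are assumptions; the on-disk install location of this sample is not stated on this page, so the constructed path is illustrative only.

```python
"""Derive host/network indicators from the CyberGate config on this page
and check constructed telemetry against them.  Added example; the event
schema is a simplified Sysmon-like dict (an assumption, not a real format)."""

import re

# Values copied from the extracted config on this page.
CONFIG = {
    "c2": "spypa.no-ip.org:114",
    "mutex": "***MUTEX***",
    "install_dir": "install",
    "install_file": "update.exe",
    "injected_process": "explorer.exe",
}

# Generic Windows autostart locations that the report's persistence
# signatures refer to (not taken from this sample's config), lowercase.
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\active setup\installed components",
)


def indicators(cfg):
    """Normalise the config into things that can be compared against events."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        # install_dir\install_file as the trailing fragment of a path,
        # independent of the parent directory (which this page does not state)
        "install_path_re": re.compile(
            r"[\\/]" + re.escape(cfg["install_dir"]) + r"[\\/]"
            + re.escape(cfg["install_file"]) + r"$", re.IGNORECASE),
        "injected_process": cfg["injected_process"].lower(),
    }


def match_event(ev, ioc):
    """Return the list of reasons this event matches; empty if none."""
    hits = []
    t = ev["type"]
    if t == "dns" and ev["query"].lower() == ioc["c2_host"]:
        hits.append("dns query for C2 host")
    if t == "net" and ev["dst_host"].lower() == ioc["c2_host"] and ev["dst_port"] == ioc["c2_port"]:
        hits.append("connection to C2 host:port")
    if t == "mutex" and ev["name"] == ioc["mutex"]:
        hits.append("CyberGate default mutex")
    if t == "reg_set":
        key = ev["key"].lower()
        if any(k in key for k in RUN_KEYS) and ioc["install_path_re"].search(ev["data"]):
            hits.append("autostart value pointing at install path")
    if t == "file_create" and ioc["install_path_re"].search(ev["path"]):
        hits.append("drop of install file")
    if t == "thread" and ev["api"] == "SetThreadContext" \
            and ev["target_image"].lower().endswith(ioc["injected_process"]):
        hits.append("SetThreadContext into configured injection target")
    return hits


def scan(events, cfg=CONFIG):
    """Return (event index, reasons) for every event that matches."""
    ioc = indicators(cfg)
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev, ioc)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry (not from the sandbox run).  The install
# path is illustrative; the page does not state where this sample lands.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "spypa.no-ip.org"},
    {"type": "net", "dst_host": "spypa.no-ip.org", "dst_port": 114},
    {"type": "mutex", "name": "***MUTEX***"},
    {"type": "file_create", "path": r"C:\Windows\install\update.exe"},
    {"type": "reg_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "data": r"C:\Windows\install\update.exe"},
    {"type": "thread", "target_image": r"C:\Windows\explorer.exe", "api": "SetThreadContext"},
    {"type": "dns", "query": "windowsupdate.microsoft.com"},   # benign
    {"type": "file_create", "path": r"C:\Users\u\update.exe"},  # same name, wrong directory
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, reasons)
```

The mutex and the C2 host carry different weight: the mutex is the builder default and will match any CyberGate build, whereas the host and port tie an event to this operator, so a real rule should score them separately rather than treating every hit equally.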

Targets

    • Target

      54dc63c41b193c64eac32a6b324d9077c06f28144a7120e840f0ba05040d5ab0

    • CyberGate, Rebhip

      CyberGate (also tracked as Rebhip) is a Windows remote access trojan marketed as a "remote administration tool". This build enables the keylogger, injects into explorer.exe and installs as update.exe under the configured install directory.

    • Adds policy Run key to start application

      Writes an autostart value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, a location some autostart tooling overlooks.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      Active Setup persistence (Software\Microsoft\Active Setup\Installed Components): the StubPath of a new component is executed for each user at logon.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer. Modified builds often rename the UPX0/UPX1 sections and break the stock unpacker, so do not rely on section names alone.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      Writes an autostart value under Software\Microsoft\Windows\CurrentVersion\Run.

    • Drops file in System32 directory

      Consistent with install_dir "install" and install_file "update.exe" in the extracted config.

    • Suspicious use of SetThreadContext

      Typical of process injection by thread-context hijacking or process hollowing; the configured injection target is explorer.exe.
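The "UPX packed file" signature above is a section-table heuristic, and the caveat about modified UPX matters in practice. The Python below is an added example (not part of the report or of any sandbox's detection code) that parses the PE section headers with only the standard library and reports the three usual UPX tells: UPX-named sections, a first section with no raw data but a large virtual size (the area the stub unpacks into), and the "UPX!" marker. The two PE images it checks are constructed in-line, not taken from this sample, and the builder deliberately emits only the header fields the parser needs.

```python
"""Minimal PE section-table parser with UPX heuristics.  Added example;
the two test images are constructed here and are not the sample above."""

import struct

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def pe_sections(data):
    """Return a list of dicts describing each section header in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size      # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = \
            struct.unpack_from(SECTION_FMT, data, off + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_ptr": rptr, "characteristics": flags,
        })
    return sections


def upx_indicators(data):
    """Return the list of UPX tells found; an empty list means none."""
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    reasons = []
    if any(n.upper().lstrip(".").startswith("UPX") for n in names):
        reasons.append("UPX section names: " + ", ".join(names))
    # Renamed-section builds still leave the first section empty on disk,
    # because the stub decompresses the original image into it at run time.
    if secs and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0:
        reasons.append("first section has no raw data but a nonzero virtual size")
    if b"UPX!" in data:
        reasons.append("UPX! marker present")
    return reasons


def build_pe(sections, trailer=b""):
    """Construct a header-only PE image.  `sections` is a list of
    (name, virtual_size, raw_size) tuples.  Constructed test data only."""
    opt_size = 224                      # size of a PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    coff = struct.pack(COFF_FMT, 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # Magic = PE32, rest zero
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)
    table = b""
    for name, vsize, rsize in sections:
        table += struct.pack(SECTION_FMT, name.encode(), vsize, 0x1000, rsize,
                             raw_ptr if rsize else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += rsize
    return bytes(dos) + b"PE\0\0" + coff + opt + table + trailer


# Constructed images: a UPX-style layout and a conventional one.
PACKED = build_pe([("UPX0", 0x20000, 0), ("UPX1", 0x8000, 0x8000), (".rsrc", 0x1000, 0x1000)],
                  trailer=b"UPX!")
CLEAN = build_pe([(".text", 0x5000, 0x5000), (".rdata", 0x1000, 0x1000), (".data", 0x800, 0x200)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN)):
        print(label, [s["name"] for s in pe_sections(image)], upx_indicators(image))
```

On a real file, read it with open(path, "rb").read() and pass the bytes to upx_indicators; a result of only the "no raw data" reason without UPX names is the usual signature of a renamed-section build.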

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060), 3 signature hits

  • Defense Evasion

    Modify Registry (T1112), 3 signature hits

  • Discovery

    Query Registry (T1012), 1 signature hit

    System Information Discovery (T1082), 2 signature hits

Technique IDs are as reported under ATT&CK v6; in current ATT&CK versions T1060 is superseded by T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
