General

  • Target

    1a7cd2e732ae5b9ce455ca8d34826feb531ef24efae440c53383ed64848cfe76

  • Size

    275KB

  • Sample

    220607-2w5rvsgaa2

  • MD5

    6b877042a2a59a72c640cd82180ff4cf

  • SHA1

    374f84d7a8a0a7e7a1419fa2846e7290a3145291

  • SHA256

    1a7cd2e732ae5b9ce455ca8d34826feb531ef24efae440c53383ed64848cfe76

  • SHA512

    80a1e1ac55efafee03733295616f3aaad46833662c26cfebb44ade832fbb327dc0bba2fe67a5e3a8be9a47b5eed372040132f56b93286ad0f5d1d725a443741a

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    vítima

  • C2

    127.0.0.1:81

  • Mutex

    ***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks