General

  • Target

    823a0e86b351e824c6acc550e2f373aa3464bcfbb5a3ea016c2ce99ada9d066c

  • Size

    400KB

  • Sample

    221002-jc7g8sfbhm

  • MD5

    782fefba1659a128a0af8cb9780ad5d0

  • SHA1

    464542428b15f4a2228616238628fe5a781c67df

  • SHA256

    823a0e86b351e824c6acc550e2f373aa3464bcfbb5a3ea016c2ce99ada9d066c

  • SHA512

    b62819777e75d7dcedfc4bdefc544e022c145eb3b97d53e2766d842552eb659ecd8bd7f341f022fd6ec530b2c2d879abefd25a940b86959acb847094c747687b

  • SSDEEP

    6144:YmcD66RRjtYeS9sdnPIMQo5JGmrpQsK3RD2u270jupCJsCxCE:xcD663SecC3KZ2zkPaCxZ

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    Yeni

  • C2

    orc.zapto.org:8181

  • Mutex

    ***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Run Time '9' - Subscript out of range

  • message_box_title

    Wolfteam

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory
