cybergate | 4c7297113f7fbcb1f833a7fbc10332f2dd2323a12d5f960d07c57f884f6a5f85 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

4c7297113f7fbcb1f833a7fbc10332f2dd2323a12d5f960d07c57f884f6a5f85
Size

562KB
MD5

245006d37d973a646cebba2089470a02
SHA1

1eaab78af33a17212fab8e06d231808c386ab5d2
SHA256

4c7297113f7fbcb1f833a7fbc10332f2dd2323a12d5f960d07c57f884f6a5f85
SHA512

e81ae355e9b964cfcc52701fc7191e139827c79068a425cb636654981aefd809a59d90b2aa1b2f77766c22c87f8b0040d6348ca7e23648e47e1fd9251689a535
SSDEEP

6144:pmcD66RS4tkQA47XHOvVIt9X5JGmrpQsK3RD2u270jupCJsCxCrIIdd0:scD66k4Gf47XOvVXZ2zkPaCx8w

Score

10^/10

upx marelis cybergate

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Marelis

C2

cct.no-ip.org:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
explorer
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
The program cannot start.
message_box_title
Fatal error
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

Cybergate family
cybergate

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
sample	upx

Files

4c7297113f7fbcb1f833a7fbc10332f2dd2323a12d5f960d07c57f884f6a5f85
.exe windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

UPX0
Size: 184KB - Virtual size: 184KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 344KB - Virtual size: 344KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 33KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE