General

  • Target

    24e47d0497b5df637f0cbcdc066deba266208527b3e8d970148820916faaebdf

  • Size

    444KB

  • Sample

    221011-erh1zaebek

  • MD5

    78d246250f5b379b79dd16b29bcf1420

  • SHA1

    fcf87ff43972ffcdb8befe977d62227fa7b0d2b7

  • SHA256

    24e47d0497b5df637f0cbcdc066deba266208527b3e8d970148820916faaebdf

  • SHA512

    5062376e1382f1a882d872743fe4b05f15ceebf722e80d541645ab6069d8fe67c7f789ffc18d8fb87a6aa1f7f772758fd8a3dbd5c7d7b858e422526b5ee731d6

  • SSDEEP

    12288:3H/wkoI06HYuuk3nUKvqeJ3tcK97+ZA8f:vToIL4uuunFh0

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

hack

C2

hoocking.no-ip.org:5000

Mutex

windows

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    chrome.exe

  • install_dir

    windowslogon

  • install_file

    winlogon32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    no es una aplicación Win32 válida.

  • message_box_title

    error 0x00C1 %12345

  • password

    123asd

  • regkey_hkcu

    HKC

  • regkey_hklm

    HKL

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 3

  • Defense Evasion

    Modify Registry (T1112): 3

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks