General

  • Target

    7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9

  • Size

    479KB

  • Sample

    221019-3ytytadgd6

  • MD5

    a17e4519a6e005f7fd867703639a15a7

  • SHA1

    23e6bc4906b190a33203cd489ede1d499e819cad

  • SHA256

    7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9

  • SHA512

    e47a3eae65661119b7900d95c1a8f5edc80d55a6d1110aea53d13aaf408447eef73165e866ee74907ad1483c53396835143c1534a956b933fe224f3da4d28a04

  • SSDEEP

    12288:tzPC0M438po70VxFFVJYCNp18mXxt2p7mOEvdwmQEd7bOuf+eube:hFs+ITxtK46Ywh

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Trial version

Botnet

Victime

C2

tarik775.no-ip.org:81

Mutex

XO6853ER546413

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    BOOT

  • install_file

    msnmsgr.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    008

  • regkey_hkcu

    Windows Live Messenger

Targets

    • Target

      7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9

    • Size

      479KB

    • MD5

      a17e4519a6e005f7fd867703639a15a7

    • SHA1

      23e6bc4906b190a33203cd489ede1d499e819cad

    • SHA256

      7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9

    • SHA512

      e47a3eae65661119b7900d95c1a8f5edc80d55a6d1110aea53d13aaf408447eef73165e866ee74907ad1483c53396835143c1534a956b933fe224f3da4d28a04

    • SSDEEP

      12288:tzPC0M438po70VxFFVJYCNp18mXxt2p7mOEvdwmQEd7bOuf+eube:hFs+ITxtK46Ywh

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

3
T1060

Defense Evasion

Modify Registry

3
T1112

Scripting

1
T1064

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks