General

Target: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206
Size: 888KB
Sample: 221020-ah84ksece9
MD5: a0efe7e5c16f631870d5d29b5992a020
SHA1: 70afc709e34a9a9cddcebfe0237520d9efb95b76
SHA256: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206
SHA512: 3dfb6122e1656a8c8da52a0cd72d20cf8df0595a6761fea9a94e2ab362c009940515243c16984397c18f1a41e3f3af7fd16a7ed7780e64d05ddc91f25e4e9c34
SSDEEP: 12288:dHlDbtDorPevhdQivIi3kTy/lZyNDaHBgwM3dBE5c:dHlD1gPeJdVv73azDwGX
Static task: static1
Behavioral task: behavioral1
Sample: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
Resource: win7-20220812-en
Malware Config

Extracted:
cybergate
v1.07.5
RS3
blueparrot.no-ip.biz:87
61FUA6146NINT0

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: winessentials.exe
install_dir: install
install_file: Windowslive.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: c1ndy123
regkey_hkcu: HKCU
regkey_hklm: HKLM
Targets

Target: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext