
General

  • Target

    79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

  • Size

    520KB

  • Sample

    221021-c1p5jagffk

  • MD5

    791f8102ea9510491562193f3bb238a2

  • SHA1

    3ac5ae41ba89e830299b2d78e2f0993cff23690b

  • SHA256

    79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

  • SHA512

    14d7c6b15b76d32d710c353e1f04771144fc71078d20bc131254947f394da4eb50512c8845b10f5ecc834dd6ff5143a72356ea510ed4e828e73b73f9aed4fb4c

  • SSDEEP

    6144:wmcD66RRju5JGmrpQsK3RD2u270jupCJsCxCz5JGmrpQsK3RD2u270jupCJsCxCp:5cD6633Z2zkPaCxfZ2zkPaCx2

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

127.0.0.1:81

Mutex

Newx32

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • ftp_password

    pikaloka

  • ftp_port

    21

  • ftp_server

    6te.net

  • ftp_username

    xikoloko.6te.net

  • injected_process

    explorer.exe

  • install_dir

    winx32

  • install_file

    netsys.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    voce eh gay????????

  • message_box_title

    KLEBER

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

    • Size

      520KB

    • MD5

      791f8102ea9510491562193f3bb238a2

    • SHA1

      3ac5ae41ba89e830299b2d78e2f0993cff23690b

    • SHA256

      79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

    • SHA512

      14d7c6b15b76d32d710c353e1f04771144fc71078d20bc131254947f394da4eb50512c8845b10f5ecc834dd6ff5143a72356ea510ed4e828e73b73f9aed4fb4c

    • SSDEEP

      6144:wmcD66RRju5JGmrpQsK3RD2u270jupCJsCxCz5JGmrpQsK3RD2u270jupCJsCxCp:5cD6633Z2zkPaCxfZ2zkPaCx2

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application
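The extracted configuration and the persistence signatures above together describe what to look for on an infected host. The following Python is added here as an example; it is not part of the tria.ge report and not code from the CyberGate family. It turns the reported values (install path tail `winx32\netsys.exe`, the HKCU/HKLM hives, the C2 socket, the FTP drop for keylogger output, the injected process) into indicators and runs them over a handful of constructed Sysmon-style events. The registry paths used for the Run, policy Run and Installed Components (Active Setup) locations, the user and directory names in the events, and the event schema itself are assumptions of this example. One point the code makes explicit: the reported C2 is 127.0.0.1:81, a loopback address, so this build cannot beacon to a remote operator; the FTP keylog upload to 6te.net:21 is the only outbound channel worth hunting, and it originates from explorer.exe, the injected process, not from netsys.exe.

```python
import ipaddress
import re

# Values below are taken from the extracted CyberGate 2.6 configuration in the report.
EXTRACTED_CONFIG = {
    "c2": "127.0.0.1:81",
    "mutex": "Newx32",
    "install_dir": "winx32",
    "install_file": "netsys.exe",
    "injected_process": "explorer.exe",
    "ftp_server": "6te.net",
    "ftp_port": 21,
    "keylogger_enable_ftp": True,
    "regkey_hkcu": "HKCU",
    "regkey_hklm": "HKLM",
}

# Assumed registry locations for the "Adds Run key", "Adds policy Run key" and
# "Modifies Installed Components" signatures (standard Windows autostart paths).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
POLICY_RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$",
    re.IGNORECASE)
ACTIVE_SETUP_RE = re.compile(
    r"\\Software\\Microsoft\\Active Setup\\Installed Components\\", re.IGNORECASE)


def c2_is_loopback(cfg):
    """True when the configured C2 host is a loopback address: such a build can
    never reach a remote operator (builder default or a test build)."""
    host = cfg["c2"].rpartition(":")[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostname rather than an IP literal
        return False


def derive_iocs(cfg):
    """Turn the extracted config into host and network indicators to hunt for."""
    return {
        # Only the tail is known: the report does not say which parent directory
        # winx32 is created under, so never match on a full path.
        "install_tail": f"{cfg['install_dir']}\\{cfg['install_file']}".lower(),
        "hives": {cfg["regkey_hkcu"].upper(), cfg["regkey_hklm"].upper()},
        "c2": cfg["c2"].lower(),
        "c2_loopback": c2_is_loopback(cfg),
        "ftp_endpoint": f"{cfg['ftp_server']}:{cfg['ftp_port']}".lower(),
        "ftp_exfil": bool(cfg.get("keylogger_enable_ftp")),
        "injected_process": cfg["injected_process"].lower(),
    }


def classify_event(iocs, ev):
    """Return a finding label for one telemetry event, or None if it is benign."""
    kind = ev["type"]
    if kind == "file_create":
        if ev["path"].lower().endswith(iocs["install_tail"]):
            return "dropper:install_file"
    elif kind == "registry_set":
        key = ev["path"].rpartition("\\")[0]          # strip the value name
        hive = key.split("\\", 1)[0].upper()
        data = ev["data"].lower()
        if hive in iocs["hives"] and data.endswith(iocs["install_tail"]):
            if POLICY_RUN_KEY_RE.search(key):
                return "persistence:policy_run_key"
            if RUN_KEY_RE.search(key):
                return "persistence:run_key"
            if ACTIVE_SETUP_RE.search(key):
                return "persistence:active_setup"
    elif kind == "network_connect":
        dst = f"{ev['dst']}:{ev['port']}".lower()
        # The RAT body runs inside explorer.exe, so the connecting image is the
        # injected host process; record that, but do not require it.
        from_injected = ev.get("image", "").lower() == iocs["injected_process"]
        if dst == iocs["c2"]:
            return "c2:loopback_only" if iocs["c2_loopback"] else "c2:beacon"
        if dst == iocs["ftp_endpoint"] and iocs["ftp_exfil"]:
            return "exfil:ftp_keylog" + (":from_injected_process" if from_injected else "")
    return None


def hunt(events, cfg=EXTRACTED_CONFIG):
    """Return (event_index, label) for every event that matches an indicator."""
    iocs = derive_iocs(cfg)
    hits = []
    for i, ev in enumerate(events):
        label = classify_event(iocs, ev)
        if label is not None:
            hits.append((i, label))
    return hits


# Constructed telemetry for this example (user name, parent directory and the
# Active Setup CLSID are invented; they are not from the report).
_DROP = "C:\\Users\\victim\\AppData\\Roaming\\winx32\\netsys.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "path": _DROP},
    {"type": "registry_set", "data": _DROP,
     "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\netsys"},
    {"type": "registry_set", "data": _DROP,
     "path": "HKLM\\Software\\Microsoft\\Active Setup\\Installed Components\\{CONSTRUCTED-CLSID}\\StubPath"},
    {"type": "registry_set", "data": _DROP,
     "path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\netsys"},
    {"type": "registry_set", "data": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},  # benign
    {"type": "network_connect", "image": "explorer.exe", "dst": "127.0.0.1", "port": 81},
    {"type": "network_connect", "image": "explorer.exe", "dst": "6te.net", "port": 21},
]

if __name__ == "__main__":
    for idx, label in hunt(SAMPLE_EVENTS):
        print(idx, label)
```

Matching on the path tail and on the data of the autostart value, rather than on a value name, keeps the check independent of the parts of the install location the report does not give; the benign OneDrive Run entry in the constructed events shows why the data check matters.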
