
General

  • Target

    79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

  • Size

    520KB

  • Sample

    221021-c1p5jagffk

  • MD5

    791f8102ea9510491562193f3bb238a2

  • SHA1

    3ac5ae41ba89e830299b2d78e2f0993cff23690b

  • SHA256

    79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

  • SHA512

    14d7c6b15b76d32d710c353e1f04771144fc71078d20bc131254947f394da4eb50512c8845b10f5ecc834dd6ff5143a72356ea510ed4e828e73b73f9aed4fb4c

  • SSDEEP

    6144:wmcD66RRju5JGmrpQsK3RD2u270jupCJsCxCz5JGmrpQsK3RD2u270jupCJsCxCp:5cD6633Z2zkPaCxfZ2zkPaCx2

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima (Portuguese: "victim")

C2

127.0.0.1:81 (loopback: as configured, this build can only connect to the infected host itself, so no live controller address is recoverable from this sample)

Mutex

Newx32

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • ftp_password

    pikaloka

  • ftp_port

    21

  • ftp_server

    6te.net

  • ftp_username

    xikoloko.6te.net

  • injected_process

    explorer.exe

  • install_dir

    winx32

  • install_file

    netsys.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

voce eh gay???????? (Portuguese, roughly "are you gay????????")

  • message_box_title

    KLEBER

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      79b80ef5b8f06d0dc4dd51a620c43bc5a6f63c7fc8c60ba7c555a0fc3a95c4ed

    • CyberGate, Rebhip

      CyberGate (detected by some AV vendors under the name Rebhip) is a Delphi-written remote access trojan with a wide feature set, including keylogging, file and process management, remote shell and screen capture. The config above (hidden install under winx32\netsys.exe, injection into explorer.exe, keylog upload over FTP) shows it deployed as a RAT rather than as a legitimate administration tool.

    • Adds policy Run key to start application

      Writes an autostart value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, a location that is honoured at logon but inspected far less often than the ordinary Run key.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      Writes an Active Setup entry (HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID}\StubPath), which Windows executes once for each user profile at logon.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry (HKCU\Control Panel\International), which sandboxes flag as a possible geofence. Ordinary locale APIs trigger the same read, so on its own this is a weak indicator; it matters here mainly alongside the Portuguese-language config strings.

    • Loads dropped DLL

    • Adds Run key to start application

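Added example, not code from the tria.ge report or from CyberGate itself: a Python script that turns the extracted config and the signatures listed above into offline triage checks a responder can run against a registry export, a mutex listing and a connection log. It assumes the three persistence signatures refer to the standard Run, Policies\Explorer\Run and Active Setup Installed Components keys, that the regkey_hkcu/regkey_hklm strings ("HKCU", "HKLM") are the Run value names the dropper writes, and that every artefact it checks against (the .reg text, the mutex names, the log lines and the placeholder GUID) is constructed for the example.

```python
# Added example, not code from the tria.ge report or from CyberGate: offline
# triage checks built from the extracted config and the signatures above.
# Assumptions: the three persistence signatures map to the standard Run,
# Policies\Explorer\Run and Active Setup keys; regkey_hkcu/regkey_hklm are the
# Run value names; every sample artefact below is constructed for the example.
import re

CONFIG = {                      # copied from "Malware Config" on this page
    "c2": "127.0.0.1:81",
    "mutex": "Newx32",
    "install_dir": "winx32",
    "install_file": "netsys.exe",
    "ftp_server": "6te.net",
    "ftp_port": 21,
}

# Locations behind "Adds Run key", "Adds policy Run key" and
# "Modifies Installed Components in the registry" (under HKCU or HKLM).
PERSISTENCE_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"Software\Microsoft\Active Setup\Installed Components",
)


def parse_reg_export(text):
    """Minimal .reg parser -> {key_path: {value_name: data}} for quoted
    REG_SZ values only; the export's doubled backslashes are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def persistence_hits(reg):
    """(key, value_name, data) for autostart entries pointing at the dropper."""
    needle = f"{CONFIG['install_dir']}\\{CONFIG['install_file']}".lower()
    hits = []
    for key, values in reg.items():
        if not any(pk.lower() in key.lower() for pk in PERSISTENCE_KEYS):
            continue
        for name, data in values.items():
            if needle in data.lower():
                hits.append((key, name, data))
    return hits


def mutex_hit(mutex_names):
    """True if the configured mutex shows up in a handle/mutex listing."""
    return CONFIG["mutex"] in set(mutex_names)


def c2_reachable(c2=None):
    """False for a loopback C2 like this build's 127.0.0.1:81: as configured the
    implant can only ever connect to the infected host itself."""
    host, _, _port = (c2 or CONFIG["c2"]).rpartition(":")
    return not (host.startswith("127.") or host == "localhost")


def ftp_exfil_hits(conn_log):
    """Lines of a 'timestamp src dst port' log that reach the keylogger's FTP drop."""
    pat = re.compile(r"^\S+\s+\S+\s+(\S+)\s+(\d+)$")
    hits = []
    for line in conn_log.splitlines():
        m = pat.match(line.strip())
        if m and m.group(1) == CONFIG["ftp_server"] and int(m.group(2)) == CONFIG["ftp_port"]:
            hits.append(line.strip())
    return hits


# Constructed artefacts shaped like what the signatures describe (GUID is a placeholder).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU"="C:\\winx32\\netsys.exe"
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"HKLM"="C:\\winx32\\netsys.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\winx32\\netsys.exe"
'''

SAMPLE_CONN_LOG = """\
2022-10-21T12:00:01Z 10.0.0.5 6te.net 21
2022-10-21T12:00:02Z 10.0.0.5 127.0.0.1 81
2022-10-21T12:00:03Z 10.0.0.5 update.example.net 443
"""

if __name__ == "__main__":
    for hit in persistence_hits(parse_reg_export(SAMPLE_REG)):
        print("persistence:", hit)
    print("mutex present:", mutex_hit(["Newx32", "Local\\ZonesCacheCounterMutex"]))
    print("C2 reachable as configured:", c2_reachable())
    print("FTP exfil:", ftp_exfil_hits(SAMPLE_CONN_LOG))
```

On a real host the .reg text comes from `reg export` of the two Run hives and the Active Setup key, the mutex list from a handle enumeration tool, and the connection log from the firewall or proxy; the checks key on the config strings rather than on the file hashes, so they still fire if the dropper is rebuilt with the same settings.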
MITRE ATT&CK Enterprise v6

Tasks