General

  • Target: 473f80b3430a5b6b40ade08f3b1262ec86fa8aa713d54d7fdfb36b9c39dd702d
  • Size: 297KB
  • Sample: 221021-dgd4lahed9
  • MD5: 579cae64c297512ee1a9cb18fa166f16
  • SHA1: 9e465dd1c250c86c53e9e13b4a5aebd485d88f7c
  • SHA256: 473f80b3430a5b6b40ade08f3b1262ec86fa8aa713d54d7fdfb36b9c39dd702d
  • SHA512: c67e5b6c09db3e352a755aa9cbe867c094eed2fc62f3315c40e3698b595e747d3117ea0299ca8f1722fd1f515a7699460e85e7e9f588b38f58e49f9e77b810c9
  • SSDEEP: 6144:8OpslFlqLhdBCkWYxuukP1pjSKSNVkq/MVJbi:8wsl8TBd47GLRMTbi

Malware Config

Extracted

  • Family: cybergate
  • Version: v1.07.5
  • Botnet: test
  • C2: stickker.no-ip.biz:5111
  • Mutex: B0477LDG30X3OV

Attributes

  • enable_keylogger: false
  • enable_message_box: false
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: fire
  • install_file: fire-ro bypass.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: Remote Administration anywhere in the world.
  • message_box_title: CyberGate
  • password: test
  • regkey_hkcu: HKCU
  • regkey_hklm: HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6