General

  • Target

    e28ccd0b147758c2bd0efe102c75b085b66fa3094c8125dda179b1ede7c68e26

  • Size

    504KB

  • Sample

    221021-ebf7faafcp

  • MD5

    7b9883bb9223d21b6cd7575af63f2440

  • SHA1

    5331df3cef388250fbbb1c8801f597f6ec30e7a0

  • SHA256

    e28ccd0b147758c2bd0efe102c75b085b66fa3094c8125dda179b1ede7c68e26

  • SHA512

    e8517b740d5709a99d0ac21e69b1f4e504273a5073fe989e968dd8932f27bbdde4fac3be2c01820fbe3ed2e3065b8ac0192918f07c896d42f9691a2318bdec76

  • SSDEEP

    12288:tiY7Ha53gRdvWijFJl5KkDTwqGG4VQnKMVbk:t3653gRdvWiPl/Twgk8c

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    fric

  • C2

    satanisther.sytes.net:23567

  • Mutex

    AY647S0E3B1G77

Attributes

  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    60

  • injected_process

    explorer.exe

  • install_dir

    MSwinlogonl

  • install_file

    winlogonl.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    dll not found.

  • message_box_title

    error

  • password

    titan

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks