General

  • Target

    f2374f2f930495b32fbc09ac18516a424cbf2021935d4061b824b43566a1d158

  • Size

    690KB

  • Sample

    221021-g4algafcfr

  • MD5

    51f4b35013790be99ee26ccf4829c07d

  • SHA1

    3d18f4a043a31beb97668665f8e1b531755ac217

  • SHA256

    f2374f2f930495b32fbc09ac18516a424cbf2021935d4061b824b43566a1d158

  • SHA512

    e6b34e4ab0e26fbe10c913d7419c6f0eb63852cbebcbc5f30a5cf44236939053cbd4ebb77ce979b54cf73744ee48a59f1f04fb7a9397dcd7cad373c723e3da26

  • SSDEEP

    12288:wAXPfZIb7O8W/9uTXqdI3Vummiw1SdEsKd1dki2V6la8dobYGU0tc1QgPjhApaha:Xf9qXqdoVdcKUobYNBf

Malware Config

Extracted

Family

cybergate

Version

v3.0.2.0

Botnet

E

C2

nilsio.no-ip.org:32957

nilsio.no-ip.org:39069

Mutex

Y2Q2648FL5MEWL

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    Lifetec

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      f2374f2f930495b32fbc09ac18516a424cbf2021935d4061b824b43566a1d158

    • Size

      690KB

    • MD5

      51f4b35013790be99ee26ccf4829c07d

    • SHA1

      3d18f4a043a31beb97668665f8e1b531755ac217

    • SHA256

      f2374f2f930495b32fbc09ac18516a424cbf2021935d4061b824b43566a1d158

    • SHA512

      e6b34e4ab0e26fbe10c913d7419c6f0eb63852cbebcbc5f30a5cf44236939053cbd4ebb77ce979b54cf73744ee48a59f1f04fb7a9397dcd7cad373c723e3da26

    • SSDEEP

      12288:wAXPfZIb7O8W/9uTXqdI3Vummiw1SdEsKd1dki2V6la8dobYGU0tc1QgPjhApaha:Xf9qXqdoVdcKUobYNBf

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks