General

  • Target

    5a88da19e51140ed8bfc399590a4eb7f7af534d0bb2b159112eed586ece4903c

  • Size

    398KB

  • Sample

    221021-xc32psbacn

  • MD5

    10a26718b4d85c56752ca5e274532d21

  • SHA1

    7b9db3e68f7e9817906ab9b0bc8fe1f7580da4ee

  • SHA256

    5a88da19e51140ed8bfc399590a4eb7f7af534d0bb2b159112eed586ece4903c

  • SHA512

    9adef618c1b79b5c381b5c659492a9f6fa7e13f308d70d56357152166a8d78b3f77a2b7b99860c7903a4947106d3691b462acb35f5af3f00a0b389ce7690cbcc

  • SSDEEP

    6144:UtS83Og7LqHoaKv1yB54ycUjjja5rGcFNDO5AULemh39a4qGXnTlyvfh1o:a5koa41I517uCwAxIt+yvfo

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    Dr.BLOTO

  • C2

    zx4n.no-ip.info:43

    zx6n.no-ip.biz:43

  • Mutex

    ***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    Ruyoer

  • install_file

    WKienf.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Please try again later.

  • message_box_title

    Error

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
