General
Target: 7a4a760a071d0b05c85351d4c63fd1deee9d139c96f6e6b5c58f3065353ded98
Size: 353KB
Sample: 221030-1rpz6sccc6
MD5: 915e965cb39c9c14b553ad75aa942307
SHA1: f3a64c310371e3df7384814d870157847c0b9202
SHA256: 7a4a760a071d0b05c85351d4c63fd1deee9d139c96f6e6b5c58f3065353ded98
SHA512: 5ea6a3252a488ed0c2e548be7a7a9e850b36875e2194c5de0519272edebaad2ef699ccf6a6cedd9b5cea9ff42184a73dcc0cb78a71a92b1b5b3f27884e83b9aa
SSDEEP: 6144:ck4qmmSI9XinMT7eUzbp5mbBJLUg/aUeU7QDPoNRQC9FQWG9Jn/YaobCIKP:v9RFinMXLAnojUeOQC9Sln/YaBP
Behavioral task
behavioral1
Sample: 7a4a760a071d0b05c85351d4c63fd1deee9d139c96f6e6b5c58f3065353ded98.exe
Resource: win7-20220812-en
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Extracted: cybergate
2.6
ÖÍíÉ
dsd3tec.zapto.org:288
***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: svchost.exe
- install_file: windows.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
Targets
Target: 7a4a760a071d0b05c85351d4c63fd1deee9d139c96f6e6b5c58f3065353ded98
- Modifies firewall policy service
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file: malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory