General

  • Target

    7a4a760a071d0b05c85351d4c63fd1deee9d139c96f6e6b5c58f3065353ded98

  • Size

    353KB

  • Sample

    221030-1rpz6sccc6

  • MD5

    915e965cb39c9c14b553ad75aa942307

  • SHA1

    f3a64c310371e3df7384814d870157847c0b9202

  • SHA256

    7a4a760a071d0b05c85351d4c63fd1deee9d139c96f6e6b5c58f3065353ded98

  • SHA512

    5ea6a3252a488ed0c2e548be7a7a9e850b36875e2194c5de0519272edebaad2ef699ccf6a6cedd9b5cea9ff42184a73dcc0cb78a71a92b1b5b3f27884e83b9aa

  • SSDEEP

    6144:ck4qmmSI9XinMT7eUzbp5mbBJLUg/aUeU7QDPoNRQC9FQWG9Jn/YaobCIKP:v9RFinMXLAnojUeOQC9Sln/YaBP

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

dsd3tec.zapto.org:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    t?tulo da mensagem

  • password

    abcd1234

Targets

    • Target

      7a4a760a071d0b05c85351d4c63fd1deee9d139c96f6e6b5c58f3065353ded98

    • Size

      353KB

    • MD5

      915e965cb39c9c14b553ad75aa942307

    • SHA1

      f3a64c310371e3df7384814d870157847c0b9202

    • SHA256

      7a4a760a071d0b05c85351d4c63fd1deee9d139c96f6e6b5c58f3065353ded98

    • SHA512

      5ea6a3252a488ed0c2e548be7a7a9e850b36875e2194c5de0519272edebaad2ef699ccf6a6cedd9b5cea9ff42184a73dcc0cb78a71a92b1b5b3f27884e83b9aa

    • SSDEEP

      6144:ck4qmmSI9XinMT7eUzbp5mbBJLUg/aUeU7QDPoNRQC9FQWG9Jn/YaobCIKP:v9RFinMXLAnojUeOQC9Sln/YaBP

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks