General

  • Target

    827a8478c1b9149a141c83c69af94788f7cfd14fe574b4751fb34976e447e7d1

  • Size

    340KB

  • Sample

    221030-g41gwsfdg9

  • MD5

    925fbc0c057c6b27e7a73168977f05f2

  • SHA1

    208a96f40f280775169159c32a3e0e59d4a7a890

  • SHA256

    827a8478c1b9149a141c83c69af94788f7cfd14fe574b4751fb34976e447e7d1

  • SHA512

    d94e1abd85f521fb907cd68c7d85803e7c743d8b07dc54843a175426f49b229359c40338159d094d73643cd58f64b75b3abe3b8ce4a8c881c287b225ff0880c7

  • SSDEEP

    6144:wMIz9uuepag4xY3IvYbfTvEGUMpjjaS+AmMu9SCEabYnV5ybiW:wbzkueMhTvwfTvvj3U19SqYVXW

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

~ تم الدعس ~ (Arabic, literally "trampling done", forum slang for "owned"; the report shows it as "~ Êã ÇáÏÚÓ ~" because the Windows-1256 bytes were read as Latin-1)

C2

meshalmshal.no-ip.biz:81

meshalmrb.no-ip.biz:81

Mutex

65BDNS5Q2Q1B53

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    صيغه الصورة خآطئه ("The image format is wrong"; Windows-1256 Arabic shown as "ÕíÛå ÇáÕæÑÉ ÎÂØÆå" when read as Latin-1). Decoy error dialog so the victim believes the dropper was a corrupt image.

  • message_box_title

    خطا ("Error"; shown as "ÎØÇ" when read as Latin-1)

  • password

    123456

  • regkey_hklm

    HKLM
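The Botnet ID and the two message-box strings above are Arabic text that the operator typed in a single-byte Windows codepage; the sandbox decoded the bytes as Latin-1, so each byte surfaced as the Latin-1 character with the same value. The following is an added example, not code from the report or from CyberGate, that reverses that misdecode (Latin-1 back to bytes, then cp1256) and sanity-checks the result. The codepage cp1256 is an assumption, chosen because the recovered text reads as Arabic; the input strings are copied from the config values printed above.

```python
# Added example, not part of the sandbox report. Recovers the Arabic config
# strings that the report renders as Latin-1 mojibake. Latin-1 maps byte 0xNN to
# U+00NN one-to-one, so encoding the garbled text as Latin-1 gives back the
# original bytes; decoding those as cp1256 (Windows Arabic) gives the text the
# operator wrote. cp1256 is an assumption here, validated by looks_arabic().

from typing import Dict, Tuple

# Constructed from the values printed in the Malware Config section.
GARBLED_FIELDS: Dict[str, str] = {
    "botnet": "~ Êã ÇáÏÚÓ ~",
    "message_box_caption": "ÕíÛå ÇáÕæÑÉ ÎÂØÆå",
    "message_box_title": "ÎØÇ",
}

ARABIC_BLOCKS: Tuple[Tuple[int, int], ...] = (
    (0x0600, 0x06FF),  # Arabic
    (0x0750, 0x077F),  # Arabic Supplement
)


def fix_mojibake(text: str, codepage: str = "cp1256") -> str:
    """Undo a Latin-1 misdecode of text that was really in `codepage`.

    Text containing characters above U+00FF cannot be the product of a Latin-1
    misdecode (Latin-1 only yields U+0000..U+00FF), so it is returned unchanged
    instead of being corrupted a second time.
    """
    try:
        raw = text.encode("latin-1")
    except UnicodeEncodeError:
        return text
    return raw.decode(codepage, errors="replace")


def looks_arabic(text: str, threshold: float = 0.5) -> bool:
    """True if at least `threshold` of the letters lie in the Arabic blocks.

    A wrong codepage guess usually yields a mix of unrelated scripts rather
    than a run of one script, so this is a cheap check on the cp1256 assumption.
    """
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return False
    arabic = sum(
        1 for c in letters if any(lo <= ord(c) <= hi for lo, hi in ARABIC_BLOCKS)
    )
    return arabic / len(letters) >= threshold


def recover_config_strings(fields: Dict[str, str], codepage: str = "cp1256") -> Dict[str, str]:
    """Repair each field, keeping the original where the repair is implausible.

    Both forms matter operationally: the repaired text is what the operator
    wrote, while the mojibake form is what other Latin-1-decoding tools (and
    string searches over their output) will show.
    """
    repaired: Dict[str, str] = {}
    for name, value in fields.items():
        candidate = fix_mojibake(value, codepage)
        repaired[name] = candidate if looks_arabic(candidate) else value
    return repaired


if __name__ == "__main__":
    for name, value in recover_config_strings(GARBLED_FIELDS).items():
        print(f"{name}: {value!r}  (as shown in report: {GARBLED_FIELDS[name]!r})")
```

Keep the raw Latin-1 form alongside the repaired text in any indicator list: the mutex, C2 hosts and password are ASCII and unaffected, but a string match on the Botnet ID or message-box text against another sandbox's output will only hit on whichever decoding that sandbox used.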

Targets

    • Target

      827a8478c1b9149a141c83c69af94788f7cfd14fe574b4751fb34976e447e7d1

    • Size

      340KB

    • MD5

      925fbc0c057c6b27e7a73168977f05f2

    • SHA1

      208a96f40f280775169159c32a3e0e59d4a7a890

    • SHA256

      827a8478c1b9149a141c83c69af94788f7cfd14fe574b4751fb34976e447e7d1

    • SHA512

      d94e1abd85f521fb907cd68c7d85803e7c743d8b07dc54843a175426f49b229359c40338159d094d73643cd58f64b75b3abe3b8ce4a8c881c287b225ff0880c7

    • SSDEEP

      6144:wMIz9uuepag4xY3IvYbfTvEGUMpjjaS+AmMu9SCEabYnV5ybiW:wbzkueMhTvwfTvvj3U19SqYVXW

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Matches executables packed with UPX or a modified build of the open-source UPX packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks