General

  • Target

    fdfdae75585d82bbbbcf987a718f39f073e97eb93174f24b6944fa429ebacb20

  • Size

    335KB

  • Sample

    221030-y5ltkaaceq

  • MD5

    90bd2d5f5c1236396bd700aa7722a791

  • SHA1

    16e5ac0209b9bf3ccca6ac1a025efde0c99912c7

  • SHA256

    fdfdae75585d82bbbbcf987a718f39f073e97eb93174f24b6944fa429ebacb20

  • SHA512

    3d7d15dc27b68c5d1c311ece6cf00dc91a5748d7b71a058132bc8d49c7592f084500aa4e8e41a8db1f644cebf2b99779ab7dc369beb4bc92d20f500e7ec3f043

  • SSDEEP

    6144:IqIlZJowmXZxRnANwrN8eje8gKa5oEzFQl2xR0Sj5gvC07HnFZfj44:IXlrrmXZx7rN84Xa5oEzas30Sj5gvCKZ

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

alabady.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Error

  • message_box_title

    Error

  • password

    5838999

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks