General

  • Target

    7de2f6abbda94428c3070f8a6379f677d4b63b98295fb0df0f37f58cdf4049c2

  • Size

    457KB

  • Sample

    221106-e29axacdf4

  • MD5

    203f2a96c9d1553ec903609cf42c516d

  • SHA1

    1bfc3d5602a12d61e5121bfde7219dd940cfcfba

  • SHA256

    7de2f6abbda94428c3070f8a6379f677d4b63b98295fb0df0f37f58cdf4049c2

  • SHA512

    9bfb270807082a418e9891c17ac21072ed602d45c40fe03041c3292a28c4745a2083f551154cb47211643cdbfbb0fd71f5748604066bc76bf00b6eaff9791471

  • SSDEEP

    12288:cq9e6N0DmGb2IyIMFMDotqmLmGJP71vIJ7gysQ0:FD0Dm+7vmuIqT8DKJ7gysQ0

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.8 Private Edition

  • Botnet

    CryptoSuite_Victim

  • C2

    127.0.0.1:81

  • Mutex

    ***CryptoSuite***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_file

    cftmon.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    http://www.cryptosuite.org - YLN

  • message_box_title

    Error..

  • password

    CryptoSuite

  • regkey_hkcu

    cftmon

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks