General
- Target: 8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311
- Size: 344KB
- Sample: 221106-j2selsdfbn
- MD5: 30258d571aa875077eaa46d038d9f3f6
- SHA1: 179c38560faaf7087d6abdad5fb2d2ef1107e4fe
- SHA256: 8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311
- SHA512: 519a0402d31c64234f191f8f28f5fbbb4e9a05a8eaf46e5df33a897fe6f41b49f88be5c8811cd98f23bfb75246f16beb72b4abc125b5a776d2ccff876a2c98b8
- SSDEEP: 6144:hs5fW5ymCZCMld6KK4HLe0vX3MN5zQMaMRXNxOm2Gi5CMRpNyXzkn401:SIomCZCme0lvXgeMdRX0PN4kB1
Static task: static1
Behavioral task: behavioral1
- Sample: 8dead5f956330707bd19cd3ea56fec3dcc172bb7c5192bbee6280d5081254311.exe
- Resource: win7-20220812-en
Malware Config
Extracted
cybergate
2.6
CHORO
conquer1000.no-ip.org:2000
conquer1000.no-ip.org:4000
conquer1000.no-ip.org:7000
***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: svchts
- install_file: System.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: 123
- regkey_hkcu: System
- regkey_hklm: System32
Targets
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext