General

  • Target

    86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba

  • Size

    514KB

  • Sample

    221106-j6ez3sdghp

  • MD5

    31b32a4b9868e2872e08cbc5edc6f1f0

  • SHA1

    8b879e7d75a05b957a49740a302eec40d63630e3

  • SHA256

    86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba

  • SHA512

    f680e855961e791287472d78a6772e4725f1a2421182d0fd75ef546bff9b8082de446866515df7ca227da07e15fb5313070efea3a7d1a6173198b03905e01855

  • SSDEEP

    12288:nh6Bo7lyUDyiFBpbH7Xxu8XhE9wOqWBKh7Ho0LVdM:kBo7bFvz7hhqwOqDHvfM

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

Client

C2

ph4nt0mzz.zapto.org:999

Mutex

VKTWTS75QF741D

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    mstcfg

  • install_file

    mstcfg.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba

    • Size

      514KB

    • MD5

      31b32a4b9868e2872e08cbc5edc6f1f0

    • SHA1

      8b879e7d75a05b957a49740a302eec40d63630e3

    • SHA256

      86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba

    • SHA512

      f680e855961e791287472d78a6772e4725f1a2421182d0fd75ef546bff9b8082de446866515df7ca227da07e15fb5313070efea3a7d1a6173198b03905e01855

    • SSDEEP

      12288:nh6Bo7lyUDyiFBpbH7Xxu8XhE9wOqWBKh7Ho0LVdM:kBo7bFvz7hhqwOqDHvfM

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks