General

  • Target

    5cb3e5a604c9764c14986dff080b93e9be624cb4406f5af5224b8927895468f6

  • Size

    500KB

  • Sample

    221106-kqbhdseggn

  • MD5

    11da4736ccb6fccf497748c0506376df

  • SHA1

    4b5e2f1bd50dc6e0cbefe58585a9c23c33da81e7

  • SHA256

    5cb3e5a604c9764c14986dff080b93e9be624cb4406f5af5224b8927895468f6

  • SHA512

    1e98d3538c4f56c02971fc306e857d87747aa54b096e73d24ee807da16559a9d176336f86b7e3ef87a3faad538d0fd24da93dbde8649ca82e2267bbdd86ebab5

  • SSDEEP

    6144:AWsoXvHnZqqHYBJTf7hlN8WMo5SZ7DvJkWZA8U+WApNCTOeDNQDx7dHw://UOYBJLFl6fZ7Dx8RFA3CTHE7J

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

domdom2121

C2

176.240.164.204:2121

95.6.97.198:2121

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    21212121

Targets

    • Target

      5cb3e5a604c9764c14986dff080b93e9be624cb4406f5af5224b8927895468f6

    • Size

      500KB

    • MD5

      11da4736ccb6fccf497748c0506376df

    • SHA1

      4b5e2f1bd50dc6e0cbefe58585a9c23c33da81e7

    • SHA256

      5cb3e5a604c9764c14986dff080b93e9be624cb4406f5af5224b8927895468f6

    • SHA512

      1e98d3538c4f56c02971fc306e857d87747aa54b096e73d24ee807da16559a9d176336f86b7e3ef87a3faad538d0fd24da93dbde8649ca82e2267bbdd86ebab5

    • SSDEEP

      6144:AWsoXvHnZqqHYBJTf7hlN8WMo5SZ7DvJkWZA8U+WApNCTOeDNQDx7dHw://UOYBJLFl6fZ7Dx8RFA3CTHE7J

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
