General

  • Target

    55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824

  • Size

    1.1MB

  • Sample

    221106-ks6fjscfc3

  • MD5

    295186d521efde600fe65a53a8649ff0

  • SHA1

    a5d068dd8955fc29427298c9d5f2044d3b2a7114

  • SHA256

    55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824

  • SHA512

    f6ef927e49567b21a7ff2b914a8d7837fc3060914a97467b9b29b6c58c4ddca68c4042830f1f37a2ddc77653f0c02f652221ce587e97eb0be56cc6ae85c4fef9

  • SSDEEP

    24576:7zStYF/AiO8FbIZB1WiQXhF905CtBkV0Hf4Rl4NPtkDrT3lww2l/3:7zAYV8H4hn0KBkVEf4gNPtkCjJ

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.02.1

  • Botnet

    Lammer

  • C2

    patinhosmill.ddns.net:2000

  • Mutex

    Pluguin

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    Pluguin.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.

  • message_box_title

    LAMMER

  • password

    123

  • regkey_hkcu

    Avirnt

  • regkey_hklm

    skypeupdate

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
