General

  • Target

    64864c7007f2626994398cd1edd78912e43c554459b094fa25e4c2a7c6ef9593

  • Size

    628KB

  • Sample

    221106-l67q7shcel

  • MD5

    2cfca1fa8763be6eed11e47401fabd49

  • SHA1

    bfe916c8dadfcf4c7025c03648ea6ef63e6952c1

  • SHA256

    64864c7007f2626994398cd1edd78912e43c554459b094fa25e4c2a7c6ef9593

  • SHA512

    bd871365213d210d01eaa149be300539cc338a0dc3ef7cd4dd877e9186f6377e945bfe2b03191a99fa41d94c5688220e9db8e04ae8f129428d592eb3b7d8e595

  • SSDEEP

    12288:iXeVQkTrvj4xdoJ/Up9zCU2LnOjvTcUsEXxoMo1Exan+KMrrRwOm6:iaQkTf4zoGaCrcU5Xlo7ERJm6

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    victim

  • C2

    noorhackers.no-ip.org:1604

  • Mutex

    ***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    yahoo

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123321

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      64864c7007f2626994398cd1edd78912e43c554459b094fa25e4c2a7c6ef9593

    • Size

      628KB

    • MD5

      2cfca1fa8763be6eed11e47401fabd49

    • SHA1

      bfe916c8dadfcf4c7025c03648ea6ef63e6952c1

    • SHA256

      64864c7007f2626994398cd1edd78912e43c554459b094fa25e4c2a7c6ef9593

    • SHA512

      bd871365213d210d01eaa149be300539cc338a0dc3ef7cd4dd877e9186f6377e945bfe2b03191a99fa41d94c5688220e9db8e04ae8f129428d592eb3b7d8e595

    • SSDEEP

      12288:iXeVQkTrvj4xdoJ/Up9zCU2LnOjvTcUsEXxoMo1Exan+KMrrRwOm6:iaQkTf4zoGaCrcU5Xlo7ERJm6

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks