General
-
Target
64864c7007f2626994398cd1edd78912e43c554459b094fa25e4c2a7c6ef9593
-
Size
628KB
-
Sample
221106-l67q7shcel
-
MD5
2cfca1fa8763be6eed11e47401fabd49
-
SHA1
bfe916c8dadfcf4c7025c03648ea6ef63e6952c1
-
SHA256
64864c7007f2626994398cd1edd78912e43c554459b094fa25e4c2a7c6ef9593
-
SHA512
bd871365213d210d01eaa149be300539cc338a0dc3ef7cd4dd877e9186f6377e945bfe2b03191a99fa41d94c5688220e9db8e04ae8f129428d592eb3b7d8e595
-
SSDEEP
12288:iXeVQkTrvj4xdoJ/Up9zCU2LnOjvTcUsEXxoMo1Exan+KMrrRwOm6:iaQkTf4zoGaCrcU5Xlo7ERJm6
Static task
static1
Behavioral task
behavioral1
Sample
64864c7007f2626994398cd1edd78912e43c554459b094fa25e4c2a7c6ef9593.exe
Resource
win7-20220812-en
Malware Config
Extracted
cybergate
2.6
victim
noorhackers.no-ip.org:1604
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
svchost.exe
-
install_dir
yahoo
-
install_file
windows.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
t?tulo da mensagem
-
password
123321
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
64864c7007f2626994398cd1edd78912e43c554459b094fa25e4c2a7c6ef9593
-
Size
628KB
-
MD5
2cfca1fa8763be6eed11e47401fabd49
-
SHA1
bfe916c8dadfcf4c7025c03648ea6ef63e6952c1
-
SHA256
64864c7007f2626994398cd1edd78912e43c554459b094fa25e4c2a7c6ef9593
-
SHA512
bd871365213d210d01eaa149be300539cc338a0dc3ef7cd4dd877e9186f6377e945bfe2b03191a99fa41d94c5688220e9db8e04ae8f129428d592eb3b7d8e595
-
SSDEEP
12288:iXeVQkTrvj4xdoJ/Up9zCU2LnOjvTcUsEXxoMo1Exan+KMrrRwOm6:iaQkTf4zoGaCrcU5Xlo7ERJm6
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-