General
Target: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
Size: 387KB
Sample: 221106-lvmlwsggdm
MD5: 2184e73b4a2ecee7a726b2d7f8374946
SHA1: 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512: 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6
SSDEEP: 6144:27D6KarVGMXvnF/Cq/HgZ4OYSUO8mJuWV918BMgVvraUdctrs+s3jwwV:sDGR3dCyHtOZ/JuWV9uBMg10ewwV
Static task: static1
Behavioral task: behavioral1
Sample: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Resource: win7-20220812-en
Malware Config
Extracted
Family: cybergate
Version: 2.6
Campaign ID: ضحية (Arabic for "victim"; the report renders the Windows-1256 bytes as Latin-1, which displays as "ÖÍíÉ")
C2: 127.0.0.1:8081
C2: tunisia-sat.no-ip.biz:8081
Mutex: ***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: svchost.exe
install_dir: bin
install_file: windows.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem (Portuguese: "message text")
message_box_title: título da mensagem (Portuguese: "message title"; shown as "t?tulo" in the report because the "í" was mis-encoded)
password: abcd1234
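As an added example (not code from the sandbox, from this report, or from CyberGate), the script below takes the extracted config as displayed above, recovers the campaign ID from its mis-encoded form, splits the C2 list into host/port pairs and marks the loopback entry as non-actionable, flags fields that are still at builder defaults, and checks a file's digests against the hashes listed in the General section. The key names in CONFIG_TEXT, the function names, and the BUILDER_DEFAULTS table (from my own familiarity with the CyberGate builder, not from this report) are my assumptions.

```python
"""
Turn the extracted CyberGate config shown in this report into structured,
checkable IOCs. Added example for this page; not sandbox or CyberGate code.
Run with: python3 cybergate_config.py
"""
import hashlib

# Constructed input: the report's "Malware Config / Extracted" block, written
# as key/value lines. Every value is copied from the report as displayed,
# including the mis-encoded campaign ID and the "t?tulo" garble.
CONFIG_TEXT = """\
family: cybergate
version: 2.6
campaign_id: ÖÍíÉ
c2: 127.0.0.1:8081
c2: tunisia-sat.no-ip.biz:8081
mutex: ***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: svchost.exe
install_dir: bin
install_file: windows.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: t?tulo da mensagem
password: abcd1234
"""

# Values the CyberGate builder ships with (author's knowledge of the builder,
# not from this report). A config still carrying them was built with little
# customisation, which is itself a useful clustering signal.
BUILDER_DEFAULTS = {
    "mutex": "***MUTEX***",
    "password": "abcd1234",
    "message_box_caption": "texto da mensagem",
    "message_box_title": "título da mensagem",
}

# File hashes from the "General" section of this report.
REPORT_HASHES = {
    "md5": "2184e73b4a2ecee7a726b2d7f8374946",
    "sha1": "8dd0ef00c55f8470ae513b66773a6369539a8dc9",
    "sha256": "0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc",
}


def parse_config(text: str) -> dict:
    """Parse 'key: value' lines; repeated 'c2' keys accumulate into a list."""
    cfg = {"c2": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "c2":
            cfg["c2"].append(value)
        else:
            cfg[key] = value
    return cfg


def fix_mojibake(text: str, codepage: str = "cp1256") -> str:
    """Undo 'codepage bytes shown as Latin-1'. The campaign ID here is Arabic
    typed on a Windows-1256 system; the sandbox rendered the raw bytes as
    Latin-1. Re-encoding as Latin-1 recovers the bytes, decoding as cp1256
    recovers the Arabic."""
    try:
        return text.encode("latin-1").decode(codepage)
    except UnicodeError:
        return text  # not Latin-1 representable, or invalid in that codepage


def c2_endpoints(cfg: dict) -> list:
    """Split host:port; loopback is flagged because it is not a usable network IOC."""
    out = []
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        out.append({"host": host, "port": int(port),
                    "actionable": host not in ("127.0.0.1", "localhost")})
    return out


def default_fields(cfg: dict) -> list:
    """Config keys whose value is unchanged from the builder default."""
    return sorted(k for k, v in BUILDER_DEFAULTS.items() if cfg.get(k) == v)


def host_iocs(cfg: dict) -> dict:
    """Host-side artefacts. The parent of install_dir is not an extracted
    field, so the install path is reported relative to it."""
    return {
        "install_path": f"{cfg['install_dir']}\\{cfg['install_file']}",
        "installs": cfg["install_flag"] == "true",
        "injected_process": cfg["injected_process"],
        "mutex": cfg["mutex"],
        "keylogger": cfg["enable_keylogger"] == "true",
    }


def matches_report(data: bytes, expected: dict = REPORT_HASHES) -> bool:
    """True if every digest in `expected` matches the given file content."""
    return all(hashlib.new(alg, data).hexdigest() == digest.lower()
               for alg, digest in expected.items())


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print("campaign id:", fix_mojibake(cfg["campaign_id"]))
    print("c2:", c2_endpoints(cfg))
    print("builder defaults still present:", default_fields(cfg))
    print("host IOCs:", host_iocs(cfg))
```

The loopback C2 entry is kept in the output but marked non-actionable rather than dropped, so the record still shows that the operator left a placeholder in the list. The install path is deliberately relative: the config fields give only "bin" and "windows.exe", and the parent directory has to come from the behavioural trace, not from the extracted config.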
Targets
Target: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
Size: 387KB
MD5: 2184e73b4a2ecee7a726b2d7f8374946
SHA1: 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512: 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6
SSDEEP: 6144:27D6KarVGMXvnF/Cq/HgZ4OYSUO8mJuWV918BMgVvraUdctrs+s3jwwV:sDGR3dCyHtOZ/JuWV9uBMg10ewwV
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext