General

  • Target

    0605a2ad5b4a969cfeabbe91ccbf41605d0eeabd42418cdb1ab090b4d71700b8

  • Size

    538KB

  • Sample

    221106-mgw4vahgfj

  • MD5

    09729c447c0db004651d90b045ae7680

  • SHA1

    5af1a63bcf96a90c7284cb729c5cfde3cceb74d7

  • SHA256

    0605a2ad5b4a969cfeabbe91ccbf41605d0eeabd42418cdb1ab090b4d71700b8

  • SHA512

    aafaf6a041f50fca25536009da31deb7d1d42d6ead8303a754c62412038d9e59b2d1c83ad7d2d95700374b39f6decafe07a7c4adc1f51b260492454dbc8cc4f3

  • SSDEEP

    12288:tHiLvYSlbAfgWpqrGVtMVKE3GNKRhtPHHmh:QNbA58mtMAAuUhtOh

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.02.1

  • Botnet

    Lammer

  • C2

    maaxhak.no-ip.org:81

    maaxhak.no-ip.org:82

  • Mutex

    fghfjj

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    explorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.

  • message_box_title

    LAMMER

  • password

    123

  • regkey_hkcu

    Avirnt

  • regkey_hklm

    Avgnt

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks