General
Target: 0605a2ad5b4a969cfeabbe91ccbf41605d0eeabd42418cdb1ab090b4d71700b8
Size: 538KB
Sample: 221106-mgw4vahgfj
MD5: 09729c447c0db004651d90b045ae7680
SHA1: 5af1a63bcf96a90c7284cb729c5cfde3cceb74d7
SHA256: 0605a2ad5b4a969cfeabbe91ccbf41605d0eeabd42418cdb1ab090b4d71700b8
SHA512: aafaf6a041f50fca25536009da31deb7d1d42d6ead8303a754c62412038d9e59b2d1c83ad7d2d95700374b39f6decafe07a7c4adc1f51b260492454dbc8cc4f3
SSDEEP: 12288:tHiLvYSlbAfgWpqrGVtMVKE3GNKRhtPHHmh:QNbA58mtMAAuUhtOh
Static task: static1
Behavioral task: behavioral1
Sample: 0605a2ad5b4a969cfeabbe91ccbf41605d0eeabd42418cdb1ab090b4d71700b8.exe
Resource: win7-20220812-en
Malware Config
Extracted
Family: cybergate
Version: v1.02.1
Lammer
C2: maaxhak.no-ip.org:81
C2: maaxhak.no-ip.org:82
fghfjj
enable_keylogger: true
enable_message_box: false
ftp_directory: ./
ftp_interval: 30
injected_process: explorer.exe
install_dir: Microsoft
install_file: explorer.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO. (Portuguese: "YOU HAVE BEEN HACKED ...YOUR SYSTEM WILL BE FORMATTED.")
message_box_title: LAMMER
password: 123
regkey_hkcu: Avirnt
regkey_hklm: Avgnt
Targets
Target: 0605a2ad5b4a969cfeabbe91ccbf41605d0eeabd42418cdb1ab090b4d71700b8
Size: 538KB
MD5: 09729c447c0db004651d90b045ae7680
SHA1: 5af1a63bcf96a90c7284cb729c5cfde3cceb74d7
SHA256: 0605a2ad5b4a969cfeabbe91ccbf41605d0eeabd42418cdb1ab090b4d71700b8
SHA512: aafaf6a041f50fca25536009da31deb7d1d42d6ead8303a754c62412038d9e59b2d1c83ad7d2d95700374b39f6decafe07a7c4adc1f51b260492454dbc8cc4f3
SSDEEP: 12288:tHiLvYSlbAfgWpqrGVtMVKE3GNKRhtPHHmh:QNbA58mtMAAuUhtOh
Signatures
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
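Added example, not part of this report and not CyberGate's or the sandbox's own code: a Python hunt that turns the extracted config (C2 host and ports, Run value names Avirnt/Avgnt, install_dir "Microsoft", install_file "explorer.exe") and the Run-key behaviour signatures above into checks over Sysmon-style registry, DNS, network and process events. The event layout, the victim paths and the parent directory C:\Program Files\Microsoft are constructed assumptions; the report only states the directory name "Microsoft", not where it is created. The genuine Windows shell at <Windows dir>\explorer.exe and a normal OneDrive Run entry are included so the checks are shown not to fire on them.

```python
"""Hunt for the CyberGate indicators in this report across Sysmon-style events."""
import ntpath
import re
from typing import Optional

# Indicators copied from the extracted config and hashes on this page.
C2_HOSTS = {"maaxhak.no-ip.org"}
C2_PORTS = {81, 82}
RUN_VALUE_NAMES = {"avirnt", "avgnt"}   # regkey_hkcu / regkey_hklm
INSTALL_DIR = "microsoft"               # install_dir
INSTALL_FILE = "explorer.exe"           # install_file (also the injected_process)
SAMPLE_SHA256 = "0605a2ad5b4a969cfeabbe91ccbf41605d0eeabd42418cdb1ab090b4d71700b8"

# ...\CurrentVersion\Run\<name> plus the Policies\Explorer\Run variant the sandbox flagged.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Policies\\Explorer\\)?Run\\([^\\]+)$",
    re.IGNORECASE,
)


def is_dropped_explorer(path: str) -> bool:
    """True for <anything>\\Microsoft\\explorer.exe, the install location the config describes.
    The genuine shell is <Windows dir>\\explorer.exe, whose parent is never 'Microsoft'."""
    head, tail = ntpath.split(path.strip().strip('"'))
    return tail.lower() == INSTALL_FILE and ntpath.basename(head).lower() == INSTALL_DIR


def check_registry(key_path: str, value_data: str) -> list:
    """Flag Run / Policies\\Explorer\\Run values matching the config's names or install path."""
    m = RUN_KEY_RE.search(key_path)
    if not m:
        return []
    policy, value_name = m.group(1), m.group(2)
    reasons = []
    if value_name.lower() in RUN_VALUE_NAMES:
        reasons.append(f"Run value name {value_name!r} matches CyberGate regkey_hkcu/regkey_hklm")
    if is_dropped_explorer(value_data):
        reasons.append("Run value points at <dir>\\Microsoft\\explorer.exe (install_dir/install_file)")
    if policy and reasons:
        reasons.append("persistence via Policies\\Explorer\\Run (policy Run key)")
    return reasons


def check_dns(query: str) -> list:
    return [f"DNS query for C2 host {query}"] if query.lower().rstrip(".") in C2_HOSTS else []


def check_network(dst_host: str, dst_port: int) -> list:
    # Any connection to the C2 host is worth a hit; the configured ports just add confidence.
    if dst_host.lower() not in C2_HOSTS:
        return []
    reasons = [f"connection to C2 host {dst_host}"]
    if dst_port in C2_PORTS:
        reasons.append(f"port {dst_port} is one of the ports in the extracted config")
    return reasons


def check_process(image: str, sha256: Optional[str]) -> list:
    reasons = []
    if sha256 and sha256.lower() == SAMPLE_SHA256:
        reasons.append("image SHA256 matches the analysed sample")
    if is_dropped_explorer(image):
        reasons.append("runs explorer.exe from a 'Microsoft' directory, not the Windows shell")
    return reasons


def scan(events: list) -> list:
    """Return [(event id, [reasons]), ...] for every event that matches an indicator."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry":
            reasons = check_registry(ev["key"], ev["data"])
        elif kind == "dns":
            reasons = check_dns(ev["query"])
        elif kind == "network":
            reasons = check_network(ev["dst"], ev["port"])
        elif kind == "process":
            reasons = check_process(ev["image"], ev.get("sha256"))
        else:
            reasons = []
        if reasons:
            hits.append((ev["id"], reasons))
    return hits


# Constructed sample telemetry (not from the report); the install path is an assumption.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\explorer.exe", "sha256": "ab" * 32},
    {"id": 2, "type": "process", "sha256": SAMPLE_SHA256,
     "image": r"C:\Users\victim\Desktop\0605a2ad5b4a969cfeabbe91ccbf41605d0eeabd42418cdb1ab090b4d71700b8.exe"},
    {"id": 3, "type": "registry", "data": r"C:\Program Files\Microsoft\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Avirnt"},
    {"id": 4, "type": "registry", "data": r"C:\Program Files\Microsoft\explorer.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Avgnt"},
    {"id": 5, "type": "registry", "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"id": 6, "type": "dns", "query": "maaxhak.no-ip.org"},
    {"id": 7, "type": "network", "dst": "maaxhak.no-ip.org", "port": 82},
    {"id": 8, "type": "network", "dst": "maaxhak.no-ip.org", "port": 443},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Events 1 and 5 (the real shell and a legitimate OneDrive Run entry) produce no hit, because the path check requires both the file name "explorer.exe" and a parent directory named "Microsoft"; the remaining events each hit on at least one indicator, and event 3 shows the policy Run key variant from the signature list.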