General
-
Target
825e37086796f4d16132c1ea361590bc116b904f40259a1e315b2b3d2e5d562f
-
Size
296KB
-
Sample
221106-qkr6vadba7
-
MD5
0e70086fe3e4db85c006e1c202f6d0de
-
SHA1
88e6c1e41014c94c80fb0e300013b78ac0619fac
-
SHA256
825e37086796f4d16132c1ea361590bc116b904f40259a1e315b2b3d2e5d562f
-
SHA512
9401b28194a37f9a2dd9d32b9bb88cfa65a56bc58f1347f7d8af581ef4e361dc133889e40187fbd5eb71ab2cf5c4deb291f459548bb52a9bf0ee82c31dc2645f
-
SSDEEP
6144:/OpslFlqmhdBCkWYxuukP1pjSKSNVkq/MVJb9:/wsl9TBd47GLRMTb9
Behavioral task
behavioral1
Sample
825e37086796f4d16132c1ea361590bc116b904f40259a1e315b2b3d2e5d562f.exe
Resource
win7-20220812-en
Malware Config
Extracted
cybergate
v1.07.5
Cyber
owningnoobs.sytes.net:1337
DW716RPIY4N5A8
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
WinDir
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
825e37086796f4d16132c1ea361590bc116b904f40259a1e315b2b3d2e5d562f
-
Size
296KB
-
MD5
0e70086fe3e4db85c006e1c202f6d0de
-
SHA1
88e6c1e41014c94c80fb0e300013b78ac0619fac
-
SHA256
825e37086796f4d16132c1ea361590bc116b904f40259a1e315b2b3d2e5d562f
-
SHA512
9401b28194a37f9a2dd9d32b9bb88cfa65a56bc58f1347f7d8af581ef4e361dc133889e40187fbd5eb71ab2cf5c4deb291f459548bb52a9bf0ee82c31dc2645f
-
SSDEEP
6144:/OpslFlqmhdBCkWYxuukP1pjSKSNVkq/MVJb9:/wsl9TBd47GLRMTb9
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up the country code configured in the registry; this is likely a geofence check.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-