General

  • Target

    d0056937f8a8e74fdf6ae10c6c389fe79c6b3af94bc1aa01e69d9c0ee52b1820

  • Size

    772KB

  • Sample

    221106-renrxaggbn

  • MD5

    0174697ceca41dd4f3652c42e89b9805

  • SHA1

    3fcc2ec9e295bb7676e62510f6b1ec5d21466c33

  • SHA256

    d0056937f8a8e74fdf6ae10c6c389fe79c6b3af94bc1aa01e69d9c0ee52b1820

  • SHA512

    4c16cb325618a402948e449091a72b2a7f0f4ce5d1903573955c8266548f9b787fc5b2d1f680063c52521eda12b7effbd8f30f679294e1fa4a1eb54594cb7877

  • SSDEEP

    12288:T1q9CdsqTzLEebrKtzsFpZyTy18gLrWo6D7hkYHC:T1O0zL3utqpZ2y18CrYlk

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

N0_Lose

C2

fvool.gicp.net:81

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    qul.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    这是来自于N0_Lose的问候！

  • message_box_title

    N0_Lose的问候

  • password

    abcd1234

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Drops file in System32 directory
