General

  • Target

    50f5f1feaabf19bfc8144ed1d6c1e31258589d17cc98f050a58a1a5e6d787d75

  • Size

    284KB

  • Sample

    221106-rwlc4shfbm

  • MD5

    0d327629efd46e4a106542211b457f6b

  • SHA1

    825a27765e47a7f1030086fe592b6b4870398d35

  • SHA256

    50f5f1feaabf19bfc8144ed1d6c1e31258589d17cc98f050a58a1a5e6d787d75

  • SHA512

    07b2257670d5ff53409b5cbfa988139e2d3f5633d9bf7d6079271452852fb5d6bbe2d047e6c9eecfd965d2d20580e6164264d4538c59a517113d30dcc4c5e85b

  • SSDEEP

    6144:z9n6vfBzENlUd0QjawyMKJ+kAvJME0qXcsUQgYG9I8ZC2ZQL32:Z6HBgDUdJapkvOERXPzz8ZCXL3

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

server

C2

teeheeftw.no-ip.org:586

Mutex

Q7248441RQ6Q67

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    taskmgr.exe

  • install_file

    taskmgr.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      50f5f1feaabf19bfc8144ed1d6c1e31258589d17cc98f050a58a1a5e6d787d75

    • Size

      284KB

    • MD5

      0d327629efd46e4a106542211b457f6b

    • SHA1

      825a27765e47a7f1030086fe592b6b4870398d35

    • SHA256

      50f5f1feaabf19bfc8144ed1d6c1e31258589d17cc98f050a58a1a5e6d787d75

    • SHA512

      07b2257670d5ff53409b5cbfa988139e2d3f5633d9bf7d6079271452852fb5d6bbe2d047e6c9eecfd965d2d20580e6164264d4538c59a517113d30dcc4c5e85b

    • SSDEEP

      6144:z9n6vfBzENlUd0QjawyMKJ+kAvJME0qXcsUQgYG9I8ZC2ZQL32:Z6HBgDUdJapkvOERXPzz8ZCXL3

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks