General
- Target: Trojan-Ransom.Win32.Blocker.eluf-e2961ba28a3cc3f00c6c747911fbefc4801967436b0446f43c9f1eecbc7a1084
- Size: 305KB
- Sample: 221106-x9bnqahbb2
- MD5: f448d257058e9f1eb44ae300dffafd24
- SHA1: e7ab910aa9793b8598000fe4cdb2a4043aeeaad7
- SHA256: e2961ba28a3cc3f00c6c747911fbefc4801967436b0446f43c9f1eecbc7a1084
- SHA512: 89b025ffa22592e32f4e28b9753f1e5437629c81b41e4739bda7bc9db99b88fac201d95cc565edf7ff8e541722ebf6f685aa19dfc84eb13f9079b2a86553b34c
- SSDEEP: 6144:gNuN0ov+YgUywIG6DXUL3QPZ42YOLSY3Dz02F84vYvGhVhjyloRf5HrC3u01S8:gNufvZzywR6TU6ZSOL1Dzf1vYQWlyhLM
Static task: static1
Behavioral task: behavioral1
- Sample: proposta.exe
- Resource: win7-20220812-en
Malware Config
Extracted: cybergate 2.6
- Server: queda2122.no-ip.info:2000
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Boot
- install_file: pograma.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Targets
- Target: proposta.exe
- Size: 384KB
- MD5: d074091d9edf51897a78703f1b8d805b
- SHA1: 2b94b4640535bc82b716d944b8ad7523d3aad881
- SHA256: 068e361a53531b237dedb8b414c0a2378f5b3df69e21049905ad478c15682751
- SHA512: 9aaae3fd962268d2378f7ed417e51254d476d402d9f1967a81fb023444fb9ed28cf7b01687dcfffb556530abe21b36eb2e643e5e485034b4353614c70db7994f
- SSDEEP: 6144:lh51ovHGDL/3TM8kI/NSbY5t1fqTEJIQUp9tPjwIja3m6Lh3Tf10rlKkhCXn:lD0HGDL/3ZkI18At1uZ9xwXZhzWrw
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext