General

  • Target

    Trojan-Ransom.Win32.Blocker.eluf-e2961ba28a3cc3f00c6c747911fbefc4801967436b0446f43c9f1eecbc7a1084

  • Size

    305KB

  • Sample

    221106-x9bnqahbb2

  • MD5

    f448d257058e9f1eb44ae300dffafd24

  • SHA1

    e7ab910aa9793b8598000fe4cdb2a4043aeeaad7

  • SHA256

    e2961ba28a3cc3f00c6c747911fbefc4801967436b0446f43c9f1eecbc7a1084

  • SHA512

    89b025ffa22592e32f4e28b9753f1e5437629c81b41e4739bda7bc9db99b88fac201d95cc565edf7ff8e541722ebf6f685aa19dfc84eb13f9079b2a86553b34c

  • SSDEEP

    6144:gNuN0ov+YgUywIG6DXUL3QPZ42YOLSY3Dz02F84vYvGhVhjyloRf5HrC3u01S8:gNufvZzywR6TU6ZSOL1Dzf1vYQWlyhLM

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    Server

  • C2

    queda2122.no-ip.info:2000

  • Mutex

    ***SHOW***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Boot

  • install_file

    pograma.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      proposta.exe

    • Size

      384KB

    • MD5

      d074091d9edf51897a78703f1b8d805b

    • SHA1

      2b94b4640535bc82b716d944b8ad7523d3aad881

    • SHA256

      068e361a53531b237dedb8b414c0a2378f5b3df69e21049905ad478c15682751

    • SHA512

      9aaae3fd962268d2378f7ed417e51254d476d402d9f1967a81fb023444fb9ed28cf7b01687dcfffb556530abe21b36eb2e643e5e485034b4353614c70db7994f

    • SSDEEP

      6144:lh51ovHGDL/3TM8kI/NSbY5t1fqTEJIQUp9tPjwIja3m6Lh3Tf10rlKkhCXn:lD0HGDL/3ZkI18At1uZ9xwXZhzWrw

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
