General

  • Target

    Trojan-Ransom.Win32.Blocker.eybs-2119094a9b8fc9a65269bdd5eeafe1dcb70709c3d25e3db73b06135aab23c4e3

  • Size

    975KB

  • Sample

    221106-yx65jacdgl

  • MD5

    1d0ae4c1d7162eb8bf5fe5512abeb2fd

  • SHA1

    63a47d8fb4567ba336ec6658294cc05b80282b40

  • SHA256

    2119094a9b8fc9a65269bdd5eeafe1dcb70709c3d25e3db73b06135aab23c4e3

  • SHA512

    a7030a755f3d45632fb62d648eb0955fb5383038a988b80632d90531aa125d7e242926c474fa0d1bfb2fc16d774d9a8786b0ac1fea5dd4c968a9992d28034c6f

  • SSDEEP

    24576:e/sm07vwHjGSyq00LVqBzOMLiiFJj2xeFtQEbG:e/KvwHKSyq00LVqM/xyttG

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

noipviada

C2

microsftcuzona.serveminecraft.net:25565

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Dir

  • install_file

    explorar.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Esse Hack é Pago , Segue a Lista de Preços... R$ 0,00 - Teste R$ 1,50 - 1 Semana R$ 5,90 - 1 Mês R$ 15,50 - Permanente Para comprar , adicione-me no skype: .......................... J-Pex ( aaJetPex )

  • message_box_title

    Hack VIP é Pago

  • password

    123

  • regkey_hkcu

    (Padrão)

  • regkey_hklm

    Windows

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • UAC bypass

    • Windows security bypass

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6