General
-
Target
7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055
-
Size
4.4MB
-
Sample
221123-lwpgwafh2x
-
MD5
9ed07118ff23d177f3d98b12508c5612
-
SHA1
b156685cf48c8e153716fc637078f1c52a66114e
-
SHA256
7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055
-
SHA512
0267560c2f04e0344ed46771fde6a6d70a9d37c33c96779ad489e475395c2cce83da3981abd424e63a1746ba6333c58eb9915ff0081c0aac0e81e056798e8c57
-
SSDEEP
98304:4CjPKNckJS/qUXdaF3czuGtNf+LUy0Dx3HuSzO1edE/DcvKbKCSgUcTpBl4EDHh:4CbGlSiSaJ2ugEoD9OSEOWcEKdWpT7DB
Malware Config
Extracted
cybergate
v3.4.2.2
VPN4
joujounette974.ddns.net:8027
64M5FRUGH772A6
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
false
-
keylogger_enable_ftp
false
-
message_box_caption
HWID Generator is actually down. Please come back later.Sorry for inconvenience.
-
message_box_title
HWID Generator Error!!
-
password
123456
Targets
-
-
Target
7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055
-
Size
4.4MB
-
MD5
9ed07118ff23d177f3d98b12508c5612
-
SHA1
b156685cf48c8e153716fc637078f1c52a66114e
-
SHA256
7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055
-
SHA512
0267560c2f04e0344ed46771fde6a6d70a9d37c33c96779ad489e475395c2cce83da3981abd424e63a1746ba6333c58eb9915ff0081c0aac0e81e056798e8c57
-
SSDEEP
98304:4CjPKNckJS/qUXdaF3czuGtNf+LUy0Dx3HuSzO1edE/DcvKbKCSgUcTpBl4EDHh:4CbGlSiSaJ2ugEoD9OSEOWcEKdWpT7DB
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Modifies WinLogon for persistence
-
Adds policy Run key to start application
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-