cybergate | e5a90df5f02f5db4bc5fd8e32624e53431f4ee6b59f12ce8abe8a7494dcb72b4

General

Target

e5a90df5f02f5db4bc5fd8e32624e53431f4ee6b59f12ce8abe8a7494dcb72b4
Size

328KB
Sample

221123-vz4kmsdd7x
MD5

3d612822da4a0b947a7415769776fb38
SHA1

ef6254615e3e647df90f6a8e88d2d09578cdaabf
SHA256

e5a90df5f02f5db4bc5fd8e32624e53431f4ee6b59f12ce8abe8a7494dcb72b4
SHA512

8d838497ca6fed7e2e15ee0beb5697d115501b646e3949d880afdfda38c57fb52bae329c9736a3f12297f03d9678d3eb412d070bcb747977b96810138a99af1e
SSDEEP

6144:jJcD660Rj65JGmrpQsK3RD2u270jupCJsCxC7QxP:NcD66ADZ2zkPaCxp

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Skyppe

C2

dunhill123.no-ip.biz:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
password
0555224011
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  e5a90df5f02f5db4bc5fd8e32624e53431f4ee6b59f12ce8abe8a7494dcb72b4
- Size
  
  328KB
- MD5
  
  3d612822da4a0b947a7415769776fb38
- SHA1
  
  ef6254615e3e647df90f6a8e88d2d09578cdaabf
- SHA256
  
  e5a90df5f02f5db4bc5fd8e32624e53431f4ee6b59f12ce8abe8a7494dcb72b4
- SHA512
  
  8d838497ca6fed7e2e15ee0beb5697d115501b646e3949d880afdfda38c57fb52bae329c9736a3f12297f03d9678d3eb412d070bcb747977b96810138a99af1e
- SSDEEP
  
  6144:jJcD660Rj65JGmrpQsK3RD2u270jupCJsCxC7QxP:NcD66ADZ2zkPaCxp
Score

10^/10

persistence upx evasion
- Modifies firewall policy service
  evasion
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Modifies firewall policy service

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Adds Run key to start application

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2