General

  • Target

    38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

  • Size

    328KB

  • Sample

    221124-fzybasee4t

  • MD5

    de3c1b8ca015d37518796e5df25900b0

  • SHA1

    33f77379ce18355332806ba63137201c38794e3e

  • SHA256

    38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

  • SHA512

    c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

  • SSDEEP

    6144:5kh54k8aN4wAtZ6FMT5sbpKTtetxHEJzvjnJecyqlGXtWrqO5L1t:m5BlNbigM+bpWE3HWLJfynWpBD

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    Coder

  • C2

    assistitvonline24.ddns.net:1338

  • Mutex

    5408e94e23211dd

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Steaml

  • install_file

    juschedlll..exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Upgrade your windows

  • message_box_title

    Upgrade system

  • password

    123

  • regkey_hkcu

    HRV

  • regkey_hklm

    HCR

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 3

  • Defense Evasion

    Modify Registry (T1112): 3
