General
Target: 74b282a44fb5ca94711babbdcd2a00eb31a59781659af5bde9b5faa94b118c8c
Size: 543KB
Sample: 221124-mcaeaaba8y
MD5: 84612233d33318568a3cccececa3f807
SHA1: 7f8bbe325854c7e760d02003ab555c7a25776683
SHA256: 74b282a44fb5ca94711babbdcd2a00eb31a59781659af5bde9b5faa94b118c8c
SHA512: 6b788021a45e0a1da5d3fa7e8e4c5a60b578bf0678ebb75f23591d162c7caf295532240e06765b948032f9d809564863d0d2712984e37d8a3832dbc3e0fe8560
SSDEEP: 12288:YSFT9HXzy4NgSOuqKL8IeRQzPer6SqAtLtjDEM61l8Yw:YSrV0uqKL8IFir6SLL9DJUl8

Static task: static1
Behavioral task: behavioral1
  Sample: 74b282a44fb5ca94711babbdcd2a00eb31a59781659af5bde9b5faa94b118c8c.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 74b282a44fb5ca94711babbdcd2a00eb31a59781659af5bde9b5faa94b118c8c.exe
  Resource: win10v2004-20221111-en
Malware Config
Extracted: cybergate
v1.18.0 - Trial version
Levieux100
C2: levieux.no-ip.biz:82
31GKW73W8BBJTV
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs
- ftp_interval: 5
- ftp_password: AZerty123
- ftp_port: 21
- ftp_server: ftp.membres.multimania.fr
- ftp_username: hosse211
- injected_process: explorer.exe
- install_dir: Winupdate
- install_file: svchost.exe
- install_flag: true
- keylogger_enable_ftp: true
- message_box_caption: Veuillez Reéxecuter en tant q' Administrateur (French: "Please re-run as Administrator")
- message_box_title: CyberGate
- password: azerty123
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Note that enable_keylogger and keylogger_enable_ftp are both true, so the ftp_* fields are the keylog upload target and its credentials, and the C2 is a dynamic-DNS hostname on a non-standard port (82). The dropped copy is named after a legitimate system binary (svchost.exe) but lives in a directory called Winupdate, which is the easiest thing to hunt for.
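The extracted configuration is only useful once it is turned into something a responder can match against telemetry. The following is an added example, not code from Triage or from the sample: it parses the config listing exactly as it is laid out on this page, derives the C2 host/port, the keylog exfil host/port and the dropped-file path suffix, and runs them over constructed DNS and process-creation log lines. The log lines, the hostnames WS01/sample.exe and the %AppData%\Roaming location of the Winupdate directory are constructed; the extra rule that flags any svchost.exe launched from outside System32/SysWOW64 is a generalisation the page does not state.

```python
"""Turn the extracted CyberGate config into a small IOC set and run it over
constructed DNS and process-creation log lines. Added example, not Triage's
or the sample's code; CONFIG_TEXT is the report's own key/value listing."""
import re

# Config fields as laid out on the page ("-" separator, key line, value line).
CONFIG_TEXT = """\
-
enable_keylogger
true
-
keylogger_enable_ftp
true
-
ftp_server
ftp.membres.multimania.fr
-
ftp_port
21
-
injected_process
explorer.exe
-
install_dir
Winupdate
-
install_file
svchost.exe
"""
C2 = "levieux.no-ip.biz:82"     # C2 line from the extracted config header


def parse_config(text):
    """Parse the flattened '-' / key / value listing into a dict."""
    lines = [ln.strip() for ln in text.splitlines()]
    cfg, i = {}, 0
    while i + 2 < len(lines):
        if lines[i] == "-":
            cfg[lines[i + 1]] = lines[i + 2]
            i += 3
        else:
            i += 1
    return cfg


def indicators(cfg, c2):
    """Host and network indicators a responder can hunt for."""
    host, port = c2.rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "exfil_host": cfg["ftp_server"].lower(),   # keylog upload target (keylogger_enable_ftp)
        "exfil_port": int(cfg["ftp_port"]),
        "dropped_suffix": (cfg["install_dir"] + "\\" + cfg["install_file"]).lower(),
        "injected_process": cfg["injected_process"].lower(),
    }


def scan_dns(lines, ioc):
    """Hostnames from 'qname=' fields that are the C2/exfil host or a subdomain."""
    watch = {ioc["c2_host"], ioc["exfil_host"]}
    hits = []
    for line in lines:
        m = re.search(r"qname=(\S+)", line)
        if not m:
            continue
        q = m.group(1).lower().rstrip(".")
        if any(q == w or q.endswith("." + w) for w in watch):
            hits.append(q)
    return hits


def scan_process(lines, ioc):
    """Images matching the dropped path, or the svchost.exe name used from
    outside the Windows system directories (generalisation, an assumption)."""
    hits = []
    for line in lines:
        m = re.search(r"image=(\S+)", line, re.I)
        if not m:
            continue
        image = m.group(1).lower()
        in_sysdir = image.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))
        if image.endswith("\\" + ioc["dropped_suffix"]) or (
                image.endswith("\\svchost.exe") and not in_sysdir):
            hits.append(image)
    return hits


# Constructed log lines (not from the report).
DNS_LOG = [
    "2022-11-24T10:01:03Z host=WS01 qname=levieux.no-ip.biz qtype=A",
    "2022-11-24T10:01:04Z host=WS01 qname=www.example.org qtype=A",
    "2022-11-24T10:06:07Z host=WS01 qname=ftp.membres.multimania.fr qtype=A",
]
PROC_LOG = [
    "2022-11-24T10:00:58Z host=WS01 event=ProcessCreate image=C:\\Windows\\System32\\svchost.exe parent=services.exe",
    "2022-11-24T10:01:01Z host=WS01 event=ProcessCreate image=C:\\Users\\bob\\AppData\\Roaming\\Winupdate\\svchost.exe parent=sample.exe",
]

if __name__ == "__main__":
    ioc = indicators(parse_config(CONFIG_TEXT), C2)
    print("DNS hits:", scan_dns(DNS_LOG, ioc))
    print("Process hits:", scan_process(PROC_LOG, ioc))
```

The DNS check also matches subdomains of the C2 and exfil hosts, because no-ip style names are often rotated under the same parent. The FTP port (21) and C2 port (82) are worth a firewall egress rule in their own right; the hostname match is the quicker win because the sample resolves the name before connecting.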
Targets
Target: 74b282a44fb5ca94711babbdcd2a00eb31a59781659af5bde9b5faa94b118c8c
Size: 543KB (MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section)
Score: 10/10
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
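Four of the signatures above (Winlogon, policy Run key, Installed Components, Run key) are registry writes, so a responder can sweep a host for them. The following is an added example, not code from Triage or from the sample: it runs those checks over a constructed registry snapshot shaped like what this config would leave behind. The Run value names HKCU and HKLM (taken from the regkey_hkcu/regkey_hklm fields), the %AppData%\Roaming\Winupdate\svchost.exe location and the Active Setup GUIDs are all assumptions; on a live host replace SNAPSHOT with winreg reads of the same keys.

```python
"""Sweep a registry snapshot for the persistence this report flags:
Winlogon Userinit/Shell tampering, Run and Policies\\Explorer\\Run entries,
and Active Setup Installed Components StubPaths. Added example, not code
from Triage or the sample; SNAPSHOT is constructed."""
import re

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
ACTIVE_SETUP = "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"

# Constructed snapshot {key: {value name: data}} shaped like what the config
# implies (assumed: install path under %AppData%, Run value names from
# regkey_hkcu/regkey_hklm, made-up Active Setup GUIDs, one benign vendor entry).
DROPPED = r"C:\Users\bob\AppData\Roaming\Winupdate\svchost.exe"
SNAPSHOT = {
    WINLOGON: {
        "Userinit": r"C:\Windows\system32\userinit.exe," + DROPPED + ",",
        "Shell": "explorer.exe",
    },
    RUN_KEYS[0]: {"HKCU": DROPPED},
    RUN_KEYS[1]: {"HKLM": DROPPED, "Agent": r'"C:\Program Files\Vendor\agent.exe" /tray'},
    RUN_KEYS[2]: {"Policies": DROPPED},
    ACTIVE_SETUP + "{00000000-1111-2222-3333-444444444444}": {
        "StubPath": r"C:\Windows\System32\ie4uinit.exe -UserConfig"},
    ACTIVE_SETUP + "{00000000-1111-2222-3333-555555555555}": {"StubPath": DROPPED},
}

USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}


def image_of(data):
    """Executable path from a registry command line ("..." quoted or bare)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.+?\.exe)", data, re.I)
    return m.group(1) if m else data


def suspicious_image(path):
    """Reason a launch path deserves review, or None."""
    p = path.lower()
    if "\\" not in p:
        return None          # bare name resolved via PATH; judged by the caller
    name = p.rsplit("\\", 1)[-1]
    if USER_WRITABLE.match(p):
        return "executes from a user-writable directory"
    if name in SYSTEM_NAMES and not p.startswith("c:\\windows\\"):
        return "system binary name outside C:\\Windows"
    return None


def check_persistence(snapshot):
    """Return (key, value name, data, reason) tuples for suspicious entries."""
    findings = []
    wl = snapshot.get(WINLOGON, {})
    # Userinit is a comma list; anything besides the real userinit.exe is a hit.
    for entry in wl.get("Userinit", "").split(","):
        entry = entry.strip()
        if entry and entry.lower() != r"c:\windows\system32\userinit.exe":
            findings.append((WINLOGON, "Userinit", entry, "extra Userinit entry"))
    shell = wl.get("Shell", "explorer.exe").strip()
    if shell.lower() != "explorer.exe":
        findings.append((WINLOGON, "Shell", shell, "Shell replaced"))
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            why = suspicious_image(image_of(data))
            if why:
                findings.append((key, name, data, why))
    for key, values in snapshot.items():
        if key.startswith(ACTIVE_SETUP) and "StubPath" in values:
            why = suspicious_image(image_of(values["StubPath"]))
            if why:
                findings.append((key, "StubPath", values["StubPath"], why))
    return findings


if __name__ == "__main__":
    for key, name, data, why in check_persistence(SNAPSHOT):
        print(f"{why}: {key}\\{name} = {data}")
```

The "Checks computer location settings" behaviour is a read of the configured country code, so it leaves nothing in the registry to sweep for; it is only observable through API or ETW tracing, which is why the sandbox reports it and this sweep does not. Expect the user-writable heuristic to surface legitimate per-user installers too; the sweep is for triage, not automatic removal.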