General
-
Target
3e4c52f880d3e6e2a764dc93b40ea34cd591c94c6d90d60aa991cb32023d95ed
-
Size
968KB
-
Sample
221125-cz6e5ahg7t
-
MD5
2f6c036677c948e2a9c9272450312f36
-
SHA1
9c6366cb63bf7f81cfdf5be8a52a5c65bde1236d
-
SHA256
3e4c52f880d3e6e2a764dc93b40ea34cd591c94c6d90d60aa991cb32023d95ed
-
SHA512
0e66858912726a2838843fc60f5a2c08d09a664036a577621947cee7051279089dd62b3bafd0065f268ea19a790c02a5fb587cef6caa3af7960edabb802297ac
-
SSDEEP
24576:StIeDsYWyebySixpypehoxMUMzaoRCq68GN0wgeXZR:S6eDjzghSaeCxMTtCn8QXZ
Behavioral task
behavioral1
Sample
3e4c52f880d3e6e2a764dc93b40ea34cd591c94c6d90d60aa991cb32023d95ed.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3e4c52f880d3e6e2a764dc93b40ea34cd591c94c6d90d60aa991cb32023d95ed.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
cybergate
2.6
E-mail Amigo
maxboy.no-ip.org:81
maxboy19.no-ip.org:200
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
explorer.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
tÃtulo da mensagem
-
password
1234567
-
regkey_hkcu
win32
-
regkey_hklm
win32
Targets
-
-
Target
3e4c52f880d3e6e2a764dc93b40ea34cd591c94c6d90d60aa991cb32023d95ed
-
Size
968KB
-
MD5
2f6c036677c948e2a9c9272450312f36
-
SHA1
9c6366cb63bf7f81cfdf5be8a52a5c65bde1236d
-
SHA256
3e4c52f880d3e6e2a764dc93b40ea34cd591c94c6d90d60aa991cb32023d95ed
-
SHA512
0e66858912726a2838843fc60f5a2c08d09a664036a577621947cee7051279089dd62b3bafd0065f268ea19a790c02a5fb587cef6caa3af7960edabb802297ac
-
SSDEEP
24576:StIeDsYWyebySixpypehoxMUMzaoRCq68GN0wgeXZR:S6eDjzghSaeCxMTtCn8QXZ
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-