cybergate | 97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d

General

Target

97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d
Size

4.5MB
Sample

221125-phqpkabb9v
MD5

69198511f4cc27c6670f61757caa32e5
SHA1

8a8ad67be1c8e70a3674cff39ae9883e1cf8c6aa
SHA256

97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d
SHA512

353a91d6500da1221c3693d35ed35b919e8486ba96e09c87c121680ffba83f6aaea61ac2e13c4bf32faec68b433e54bb56a78d16977b93e2425c9bdea78f8947
SSDEEP

98304:ZdnVheNMO1AiE8fHmdgZYEMyHC/FZnwoP5zfgA8Zw4X++bPC:/Hg1o8fGdgeHnLKZZwYba

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

Bot

C2

chotilnw.no-ip.biz:83

Mutex

DC_MUTEX-YVG7SYP

Attributes

InstallPath
Microsoft\Microsoft\svchost.exe
gencode
hqGgcnPMuE8E
install
true
offline_keylogger
true
password
1100801319215a
persistence
true
reg_key
Windows Update

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

Bot

C2

chotilnw.no-ip.biz:81

Mutex

JMBJ1877RR46DI

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1100801319215a
regkey_hkcu
Windows Update
regkey_hklm
Windows Update

Targets

- Target
  
  97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d
- Size
  
  4.5MB
- MD5
  
  69198511f4cc27c6670f61757caa32e5
- SHA1
  
  8a8ad67be1c8e70a3674cff39ae9883e1cf8c6aa
- SHA256
  
  97318f25aaa9a0464d241bc2ecd45d5244926892296b8fa9a27b56f9092fa81d
- SHA512
  
  353a91d6500da1221c3693d35ed35b919e8486ba96e09c87c121680ffba83f6aaea61ac2e13c4bf32faec68b433e54bb56a78d16977b93e2425c9bdea78f8947
- SSDEEP
  
  98304:ZdnVheNMO1AiE8fHmdgZYEMyHC/FZnwoP5zfgA8Zw4X++bPC:/Hg1o8fGdgeHnLKZZwYba
Score

10^/10

cybergate darkcomet modiloader bot persistence rat stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2