General
Target: 35cb0ceef3f5542a5c6f3e0585eb07c0041df4b695ac92834b621c549a733bc4
Size: 524KB
Sample: 221126-kkrmesaa8y
MD5: 2d66d5b6dbd25544368cba771513e858
SHA1: d64a8d21cd36657168e818dc7eeedff52aa86976
SHA256: 35cb0ceef3f5542a5c6f3e0585eb07c0041df4b695ac92834b621c549a733bc4
SHA512: a34d13da811bec4df06f26405b4542488db4719bf83fb4f7bf2c37e6c8e7e0fc03427f0e92235eca2a7e6b1a43d04dd2c73d0e9c14f0f0ed363497e3e0a4504f
SSDEEP: 12288:PV15wLR2ts0EXSoGGMKpMG7cIdV6yY/lNRT2Khdt6LkokUkkkkUeGWlpkkkk6kkp:PH8Rg9StGGjyK1dVjY/lNRCUhLLp
Static task: static1
Behavioral task: behavioral1
Sample: 35cb0ceef3f5542a5c6f3e0585eb07c0041df4b695ac92834b621c549a733bc4.exe
Resource: win7-20220812-en
Malware Config
Extracted
cybergate
v3.4.2.2
RPC GTA
94.102.53.192:1616
56MM714CB7PJXN
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: false
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: cybergate
Targets
Target: 35cb0ceef3f5542a5c6f3e0585eb07c0041df4b695ac92834b621c549a733bc4
Size: 524KB
MD5: 2d66d5b6dbd25544368cba771513e858
SHA1: d64a8d21cd36657168e818dc7eeedff52aa86976
SHA256: 35cb0ceef3f5542a5c6f3e0585eb07c0041df4b695ac92834b621c549a733bc4
SHA512: a34d13da811bec4df06f26405b4542488db4719bf83fb4f7bf2c37e6c8e7e0fc03427f0e92235eca2a7e6b1a43d04dd2c73d0e9c14f0f0ed363497e3e0a4504f
SSDEEP: 12288:PV15wLR2ts0EXSoGGMKpMG7cIdV6yY/lNRT2Khdt6LkokUkkkkUeGWlpkkkk6kkp:PH8Rg9StGGjyK1dVjY/lNRCUhLLp
Modifies WinLogon for persistence
Executes dropped EXE
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Suspicious use of SetThreadContext