General
-
Target
8c1e88ce29486f67d04842be50bc85dc82ccf28d4dffa65d8ec503bc407ddba4
-
Size
2.7MB
-
Sample
221128-gqmzmsfb31
-
MD5
2abb16d2aa6b2145338783401d389991
-
SHA1
7a3ce73a23fa4ffedcf1f729b7e9cb2db982ffb6
-
SHA256
8c1e88ce29486f67d04842be50bc85dc82ccf28d4dffa65d8ec503bc407ddba4
-
SHA512
e73f1635050d59edae8c76c79939788b98d723970eaf22fd646016dbcc56927ea829a772833b5513ce76c3d00c560715e7225bbcb45ff0274406fa613698e950
-
SSDEEP
49152:876bsYVnbZNYRLJ1wgnuOGgznf2bi1QP37Fs8pUeg:
Static task
static1
Behavioral task
behavioral1
Sample
8c1e88ce29486f67d04842be50bc85dc82ccf28d4dffa65d8ec503bc407ddba4.exe
Resource
win7-20220901-en
Malware Config
Extracted
pony
http://eroticbox.net/Ponx/gate.php
Extracted
cybergate
2.6
NISAN
eroticbox.no-ip.biz:83
***MUTEX***3
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
System.exe
-
install_dir
ctfmon
-
install_file
ctfmon.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
tÃtulo da mensagem
-
password
123456
-
regkey_hkcu
java
-
regkey_hklm
update
Targets
-
-
Target
8c1e88ce29486f67d04842be50bc85dc82ccf28d4dffa65d8ec503bc407ddba4
-
Size
2.7MB
-
MD5
2abb16d2aa6b2145338783401d389991
-
SHA1
7a3ce73a23fa4ffedcf1f729b7e9cb2db982ffb6
-
SHA256
8c1e88ce29486f67d04842be50bc85dc82ccf28d4dffa65d8ec503bc407ddba4
-
SHA512
e73f1635050d59edae8c76c79939788b98d723970eaf22fd646016dbcc56927ea829a772833b5513ce76c3d00c560715e7225bbcb45ff0274406fa613698e950
-
SSDEEP
49152:876bsYVnbZNYRLJ1wgnuOGgznf2bi1QP37Fs8pUeg:
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Adds policy Run key to start application
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-