General
-
Target
8c1e88ce29486f67d04842be50bc85dc82ccf28d4dffa65d8ec503bc407ddba4
-
Size
2.7MB
-
Sample
221128-gqmzmsfb31
-
MD5
2abb16d2aa6b2145338783401d389991
-
SHA1
7a3ce73a23fa4ffedcf1f729b7e9cb2db982ffb6
-
SHA256
8c1e88ce29486f67d04842be50bc85dc82ccf28d4dffa65d8ec503bc407ddba4
-
SHA512
e73f1635050d59edae8c76c79939788b98d723970eaf22fd646016dbcc56927ea829a772833b5513ce76c3d00c560715e7225bbcb45ff0274406fa613698e950
-
SSDEEP
49152:876bsYVnbZNYRLJ1wgnuOGgznf2bi1QP37Fs8pUeg:
Malware Config
Extracted
pony
http://eroticbox.net/Ponx/gate.php
Extracted
cybergate
2.6
NISAN
eroticbox.no-ip.biz:83
***MUTEX***3
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
System.exe
-
install_dir
ctfmon
-
install_file
ctfmon.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
tÃtulo da mensagem
-
password
123456
-
regkey_hkcu
java
-
regkey_hklm
update
Targets
-
-
Target
8c1e88ce29486f67d04842be50bc85dc82ccf28d4dffa65d8ec503bc407ddba4
-
Size
2.7MB
-
MD5
2abb16d2aa6b2145338783401d389991
-
SHA1
7a3ce73a23fa4ffedcf1f729b7e9cb2db982ffb6
-
SHA256
8c1e88ce29486f67d04842be50bc85dc82ccf28d4dffa65d8ec503bc407ddba4
-
SHA512
e73f1635050d59edae8c76c79939788b98d723970eaf22fd646016dbcc56927ea829a772833b5513ce76c3d00c560715e7225bbcb45ff0274406fa613698e950
-
SSDEEP
49152:876bsYVnbZNYRLJ1wgnuOGgznf2bi1QP37Fs8pUeg:
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
UAC bypass
-
Windows security bypass
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Adds policy Run key to start application
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-