General
Target: b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2
Size: 756KB
Sample: 221130-25rllagf31
MD5: 3fcd710621e35d3b44cfdf5526713409
SHA1: 9ae6828fe48e807f657d0bcec12bdc08bf127f91
SHA256: b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2
SHA512: 746be9048423dbd744516ee5b1a119b97e011397e580f673a12659eb17d10b6aff38124aa6529871de4e917f1ece7f088c225bce4d753722cc61de27fbd4de6d
SSDEEP: 12288:ptDKf5rbJVpa/ZPJ0qY55dvq2W2C2yoCyBCZM6OdXA3N544+DeuAKksdj2LpGZ8K:pgpayvj4HvjZCWK4+De4lZPFHG0KadHN
Static task: static1
Behavioral task: behavioral1
Sample: b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
Resource: win7-20220812-en
Malware Config
Extracted: cybergate
2.6
Victime
ownyou78.no-ip.org:1605
***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: 1234
Targets
Target: b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext