General
- Target: 87bff59bbace0bb849b2c5283cbd83722da46db61119e5eec9274be644dc8c49
- Size: 3.0MB
- Sample: 221201-cf8fdahe6v
- MD5: 01b9803dd17e0f07980ac1802d4534e0
- SHA1: 9bd8103fa36d3c16acb3d1ad11e759853b94643b
- SHA256: 87bff59bbace0bb849b2c5283cbd83722da46db61119e5eec9274be644dc8c49
- SHA512: a965e61f69e71dd83450ec7d8c4e000fd5ddb3fd2ba52d20b7e5395b6cf8e3245e9349908148b75c187802f33e87928175fb98365ef793fa2b0f8b78956eff9d
- SSDEEP: 12288:Ud9twT6uXhgX4WA1komG7x3YvJSO5b8RfRF5yLzDmkysKDwcLLPu/caYkDybdee0:+9DqhdfRRnIg0o2pdwwbss1Tfz8jMtI
Static task
- static1
Behavioral task
- behavioral1
- Sample: 87bff59bbace0bb849b2c5283cbd83722da46db61119e5eec9274be644dc8c49.exe
- Resource: win7-20220901-en
Malware Config
Extracted
- cybergate
- v3.4.2.2
- Bot
- darkdns.no-ip.info:999
- 55A57Q3S651H5M
- enable_keylogger: false
- enable_message_box: false
- ftp_directory: ./logs
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Targets
- Target: 87bff59bbace0bb849b2c5283cbd83722da46db61119e5eec9274be644dc8c49
- Size: 3.0MB
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext