General

  • Target

    b7fd818d47f4b0a992419e336bc6ab4c18e33bcb9a5fcc3118da666d9d709921

  • Size

    320KB

  • Sample

    221201-le22msec27

  • MD5

    4840cde567cad9a96f93e6eabf1ce9ea

  • SHA1

    13eeed36b31cbd2c0700a1a3e35b73707ef8b5e9

  • SHA256

    b7fd818d47f4b0a992419e336bc6ab4c18e33bcb9a5fcc3118da666d9d709921

  • SHA512

    dc5d69e1eadcef4ebc864da060946d0864dcbace24e14fc81c2f702aad5e3bf11e6415888ef771f3040037345a6162972983cc7091ca6d8c223f449126b964e1

  • SSDEEP

    6144:UFo/OrzcE/RsF2mMVsEhpN0REFxCfQvcBe0/f7KXXVe5:goWr7yKhi2Fxau0/f7KHS

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Infectado

C2

probandoo.no-ip.org:2000

Mutex

cabezadefideo123x122

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Win32

  • install_file

    notepad.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext
