General

Target: b66194e6db05c9da65c1f7f8192c6fd612552d6b23e0a7b447747d5a73f1a74d
Size: 425KB
Sample: 221201-xn12gsah84
MD5: 6dc58bf183cf1894f5e150a66f09abc8
SHA1: 744280af53860c73425c73c17e7b3c6e90e517c5
SHA256: b66194e6db05c9da65c1f7f8192c6fd612552d6b23e0a7b447747d5a73f1a74d
SHA512: fde7c22d213c3f039ecb44a833ef768fa69568038a1350de8c04038989b6effd7a2f5ba992b3ea6211aa5e9a353a8989abf914fef46a350c3e7dae0af7745da4
SSDEEP: 12288:E1dlZo5yLyl6sdKjj8ZdaSIoSbOr4y0FdsJGfrzU:E1dlZo5wsdKjjI0SIoK+IaYnU
Static task
static1

Behavioral task
behavioral1
Sample: b66194e6db05c9da65c1f7f8192c6fd612552d6b23e0a7b447747d5a73f1a74d.exe
Resource: win7-20220812-en

Behavioral task
behavioral2
Sample: b66194e6db05c9da65c1f7f8192c6fd612552d6b23e0a7b447747d5a73f1a74d.exe
Resource: win10v2004-20220812-en
Malware Config

Extracted
cybergate
2.6
youtube
v0idhack.no-ip.biz:2000
service

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: service
install_file: service.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: STOP: c000021 a (Error grave del sistema) El proceso del sistema Windows Logon Process termino inesperadamente con un estado 0xc0000135 (0x0000000) Se cerrara el proceso.
message_box_title: Stop c000021a (Error grave del sistema)
password: bruno0907
regkey_hkcu: services
regkey_hklm: service
Targets

Target: b66194e6db05c9da65c1f7f8192c6fd612552d6b23e0a7b447747d5a73f1a74d
Size: 425KB
MD5: 6dc58bf183cf1894f5e150a66f09abc8
SHA1: 744280af53860c73425c73c17e7b3c6e90e517c5
SHA256: b66194e6db05c9da65c1f7f8192c6fd612552d6b23e0a7b447747d5a73f1a74d
SHA512: fde7c22d213c3f039ecb44a833ef768fa69568038a1350de8c04038989b6effd7a2f5ba992b3ea6211aa5e9a353a8989abf914fef46a350c3e7dae0af7745da4
SSDEEP: 12288:E1dlZo5yLyl6sdKjj8ZdaSIoSbOr4y0FdsJGfrzU:E1dlZo5wsdKjjI0SIoK+IaYnU

Signatures

Adds policy Run key to start application
Executes dropped EXE
Modifies Installed Components in the registry
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory
Suspicious use of SetThreadContext