General

  • Target

    ab4fd5313e3fac585c04d0a6735724fac0824bb6a06efc8bb6b1b9aa1a6948b3

  • Size

    277KB

  • Sample

    221202-3efxvaea73

  • MD5

    53bd7b9ee969bced0bb4b0f62fd0772e

  • SHA1

    a7cb2cb9efa73c4873b7a8f6bb1479b2783a6667

  • SHA256

    ab4fd5313e3fac585c04d0a6735724fac0824bb6a06efc8bb6b1b9aa1a6948b3

  • SHA512

    87d5df224b81fac0b323af9012c4716d1dd795dad1afc0c413a4af181b497b35205ff67f7d3113bb2bc35129c6fbcc2f42605595ccb4148acad4c6b5b1b18f3f

  • SSDEEP

    6144:ak4qmsI+RGqjMsKslxSwQvu49myE8KjhFE2kuT0Vfo5J2N//YL5A4v:F9DndlYwQvu49mgODkzUJ2N//o3

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

chiheb

C2

hack-bifrost.no-ip.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    chiheb

Targets

    • Target

      ab4fd5313e3fac585c04d0a6735724fac0824bb6a06efc8bb6b1b9aa1a6948b3

    • Size

      277KB

    • MD5

      53bd7b9ee969bced0bb4b0f62fd0772e

    • SHA1

      a7cb2cb9efa73c4873b7a8f6bb1479b2783a6667

    • SHA256

      ab4fd5313e3fac585c04d0a6735724fac0824bb6a06efc8bb6b1b9aa1a6948b3

    • SHA512

      87d5df224b81fac0b323af9012c4716d1dd795dad1afc0c413a4af181b497b35205ff67f7d3113bb2bc35129c6fbcc2f42605595ccb4148acad4c6b5b1b18f3f

    • SSDEEP

      6144:ak4qmsI+RGqjMsKslxSwQvu49myE8KjhFE2kuT0Vfo5J2N//YL5A4v:F9DndlYwQvu49mgODkzUJ2N//o3

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL
