Overview

overview

10

Static

static

c14c4d862b...14.exe

windows7-x64

10

c14c4d862b...14.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c14c4d862b1c7655f85ce22b326efceb2c58b76d412a5c050fd8f478c25f3c14

  • Size

    340KB

  • Sample

    221203-wfrbmsfd8z

  • MD5

    91ec37177c7f42bb011137b82f1ec795

  • SHA1

    881117d3751f1c05cead9d13c702bcb16a3a0df0

  • SHA256

    c14c4d862b1c7655f85ce22b326efceb2c58b76d412a5c050fd8f478c25f3c14

  • SHA512

    f5c3ed8a667f0e76401d105ec4464d9ce7054258c9c396aba5b2fd4a6f3fe498cdb42ab8a7315d2ad50acff6d9f76c619cdc05ae58fd21a90501ab35af4d162a

  • SSDEEP

    6144:MYp9cIMnhkMDhHk4qm2mfQgKV/a2hgHs+yf3hBTaeHEtmwBsQszE61vNKtQ3:/HD8hkMDW9EfQnV/a2Egf3P9HE8wBPVO

Score
10/10
cybergatevictimapersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

victima

C2

gamer9090.no-ip.org:81

gamer9090.no-ip.org:80

gamer9090.no-ip.org:2000

gamer9090.no-ip.org:4000
Mutex

Error

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • ftp_password

    bolivar

  • ftp_port

    21

  • ftp_server

    legionao.clanteam.com

  • ftp_username

    legionao_clanteam

  • injected_process

    explorer.exe

  • install_dir

    svchost

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    bolivar

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      c14c4d862b1c7655f85ce22b326efceb2c58b76d412a5c050fd8f478c25f3c14

    • Size

      340KB

    • MD5

      91ec37177c7f42bb011137b82f1ec795

    • SHA1

      881117d3751f1c05cead9d13c702bcb16a3a0df0

    • SHA256

      c14c4d862b1c7655f85ce22b326efceb2c58b76d412a5c050fd8f478c25f3c14

    • SHA512

      f5c3ed8a667f0e76401d105ec4464d9ce7054258c9c396aba5b2fd4a6f3fe498cdb42ab8a7315d2ad50acff6d9f76c619cdc05ae58fd21a90501ab35af4d162a

    • SSDEEP

      6144:MYp9cIMnhkMDhHk4qm2mfQgKV/a2hgHs+yf3hBTaeHEtmwBsQszE61vNKtQ3:/HD8hkMDW9EfQnV/a2Egf3P9HE8wBPVO

    Score
    10/10
    cybergatevictimapersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks