General

  • Target

    af83612cdf7f06a4954c82cd6dfb941332d731caf58b944850a94e9839d86341

  • Size

    283KB

  • Sample

    221204-hfs9caac3w

  • MD5

    a7202d29aa76f190df8e9fc7562408ea

  • SHA1

    7d8e11b7129153ada60a583b7eb62bc16b17e15c

  • SHA256

    af83612cdf7f06a4954c82cd6dfb941332d731caf58b944850a94e9839d86341

  • SHA512

    afd1ad3fc67a78c4f6c2a08788f6baeeb3043da2a725eb1e1d160f2e1e3552879d29ff6e7dda39d7e89eb818e8344bb2e4aef2babf25f6aecfafb2ba73ef4b84

  • SSDEEP

    6144:Ck4qmpQXyNbtSu4fJ3ekS/kYqknRkYmPMbeE4CX8/13Qc:99OBSumOUYLiP4q/13Qc

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    ÖÍíÉ

  • C2

    127.0.0.1:288

    yasr-q4.zapto.org:288

  • Mutex

    ***MUTEX2***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    spy-net

  • install_file

    Win_Xp.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Please try again later.

  • message_box_title

    Error

  • password

    abcd1234

Targets

    • Target

      af83612cdf7f06a4954c82cd6dfb941332d731caf58b944850a94e9839d86341

    • Size

      283KB

    • MD5

      a7202d29aa76f190df8e9fc7562408ea

    • SHA1

      7d8e11b7129153ada60a583b7eb62bc16b17e15c

    • SHA256

      af83612cdf7f06a4954c82cd6dfb941332d731caf58b944850a94e9839d86341

    • SHA512

      afd1ad3fc67a78c4f6c2a08788f6baeeb3043da2a725eb1e1d160f2e1e3552879d29ff6e7dda39d7e89eb818e8344bb2e4aef2babf25f6aecfafb2ba73ef4b84

    • SSDEEP

      6144:Ck4qmpQXyNbtSu4fJ3ekS/kYqknRkYmPMbeE4CX8/13Qc:99OBSumOUYLiP4q/13Qc

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks