General

  • Target

    c3ea96e56df3112f27c711e90fc770b12e3586e2d91d295b90441e62291506f1

  • Size

    650KB

  • Sample

    221204-hxxm4abe9t

  • MD5

    0fb32a643952a687bbaf7ab13f29abda

  • SHA1

    7afd8e39e967ca86261d85269c0a96a12183e9e1

  • SHA256

    c3ea96e56df3112f27c711e90fc770b12e3586e2d91d295b90441e62291506f1

  • SHA512

    3041eebbed86b7d12439aa3b7b58487d3d8fbb1ec1eee7dacb0c1e5a2edb3b26557c95febf51de31fdf9fbd7dce194e8807f0619f16f9aefc617f1bff58e7630

  • SSDEEP

    12288:YHLUMuiv9RgfSjAzRtyQpNemrMqcWzYXO8lU/rpq:itARXPe5einU/rpq

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

SPY

C2

compartilhar.no-ip.org:1338

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Arquivo Corrompido !!

  • message_box_title

    Erro dll

  • password

    invasor

Targets

    • Target

      c3ea96e56df3112f27c711e90fc770b12e3586e2d91d295b90441e62291506f1

    • Size

      650KB

    • MD5

      0fb32a643952a687bbaf7ab13f29abda

    • SHA1

      7afd8e39e967ca86261d85269c0a96a12183e9e1

    • SHA256

      c3ea96e56df3112f27c711e90fc770b12e3586e2d91d295b90441e62291506f1

    • SHA512

      3041eebbed86b7d12439aa3b7b58487d3d8fbb1ec1eee7dacb0c1e5a2edb3b26557c95febf51de31fdf9fbd7dce194e8807f0619f16f9aefc617f1bff58e7630

    • SSDEEP

      12288:YHLUMuiv9RgfSjAzRtyQpNemrMqcWzYXO8lU/rpq:itARXPe5einU/rpq

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks