Overview

overview

10

Static

static

d37f2520ec...f5.exe

windows7-x64

10

d37f2520ec...f5.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    d37f2520ec34aa24d21f13c18e6704e4da95efa81de0644ac972e14e4c0a49f5

  • Size

    335KB

  • Sample

    221204-nc7v8adc24

  • MD5

    5055d76a1f8daaec0f5770776f7f6d8c

  • SHA1

    062956404966dae452b0315a7a418dfbfe4a94e1

  • SHA256

    d37f2520ec34aa24d21f13c18e6704e4da95efa81de0644ac972e14e4c0a49f5

  • SHA512

    4ff6ef1129c6c3dc96fcf67bcbfa84cbe3ddf187e7a3728f5b5145e4cba3a5ea3dd5b5d1ee08d60a056feea7df94649d1cc476149e0dd46de9db0999cf6d3267

  • SSDEEP

    6144:IlFN7UPLV3V8UOD9NN1CgaEOYz1S6YrOhpbZVYPkAnslD6HKiNmXvZl5mJqUhy:fT8UOD9NN1tkOiOhB0PT4+qdHUzhy

Score
10/10
cybergateremotepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

aloo2.no-ip.biz:1604

Mutex

35A7K8AFA1474W

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./bla/

  • ftp_interval

    30

  • ftp_password

    darkmoon

  • ftp_port

    21

  • ftp_server

    ftpperso.free.fr

  • ftp_username

    darkmoon2

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    branleur

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      d37f2520ec34aa24d21f13c18e6704e4da95efa81de0644ac972e14e4c0a49f5

    • Size

      335KB

    • MD5

      5055d76a1f8daaec0f5770776f7f6d8c

    • SHA1

      062956404966dae452b0315a7a418dfbfe4a94e1

    • SHA256

      d37f2520ec34aa24d21f13c18e6704e4da95efa81de0644ac972e14e4c0a49f5

    • SHA512

      4ff6ef1129c6c3dc96fcf67bcbfa84cbe3ddf187e7a3728f5b5145e4cba3a5ea3dd5b5d1ee08d60a056feea7df94649d1cc476149e0dd46de9db0999cf6d3267

    • SSDEEP

      6144:IlFN7UPLV3V8UOD9NN1CgaEOYz1S6YrOhpbZVYPkAnslD6HKiNmXvZl5mJqUhy:fT8UOD9NN1tkOiOhB0PT4+qdHUzhy

    Score
    10/10
    cybergateremotepersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks