General
-
Target
287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59
-
Size
2.0MB
-
Sample
221205-2eyxzsdd22
-
MD5
0ce92ed77c07532a818e8604c582fcec
-
SHA1
eb0932f99b64a6cca7e1cd96c989ee14810b5dae
-
SHA256
287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59
-
SHA512
dba5affc0b225c2f1068da92ab516f38cc6daf2132134471fd732b08d563c0fb8cfb9607c374d98146af3a0b9f2521aa53e7a6ae95e6e885f114f8a80cb2ab67
-
SSDEEP
49152:l/DduN3sJM79Gg+DhRg9Wu/O0xFJog2wz:lrduNes8tY9Wu/fxTo2
Malware Config
Extracted
cybergate
v1.07.5
remote
spraslhivai.no-ip.info:12345
683LG4WHIT0W6R
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
1
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59
-
Size
2.0MB
-
MD5
0ce92ed77c07532a818e8604c582fcec
-
SHA1
eb0932f99b64a6cca7e1cd96c989ee14810b5dae
-
SHA256
287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59
-
SHA512
dba5affc0b225c2f1068da92ab516f38cc6daf2132134471fd732b08d563c0fb8cfb9607c374d98146af3a0b9f2521aa53e7a6ae95e6e885f114f8a80cb2ab67
-
SSDEEP
49152:l/DduN3sJM79Gg+DhRg9Wu/O0xFJog2wz:lrduNes8tY9Wu/fxTo2
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-