General

  • Target

    ae8ef7d95830225eeb5281e1dcd998d5a20bc0f7d2637562d453c079162a7285

  • Size

    6.0MB

  • Sample

    221205-evhjlsec44

  • MD5

    7d56d6770cea41bce51a8a450fc5c4c0

  • SHA1

    28009333e89edc0d4435153eac5a5e4ffb92bee9

  • SHA256

    ae8ef7d95830225eeb5281e1dcd998d5a20bc0f7d2637562d453c079162a7285

  • SHA512

    34653efd10abd40bf83d3d1769f8a844204f35ef3e0a1af14d203c4d943ce7e790dec8eee07a682434cb119925630c7ceedbc975fa5c3dac201e11a03596ba74

  • SSDEEP

    49152:fU/Sjt/4FCdnG4PaF2rHrE1kGrebyz90CIFOxWA8uoWh1h:

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

Test 1

C2

87w.no-ip.info:81

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Adobe

  • install_file

    PDFViewer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    MSNMSGR

  • regkey_hklm

    MSNMSGR

Targets

    • Target

      ae8ef7d95830225eeb5281e1dcd998d5a20bc0f7d2637562d453c079162a7285

    • Size

      6.0MB

    • MD5

      7d56d6770cea41bce51a8a450fc5c4c0

    • SHA1

      28009333e89edc0d4435153eac5a5e4ffb92bee9

    • SHA256

      ae8ef7d95830225eeb5281e1dcd998d5a20bc0f7d2637562d453c079162a7285

    • SHA512

      34653efd10abd40bf83d3d1769f8a844204f35ef3e0a1af14d203c4d943ce7e790dec8eee07a682434cb119925630c7ceedbc975fa5c3dac201e11a03596ba74

    • SSDEEP

      49152:fU/Sjt/4FCdnG4PaF2rHrE1kGrebyz90CIFOxWA8uoWh1h:

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                             ID      Count
Execution           Scripting                             T1064   1
Persistence         Registry Run Keys / Startup Folder    T1060   3
Defense Evasion     Modify Registry                       T1112   3
Defense Evasion     Scripting                             T1064   1
Credential Access   Credentials in Files                  T1081   1
Discovery           Query Registry                        T1012   2
Discovery           System Information Discovery          T1082   3
Collection          Data from Local System                T1005   1

Tasks