General
-
Target
cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956
-
Size
392KB
-
Sample
221205-l1py7sch9x
-
MD5
d44a2bcb5498914f8a2a8da9971682f7
-
SHA1
09e3c6a21c416e62b7f358d1f7139a6eb160f4a9
-
SHA256
cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956
-
SHA512
40386642aa3d6c3b151c2f418d7ea1fc2898a193e81207cb9f5d9460a39009e157455b9327e2c77368587359e47c211296fa7260a9bbbad38c43ca01545e9dd2
-
SSDEEP
6144:Gjg7qM+iSMmPzytxn4NJRgZH84HYdaiVexBXybVoBEZhZaJxId0MG62:7FUyvqRgZH844dbex9ybOQZa3562
Static task
static1
Behavioral task
behavioral1
Sample
cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956.exe
Resource
win7-20220901-en
Malware Config
Extracted
cybergate
2.6
Victime
by-brunix.no-ip.org:81
brunix-by.no-ip.biz:81
192.168.1.10:81
jajaja...
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Win32
-
install_file
notepad.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_title
Titre = #464545 Message
-
password
123
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956
-
Size
392KB
-
MD5
d44a2bcb5498914f8a2a8da9971682f7
-
SHA1
09e3c6a21c416e62b7f358d1f7139a6eb160f4a9
-
SHA256
cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956
-
SHA512
40386642aa3d6c3b151c2f418d7ea1fc2898a193e81207cb9f5d9460a39009e157455b9327e2c77368587359e47c211296fa7260a9bbbad38c43ca01545e9dd2
-
SSDEEP
6144:Gjg7qM+iSMmPzytxn4NJRgZH84HYdaiVexBXybVoBEZhZaJxId0MG62:7FUyvqRgZH844dbex9ybOQZa3562
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-