General
-
Target
a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
-
Size
340KB
-
Sample
221205-mjzmraah97
-
MD5
4d37950dd556f098d14a099869d35ad4
-
SHA1
f530628df64f620967a0960c687b10bf18579c94
-
SHA256
a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
-
SHA512
f0cae45d1a318b0299a6e893f471792862d5faa8bd27635cb743a89e9a3fd1d362d50a5f213ce6c528c342530a0cb593221b74783451c270828f1ff0500a2814
-
SSDEEP
6144:NJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtHv:2CAIn0eth0Bpi60uKd6N
Static task
static1
Behavioral task
behavioral1
Sample
a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653.exe
Resource
win7-20220812-en
Malware Config
Extracted
cybergate
v1.07.5
remote
ir0kz.zapto.org:1213
0G7MT5Q26I65Q0
-
enable_keylogger
false
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
wincfg
-
install_file
newudp.exe
-
install_flag
false
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
cybergate
Targets
-
Target
a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
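The signatures above (Run key and policy Run key persistence, executing a dropped EXE, the registry country-code lookup, self-deletion, SetThreadContext) can be re-derived from a sandbox trace and tied back to the extracted config (C2 `ir0kz.zapto.org:1213`, install dir `wincfg`, install file `newudp.exe`, injection target `explorer.exe`). The script below is an added example, not part of this report or of any sandbox's own code. The event tuple format, the sample trace, the file paths and registry value names are constructed for illustration; the `Control Panel\International\Geo\Nation` key behind the location check and the CreateProcess(CREATE_SUSPENDED) / WriteProcessMemory / SetThreadContext / ResumeThread chain behind the hollowing signature are assumptions about how such signatures are typically triggered.

```python
import re
from collections import defaultdict

# Values copied from the "Extracted" config above.
CYBERGATE_CFG = {
    "remote": "ir0kz.zapto.org:1213",
    "injected_process": "explorer.exe",
    "install_dir": "wincfg",
    "install_file": "newudp.exe",
}

# Constructed sandbox-style trace (pid, event_type, detail); assumed format,
# not the report's own data. Paths and registry value names are illustrative.
SAMPLE_PATH = r"C:\Users\victim\Desktop\sample.exe"
SAMPLE_TRACE = [
    (1000, "file_write", r"C:\Users\victim\AppData\Roaming\wincfg\newudp.exe"),
    (1000, "process_create", r"C:\Users\victim\AppData\Roaming\wincfg\newudp.exe"),
    (1000, "reg_read", r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"),
    (1000, "reg_write", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\newudp"),
    (1000, "reg_write", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\newudp"),
    (1000, "api", r"CreateProcessW(C:\Windows\explorer.exe, CREATE_SUSPENDED)"),
    (1000, "api", "WriteProcessMemory(explorer.exe)"),
    (1000, "api", "SetThreadContext(explorer.exe)"),
    (1000, "api", "ResumeThread(explorer.exe)"),
    (1000, "net_connect", "ir0kz.zapto.org:1213"),
    (1000, "file_delete", SAMPLE_PATH),
]

# The ordinary Run key and the Policies\Explorer\Run key, which the report
# flags separately ("Adds Run key" vs "Adds policy Run key").
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Policies\\Explorer\\)?Run\\", re.I)
# Assumed registry location behind "Checks computer location settings".
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Assumed process-hollowing chain behind "Suspicious use of SetThreadContext".
HOLLOW_SEQUENCE = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def hollowing_chain(api_calls, target):
    """True if the hollowing sequence occurs in order against `target`, with
    the CreateProcess call made CREATE_SUSPENDED. A bare SetThreadContext on
    an already-running process is not flagged."""
    step = 0
    for call in api_calls:
        if target.lower() not in call.lower():
            continue
        if not call.startswith(HOLLOW_SEQUENCE[step]):
            continue
        if step == 0 and "CREATE_SUSPENDED" not in call:
            continue
        step += 1
        if step == len(HOLLOW_SEQUENCE):
            return True
    return False


def detect(trace, cfg, sample_path):
    """Map trace events to the report's signatures, keyed on the config.
    Returns {signature_name: [evidence, ...]}."""
    hits = defaultdict(list)
    dropped, api_calls = set(), []
    for _pid, kind, detail in trace:
        low = detail.lower()
        if kind == "file_write" and low.endswith(".exe"):
            dropped.add(low)
            if cfg["install_dir"] in low and low.endswith(cfg["install_file"]):
                hits["install_path_matches_config"].append(detail)
        elif kind == "process_create" and low in dropped:
            hits["executes_dropped_exe"].append(detail)
        elif kind == "reg_write":
            m = RUN_KEY_RE.search(detail)
            if m:
                hits["adds_policy_run_key" if m.group(1) else "adds_run_key"].append(detail)
        elif kind == "reg_read" and GEO_RE.search(detail):
            hits["checks_location_settings"].append(detail)
        elif kind == "api":
            api_calls.append(detail)
        elif kind == "net_connect" and low == cfg["remote"].lower():
            hits["c2_matches_config"].append(detail)
        elif kind == "file_delete" and low == sample_path.lower():
            hits["deletes_itself"].append(detail)
    if hollowing_chain(api_calls, cfg["injected_process"]):
        hits["suspicious_setthreadcontext_hollowing"].append(cfg["injected_process"])
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in detect(SAMPLE_TRACE, CYBERGATE_CFG, SAMPLE_PATH).items():
        print(f"{name}: {evidence}")
```

The hollowing check deliberately requires the suspended CreateProcess before SetThreadContext: debuggers and some legitimate loaders call SetThreadContext on live threads, so the ordered chain against the configured `injected_process` is what makes the signature worth acting on. The `zapto.org` host is a dynamic-DNS name, so block on the name rather than on whatever IP it resolved to in the sandbox run.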