General
-
Target
b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8
-
Size
606KB
-
Sample
221206-cx2ddsgh98
-
MD5
6983b23403c4066b080525c06b93555d
-
SHA1
3d83c8f70967a68ea4e1fffcc8ed2bab7ed326a9
-
SHA256
b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8
-
SHA512
c11546545e805b9b292ce6186aadeb6123af5f08b8d2b3a1f04e0e3f26098227d8087ae67e90e1c317d3abd06b02c6523b03bb8457b46dc2a74ca901cab67bde
-
SSDEEP
12288:IzRCiwkF3ClNsh+Rpq5/R8CHvZ69P6OtWjvbbqyUvX6:ORsapEqZtPZ69P6O8jp
Static task
static1
Behavioral task
behavioral1
Sample
b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Resource
win7-20220812-en
Malware Config
Extracted
cybergate
v1.01.18
Hack
cerberus147.no-ip.biz:5454
CyberGate1
-
enable_keylogger
true
-
enable_message_box
true
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
Svchost.exe
-
install_dir
install
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Check Update
-
message_box_title
Error
-
password
aqwxszedcvfr
-
regkey_hkcu
Svchost
-
regkey_hklm
Rundll32
Targets
-
-
Target
b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8
-
Size
606KB
-
MD5
6983b23403c4066b080525c06b93555d
-
SHA1
3d83c8f70967a68ea4e1fffcc8ed2bab7ed326a9
-
SHA256
b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8
-
SHA512
c11546545e805b9b292ce6186aadeb6123af5f08b8d2b3a1f04e0e3f26098227d8087ae67e90e1c317d3abd06b02c6523b03bb8457b46dc2a74ca901cab67bde
-
SSDEEP
12288:IzRCiwkF3ClNsh+Rpq5/R8CHvZ69P6OtWjvbbqyUvX6:ORsapEqZtPZ69P6O8jp
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-