General

  • Target

    9a628265c2dd41cbf8e666d6aa84dd62146edf03e103bd2561cbdbf324b1577a

  • Size

    436KB

  • Sample

    221206-mcl33scb2s

  • MD5

    b4665c03226556d126ee33dbb9e73c88

  • SHA1

    a36abb1dd23f3a696cee27b7ffd3babedfdb0fce

  • SHA256

    9a628265c2dd41cbf8e666d6aa84dd62146edf03e103bd2561cbdbf324b1577a

  • SHA512

    da9992f796d6bc6eff9ec8f2f43cbaffa2ea1dfb98cf8afea25388502250078257878232659f3d771f41c78b484e1239394ad83603e50f377031b131a7de9f40

  • SSDEEP

    12288:KnHLkcsECEvOAEZzB2tDBZtQYdIhJ9tazfpYIxe:kHLkcUEvP+63tQYdMXwzhxe

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

hiddenspy.no-ip.biz:288

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
