General
- Target: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c
- Size: 341KB
- Sample: 221207-hvdgfaec36
- MD5: a491c799d482368deccdf8d9c47ac62d
- SHA1: 29c23737756a17bb386cffe9404336f24d4a4c8c
- SHA256: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c
- SHA512: f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc
- SSDEEP: 6144:pJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtHS:xDXXbQL31z7KFCoNrFGdOJa9f5eRS

Static task: static1

Behavioral task: behavioral1
- Sample: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
- Resource: win7-20220812-en

Malware Config
Extracted
cybergate
v1.07.5
- remote: ir0kz.zapto.org:1213
0G7MT5Q26I65Q0
- enable_keylogger: false
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: wincfg
- install_file: newudp.exe
- install_flag: false
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate

Targets
- Target: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c
- Size: 341KB
- MD5: a491c799d482368deccdf8d9c47ac62d
- SHA1: 29c23737756a17bb386cffe9404336f24d4a4c8c
- SHA256: f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c
- SHA512: f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc
- SSDEEP: 6144:pJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtHS:xDXXbQL31z7KFCoNrFGdOJa9f5eRS

- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext