General
Target: e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b
Size: 347KB
Sample: 221207-mc2hrsbd4s
MD5: 211195ac21eb346fa2daa526a7f6d292
SHA1: 1f448ad122f9d3ed3ae89eb0a7851c02bc6be004
SHA256: e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b
SHA512: c4dc5c2c3a41ee0821866924b3ce21191a63ab6163bcbed5dc60fb57acac3f38ac915d2e1617b76cb0c4b3b8209a37bb5a8c5dcbef1601a963489c6b37859bff
SSDEEP: 6144:ZFtTlXtdNCMHIwXFWXOd7YRqG2VSUhZBafR/8+scysK5G6sAebxZ1nW9YrTBsiBH:ZxX7NCA9XFWXP4G0SUhZBSRkmMvsfxZT
Static task: static1
Behavioral task: behavioral1
Sample: e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b.exe
Resource: win7-20221111-en
Malware Config
Extracted
Family: cybergate
Version: v1.07.5
Botnet: 123
C2: onski123.no-ip.biz:9876
Mutex: 3IN7F8CKT1P2EL
Attributes:
enable_keylogger: true
enable_message_box: false
ftp_directory: ./public_html/logs/
ftp_interval: 20
ftp_password: 6a8w73bdOO
ftp_port: 21
ftp_server: merch4gold.com
ftp_username: merch4go
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: false
keylogger_enable_ftp: true
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
Targets
Target: e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
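As an added example (not part of the sandbox report and not CyberGate code), the script below turns the report into something an analyst can act on: it streams a candidate file through MD5/SHA1/SHA256/SHA512 and compares the digests with the ones published above, and it pulls the network indicators out of the extracted config, treating the FTP server as an exfiltration endpoint only because keylogger_enable_ftp is true. The hash values and config fields are copied from the report; the dict layout, function names and the command-line usage are this example's own choices.

```python
"""Check a file against this report's hashes and list the network IOCs
from the extracted CyberGate config.

Added example, not part of the sandbox report. Hash values and config
fields are copied from the report above; everything else (dict layout,
function names, CLI usage) is an assumption of this example.
"""
import hashlib
import sys

# Hashes published in the report's General section.
REPORT_HASHES = {
    "md5": "211195ac21eb346fa2daa526a7f6d292",
    "sha1": "1f448ad122f9d3ed3ae89eb0a7851c02bc6be004",
    "sha256": "e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b",
    "sha512": "c4dc5c2c3a41ee0821866924b3ce21191a63ab6163bcbed5dc60fb57acac3f38"
              "ac915d2e1617b76cb0c4b3b8209a37bb5a8c5dcbef1601a963489c6b37859bff",
}

# Extracted CyberGate config, as a dict (values from the report; keys chosen here).
CYBERGATE_CONFIG = {
    "c2": "onski123.no-ip.biz:9876",
    "ftp_server": "merch4gold.com",
    "ftp_port": 21,
    "ftp_username": "merch4go",
    "ftp_directory": "./public_html/logs/",
    "enable_keylogger": True,
    "keylogger_enable_ftp": True,
    "injected_process": "explorer.exe",
    "install_file": "server.exe",
}


def hash_bytes(data: bytes) -> dict:
    """Return hex digests of data for every algorithm in REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashes without reading it into memory at once."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_report(digests: dict) -> dict:
    """Per-algorithm comparison with the report's hashes.

    All four agree for the exact sample; a rebuilt/repacked server with the
    same CyberGate config will miss on every one of them, so a miss does not
    clear the file, it only says it is not this byte-identical sample.
    """
    return {name: digests.get(name) == value for name, value in REPORT_HASHES.items()}


def network_iocs(config: dict) -> list:
    """Host/port pairs worth blocking or hunting for in proxy and DNS logs.

    The C2 endpoint is always included; the FTP server is included only when
    the config says keylogger output is uploaded over FTP.
    """
    host, _, port = config["c2"].rpartition(":")
    iocs = [("c2", host, int(port))]
    if config.get("keylogger_enable_ftp"):
        iocs.append(("ftp_exfil", config["ftp_server"], int(config["ftp_port"])))
    return iocs


if __name__ == "__main__":
    # Usage (hypothetical): python check_sample.py suspect.exe [more files...]
    for path in sys.argv[1:]:
        result = matches_report(hash_file(path))
        verdict = "MATCH" if all(result.values()) else "no match"
        print(f"{path}: {verdict} {result}")
    for kind, host, port in network_iocs(CYBERGATE_CONFIG):
        print(f"{kind}: {host}:{port}")
```

Note that the no-ip.biz hostname is a dynamic DNS name, so the resolved address at the time of this report is not a durable indicator; hunt on the hostname and the FTP server rather than on an IP.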