General

  • Target

    b608f752c2ad5f0aa7f8cac73f95a9a4058f58798e7a72752cec3921d9b399b0

  • Size

    2.0MB

  • Sample

    230129-ljn1ksba6v

  • MD5

    881abef617e128f46bc14b7840348c8d

  • SHA1

    3c752e4ebcefb03be990ad28f3cb48552894b076

  • SHA256

    b608f752c2ad5f0aa7f8cac73f95a9a4058f58798e7a72752cec3921d9b399b0

  • SHA512

    f1f14ee84595a11498fcc425ebbdfd35acb47472271963c50483cb484da001a22190c8cd120c430a996fd27f4ba12d2af314a81a0edcd928264e9a28ad4abf58

  • SSDEEP

    49152:NQgKmgrOqfhzQlVy/28iPR4uywMwwxC+X23Q638wByp4nKj:qlm+zQlVDPR4uyrwwxs30cGKQ

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

rex32.no-ip.biz:100

Mutex

E28ORAW7VLA4Q2

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Targets

    • Target

      b608f752c2ad5f0aa7f8cac73f95a9a4058f58798e7a72752cec3921d9b399b0

    • Size

      2.0MB

    • MD5

      881abef617e128f46bc14b7840348c8d

    • SHA1

      3c752e4ebcefb03be990ad28f3cb48552894b076

    • SHA256

      b608f752c2ad5f0aa7f8cac73f95a9a4058f58798e7a72752cec3921d9b399b0

    • SHA512

      f1f14ee84595a11498fcc425ebbdfd35acb47472271963c50483cb484da001a22190c8cd120c430a996fd27f4ba12d2af314a81a0edcd928264e9a28ad4abf58

    • SSDEEP

      49152:NQgKmgrOqfhzQlVy/28iPR4uywMwwxC+X23Q638wByp4nKj:qlm+zQlVDPR4uyrwwxs30cGKQ

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks