General

  • Target

    b2e05949125c84e9d2a2c69c92978cebc6ba7309f768557997bfd17f136e5014

  • Size

    332KB

  • Sample

    230129-lzxbwsbg9x

  • MD5

    c200517b139a9cf1c906e162ee8fc44e

  • SHA1

    fc408595d087ff5346e213f4a7b1d154550e0a4f

  • SHA256

    b2e05949125c84e9d2a2c69c92978cebc6ba7309f768557997bfd17f136e5014

  • SHA512

    df0bcc1d1876cbfa974d5cbe0defb3169e3b08f5cad4a2773f153df4885a4d66e683ac511ea3674bd38f7c68d661e4ccfdc5000c1eabdb3b6e181e54db4ecb16

  • SSDEEP

    6144:iMJqHcH75CDS4LbC1H4xcBCu8zRENUJbRS+X6tEEFauFfv5eT:il0QI8u8VENUDSW6tvfv5eT

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

C2

madoxx.no-ip.biz:1002

Mutex

68OI7C1I82S4XV

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Targets

    • Target

      b2e05949125c84e9d2a2c69c92978cebc6ba7309f768557997bfd17f136e5014

    • Size

      332KB

    • MD5

      c200517b139a9cf1c906e162ee8fc44e

    • SHA1

      fc408595d087ff5346e213f4a7b1d154550e0a4f

    • SHA256

      b2e05949125c84e9d2a2c69c92978cebc6ba7309f768557997bfd17f136e5014

    • SHA512

      df0bcc1d1876cbfa974d5cbe0defb3169e3b08f5cad4a2773f153df4885a4d66e683ac511ea3674bd38f7c68d661e4ccfdc5000c1eabdb3b6e181e54db4ecb16

    • SSDEEP

      6144:iMJqHcH75CDS4LbC1H4xcBCu8zRENUJbRS+X6tEEFauFfv5eT:il0QI8u8VENUDSW6tvfv5eT

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks