General

  • Target: a0f0cb6565266020446bb4c9ca0f30c153a62c7c7a281000fec6aa1728dba960
  • Size: 780KB
  • Sample: 230129-pjfkzsgc31
  • MD5: 5ca450b4399e82759612fae32ac62ae8
  • SHA1: 2b273491eb335bf50e00f93172e7303ac3856a48
  • SHA256: a0f0cb6565266020446bb4c9ca0f30c153a62c7c7a281000fec6aa1728dba960
  • SHA512: b438ae73f75ac01a5eaa7313afa971658b5e78354ef9db0084209d912a5f4e4289c3e82e03b2432623a68eae7e7ca68dfc1cb4bb91fd6826d11bf525f8546866
  • SSDEEP: 12288:dEQ11fwzZoOc7WiK+ntXiPD/nqvm+NN9j/OGSA1ofeilKBrDMBXQNNlo:dEc9wnc9K6tXiPLRInsA6WGKap6

Malware Config

Extracted

Family: cybergate
Version: v1.07.5
Botnet: remote
C2: mediawindows.redirectme.net:81
Mutex: M8ES0T1E3RBJ60

Attributes
  • enable_keylogger: true
  • enable_message_box: false
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: install
  • install_file: server.exe
  • install_flag: false
  • keylogger_enable_ftp: false
  • message_box_caption: Remote Administration anywhere in the world.
  • message_box_title: CyberGate
  • password: cybergate

Targets

    • Target: a0f0cb6565266020446bb4c9ca0f30c153a62c7c7a281000fec6aa1728dba960
    • Size: 780KB
    • MD5: 5ca450b4399e82759612fae32ac62ae8
    • SHA1: 2b273491eb335bf50e00f93172e7303ac3856a48
    • SHA256: a0f0cb6565266020446bb4c9ca0f30c153a62c7c7a281000fec6aa1728dba960
    • SHA512: b438ae73f75ac01a5eaa7313afa971658b5e78354ef9db0084209d912a5f4e4289c3e82e03b2432623a68eae7e7ca68dfc1cb4bb91fd6826d11bf525f8546866
    • SSDEEP: 12288:dEQ11fwzZoOc7WiK+ntXiPD/nqvm+NN9j/OGSA1ofeilKBrDMBXQNNlo:dEc9wnc9K6tXiPLRInsA6WGKap6
    • CyberGate, Rebhip: CyberGate is a lightweight remote administration tool with a wide array of functionalities.
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • UPX packed file: Detects executables packed with UPX/modified UPX open source packer.
    • Uses the VBS compiler for execution
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks