General

  • Target

    973b3fe59d26d76c8be5493bab3a13079426b87470463e46bf563dc3745d9ebe

  • Size

    397KB

  • Sample

    230129-q4ygzahh85

  • MD5

    563eef82823877a384d1c1c45f4bd8c9

  • SHA1

    fc1456fc9f5ffd6123936da47354cf879a22ef58

  • SHA256

    973b3fe59d26d76c8be5493bab3a13079426b87470463e46bf563dc3745d9ebe

  • SHA512

    24592a617f7c53717558fcca803184b5e5ace11b6df1d40a418a2f5f6579b7dc6a521fdd2dbc2bd9f3164080e6134e2f4e0c56e050139a992383a934fc128389

  • SSDEEP

    6144:+SlNmf3/PdCmNNL6hCCMNVYLbRWMNCrlX2uPqQdY+R7u9ukz9Z9iDiSzga:+SlNmnocL6CUDCBXwQqjQokhT

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

alexalex.no-ip.info:1234

Mutex

YV0YG5N2077S80

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    win32

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Du bist toll :)!

  • message_box_title

    Hey :)

  • password

    alex

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      973b3fe59d26d76c8be5493bab3a13079426b87470463e46bf563dc3745d9ebe

    • Size

      397KB

    • MD5

      563eef82823877a384d1c1c45f4bd8c9

    • SHA1

      fc1456fc9f5ffd6123936da47354cf879a22ef58

    • SHA256

      973b3fe59d26d76c8be5493bab3a13079426b87470463e46bf563dc3745d9ebe

    • SHA512

      24592a617f7c53717558fcca803184b5e5ace11b6df1d40a418a2f5f6579b7dc6a521fdd2dbc2bd9f3164080e6134e2f4e0c56e050139a992383a934fc128389

    • SSDEEP

      6144:+SlNmf3/PdCmNNL6hCCMNVYLbRWMNCrlX2uPqQdY+R7u9ukz9Z9iDiSzga:+SlNmnocL6CUDCBXwQqjQokhT

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool (RAT) with a wide array of functions; the extracted config above (C2, mutex, install name, keylogger and message-box settings) is the CyberGate builder's configuration.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX; the config strings are only visible after unpacking or in a process dump.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
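The extracted config and the behavioural signatures above translate directly into host and network detections. The following Python is an added example, not code from the sandbox, from the report's author or from CyberGate itself: it applies checks for the masquerading svchost.exe, the Run and Policies\Explorer\Run persistence, the write access into explorer.exe that SetThreadContext-style hollowing needs, and the C2 lookup/connection to constructed Sysmon-style event records, and scans a constructed memory blob for the config strings. The install path C:\Windows\win32\svchost.exe, the registry value names, the parent image and every event record are assumptions for illustration; only the C2 hostname and port, mutex, install file name, injected process and message-box strings come from the config above.

```python
"""Detections derived from the CyberGate config and sandbox signatures above.

Added example, not Tria.ge or CyberGate code. Events are constructed dicts
whose field names follow Sysmon EventIDs 1, 3, 10, 13 and 22.
"""
import re
from typing import Dict, List

# Indicators copied from the extracted config on this page.
C2_HOST = "alexalex.no-ip.info"
C2_PORT = 1234
MUTEX = "YV0YG5N2077S80"
INSTALL_FILE = "svchost.exe"      # dropped copy, named after the real service host
INJECT_TARGET = "explorer.exe"    # process the sample injects into
CONFIG_STRINGS = [C2_HOST, MUTEX, "Du bist toll :)!", "Hey :)"]

# Only these directories hold a genuine svchost.exe on a 64-bit Windows install.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Ordinary Run key and the Policies\Explorer\Run key ("Adds policy Run key"),
# under HKLM or HKU, with or without Wow6432Node.
RUN_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\"
    r"(policies\\explorer\\)?run\\", re.I)

# PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the minimum for writing a payload
# into another process before redirecting a thread with SetThreadContext.
WRITE_ACCESS = 0x0008 | 0x0020


def is_fake_svchost(image: str) -> bool:
    """True when a path ends in svchost.exe but lies outside the system dirs."""
    directory, _, name = image.replace("/", "\\").lower().rpartition("\\")
    return name == INSTALL_FILE and directory not in LEGIT_SVCHOST_DIRS


def check_event(ev: Dict) -> List[str]:
    """Return findings for one Sysmon-style event (empty list if benign)."""
    eid = ev.get("EventID")
    hits: List[str] = []
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        if is_fake_svchost(ev.get("Details", "")):
            hits.append(f"persistence: {ev['TargetObject']} -> {ev['Details']}")
    elif eid == 1 and is_fake_svchost(ev.get("Image", "")):
        hits.append(f"dropped EXE executed: {ev['Image']} "
                    f"(parent {ev.get('ParentImage')})")
    elif eid == 10:
        target = ev.get("TargetImage", "").lower()
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if (target.endswith("\\" + INJECT_TARGET) and access & WRITE_ACCESS
                and is_fake_svchost(ev.get("SourceImage", ""))):
            hits.append(f"injection: {ev['SourceImage']} opened "
                        f"{ev['TargetImage']} with 0x{access:x}")
    elif eid == 22 and ev.get("QueryName", "").lower() == C2_HOST:
        hits.append(f"C2 DNS lookup: {ev['QueryName']}")
    elif eid == 3 and ev.get("DestinationHostname", "").lower() == C2_HOST:
        # Match on the hostname only; port 1234 alone is far too noisy.
        hits.append(f"C2 connection: {ev['DestinationHostname']}:"
                    f"{ev.get('DestinationPort')} (config port {C2_PORT})")
    return hits


def scan(events) -> List[str]:
    """Run check_event over a sequence of events and flatten the findings."""
    return [hit for ev in events for hit in check_event(ev)]


def find_config_strings(blob: bytes) -> List[str]:
    """Scan unpacked memory for the config strings, ANSI first then UTF-16LE.

    The file on disk is UPX-packed, so these only appear after unpacking or
    in a process dump.
    """
    found = []
    for s in CONFIG_STRINGS:
        for enc in ("latin-1", "utf-16-le"):
            if s.encode(enc) in blob:
                found.append(f"{s} [{enc}]")
                break
    return found


# Constructed events: the first six mirror the sandbox's signatures (paths and
# value names are assumed); the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\win32\svchost.exe",
     "ParentImage": r"C:\Users\user\Downloads\sample.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKLM",
     "Details": r"C:\Windows\win32\svchost.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "Details": r"C:\Windows\win32\svchost.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\win32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 22, "QueryName": "alexalex.no-ip.info"},
    {"EventID": 3, "DestinationHostname": "alexalex.no-ip.info", "DestinationPort": 1234},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    # Constructed "process dump": mutex as ANSI, C2 host as UTF-16LE.
    dump = b"\x00junk\x00YV0YG5N2077S80\x00" + C2_HOST.encode("utf-16-le") + b"\x00\x00"
    print(find_config_strings(dump))
```

The svchost.exe check deliberately keys on location rather than name alone, since the genuine binary is launched constantly by services.exe; the Run-key check likewise only fires when the value points at a masquerading copy, so routine autostart entries stay quiet.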
