General

  • Target

    2f6c4a6e7b254b041bad3be62401347772287d0cb60191c4f74f5df7b8e6be5f

  • Size

    680KB

  • Sample

    230129-rdccgsad32

  • MD5

    3bd76e5d6d448df24b5cb10dbbb0f7ee

  • SHA1

    e4469b2d031ca5d35e01961228982d8b93fe2df1

  • SHA256

    2f6c4a6e7b254b041bad3be62401347772287d0cb60191c4f74f5df7b8e6be5f

  • SHA512

    03a07ce886374cda9a52cb4d0948e5213cccf09941fa302725f852516c3783cb7132c4f0c6b4ba8d50bf37db57fb0c5a5874089c9b7769f1f5b8878b5262679c

  • SSDEEP

    12288:9Imcp15ArDWMp4saDlCEUHyIelBbMB3q/NOW3HWcnGrNAHGuPCn0MS4nJZ5x:hDWM6VC5yJw32NOOGrZrS4nJZ5x

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

remote

C2

fei-coder.zapto.org:1453

Mutex

253702R5568U57

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    scvhost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    Facebook Update

  • regkey_hklm

    Google Update

Targets

    • Target

      2f6c4a6e7b254b041bad3be62401347772287d0cb60191c4f74f5df7b8e6be5f

    • Size

      680KB

    • MD5

      3bd76e5d6d448df24b5cb10dbbb0f7ee

    • SHA1

      e4469b2d031ca5d35e01961228982d8b93fe2df1

    • SHA256

      2f6c4a6e7b254b041bad3be62401347772287d0cb60191c4f74f5df7b8e6be5f

    • SHA512

      03a07ce886374cda9a52cb4d0948e5213cccf09941fa302725f852516c3783cb7132c4f0c6b4ba8d50bf37db57fb0c5a5874089c9b7769f1f5b8878b5262679c

    • SSDEEP

      12288:9Imcp15ArDWMp4saDlCEUHyIelBbMB3q/NOW3HWcnGrNAHGuPCn0MS4nJZ5x:hDWM6VC5yJw32NOOGrZrS4nJZ5x

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks