General
- Target: f2f49e3a823d52b275daaca457bc4bb5efb4dc0755c4bf26bdedad0c660baf79
- Size: 3.7MB
- Sample: 230129-wncs8ahg4x
- MD5: 756f806fc3a122c401a1e0a0f91f01c9
- SHA1: 4ae952bb680a195ef40ea71164dc4a4c0477c1e1
- SHA256: f2f49e3a823d52b275daaca457bc4bb5efb4dc0755c4bf26bdedad0c660baf79
- SHA512: fd24b83fba18f1937aae06600de1caf356eb0ef6dca703f8970c53276b07387d11b00f3e969c87b6fff943e3208ca433aea73c6733ea23ebc02802c9c44fab90
- SSDEEP: 98304:TZmGgcZoDf6GKSmnbLzk7NlK36ayximOiNSBQ298oW8:Tngior6iyL2NA36xxiHiNSBj9Dp
- Static task: static1
- Behavioral task: behavioral1
- Sample: f2f49e3a823d52b275daaca457bc4bb5efb4dc0755c4bf26bdedad0c660baf79.exe
- Resource: win7-20221111-en
Malware Config
Extracted: cybergate v3.4.2.2
- remote: 127.0.0.1:220, cro35.ddns.net:220
- X8CAG35L0B6112
- enable_keylogger: true
- enable_message_box: true
- ftp_directory: ./logs
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Driver
- install_file: svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: You need net framework to run this application
- message_box_title: Net framework error
- password: crocro35
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Targets
- Target: f2f49e3a823d52b275daaca457bc4bb5efb4dc0755c4bf26bdedad0c660baf79
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext