General

  • Target

    f2f49e3a823d52b275daaca457bc4bb5efb4dc0755c4bf26bdedad0c660baf79

  • Size

    3.7MB

  • Sample

    230129-wncs8ahg4x

  • MD5

    756f806fc3a122c401a1e0a0f91f01c9

  • SHA1

    4ae952bb680a195ef40ea71164dc4a4c0477c1e1

  • SHA256

    f2f49e3a823d52b275daaca457bc4bb5efb4dc0755c4bf26bdedad0c660baf79

  • SHA512

    fd24b83fba18f1937aae06600de1caf356eb0ef6dca703f8970c53276b07387d11b00f3e969c87b6fff943e3208ca433aea73c6733ea23ebc02802c9c44fab90

  • SSDEEP

    98304:TZmGgcZoDf6GKSmnbLzk7NlK36ayximOiNSBQ298oW8:Tngior6iyL2NA36xxiHiNSBj9Dp

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v3.4.2.2

  • Botnet

    remote

  • C2

    127.0.0.1:220

    cro35.ddns.net:220

  • Mutex

    X8CAG35L0B6112

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Driver

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    You need net framework to run this application

  • message_box_title

    Net framework error

  • password

    crocro35

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      f2f49e3a823d52b275daaca457bc4bb5efb4dc0755c4bf26bdedad0c660baf79

    • Size

      3.7MB

    • MD5

      756f806fc3a122c401a1e0a0f91f01c9

    • SHA1

      4ae952bb680a195ef40ea71164dc4a4c0477c1e1

    • SHA256

      f2f49e3a823d52b275daaca457bc4bb5efb4dc0755c4bf26bdedad0c660baf79

    • SHA512

      fd24b83fba18f1937aae06600de1caf356eb0ef6dca703f8970c53276b07387d11b00f3e969c87b6fff943e3208ca433aea73c6733ea23ebc02802c9c44fab90

    • SSDEEP

      98304:TZmGgcZoDf6GKSmnbLzk7NlK36ayximOiNSBQ298oW8:Tngior6iyL2NA36xxiHiNSBj9Dp

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6