General
-
Target
e3650602b298989b355590b3760d57635e92b498d0886d4d6f0c92cf5b866832
-
Size
2.6MB
-
Sample
230130-bafbzabg88
-
MD5
dd1da0c7325cba351137c748eb9273a2
-
SHA1
bca1cff9c21a25393b8b36bbcd69f8b60f691721
-
SHA256
e3650602b298989b355590b3760d57635e92b498d0886d4d6f0c92cf5b866832
-
SHA512
d38aa663992bd4da8efb7e8fef74866d87c9084cf702954747041a0479a0effa3efef7372f29e78cf897b21cee4f6d9de35e1600b761da15d34962d8175ab7b9
-
SSDEEP
49152:0Qcqpge8BrwsjL4Czy4b6Dj8Bz3GAw9tqSpV/6F7jR6SzpM0r:jWh3LBYn8J3GtjC1l6sf
Static task
static1
Behavioral task
behavioral1
Sample
e3650602b298989b355590b3760d57635e92b498d0886d4d6f0c92cf5b866832.exe
Resource
win7-20221111-en
Malware Config
Extracted
cybergate
v1.07.5
remote
fmsserver.dyndns.biz:81
fmsserver.dyndns.biz:999
fmsserver.dyndns.biz:1111
newnewnewdslnew.zapto.org:81
newnewnewdslnew.zapto.org:999
newnewnewdslnew.zapto.org:1111
newnewnewdslnew.zapto.org:80
127.0.0.1:81
K305AR06NSGF4W
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
winlogon.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
nonono
-
message_box_title
nonono
-
password
cybergate
Targets
-
-
Target
e3650602b298989b355590b3760d57635e92b498d0886d4d6f0c92cf5b866832
-
Size
2.6MB
-
MD5
dd1da0c7325cba351137c748eb9273a2
-
SHA1
bca1cff9c21a25393b8b36bbcd69f8b60f691721
-
SHA256
e3650602b298989b355590b3760d57635e92b498d0886d4d6f0c92cf5b866832
-
SHA512
d38aa663992bd4da8efb7e8fef74866d87c9084cf702954747041a0479a0effa3efef7372f29e78cf897b21cee4f6d9de35e1600b761da15d34962d8175ab7b9
-
SSDEEP
49152:0Qcqpge8BrwsjL4Czy4b6Dj8Bz3GAw9tqSpV/6F7jR6SzpM0r:jWh3LBYn8J3GtjC1l6sf
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-