General

  • Target

    e3650602b298989b355590b3760d57635e92b498d0886d4d6f0c92cf5b866832

  • Size

    2.6MB

  • Sample

    230130-bafbzabg88

  • MD5

    dd1da0c7325cba351137c748eb9273a2

  • SHA1

    bca1cff9c21a25393b8b36bbcd69f8b60f691721

  • SHA256

    e3650602b298989b355590b3760d57635e92b498d0886d4d6f0c92cf5b866832

  • SHA512

    d38aa663992bd4da8efb7e8fef74866d87c9084cf702954747041a0479a0effa3efef7372f29e78cf897b21cee4f6d9de35e1600b761da15d34962d8175ab7b9

  • SSDEEP

    49152:0Qcqpge8BrwsjL4Czy4b6Dj8Bz3GAw9tqSpV/6F7jR6SzpM0r:jWh3LBYn8J3GtjC1l6sf

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

fmsserver.dyndns.biz:81

fmsserver.dyndns.biz:999

fmsserver.dyndns.biz:1111

newnewnewdslnew.zapto.org:81

newnewnewdslnew.zapto.org:999

newnewnewdslnew.zapto.org:1111

newnewnewdslnew.zapto.org:80

127.0.0.1:81

Mutex

K305AR06NSGF4W

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    winlogon.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    nonono

  • message_box_title

    nonono

  • password

    cybergate
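The configuration above is enough to build both network and host checks. The following Python is an added example written for this page, not output of the sandbox and not code from the CyberGate project: it parses the extracted C2 list (dropping the 127.0.0.1:81 entry, which is a loopback placeholder rather than a reachable indicator), matches constructed DNS and connection log lines against it, and flags a winlogon.exe whose image is not the real System32 binary or that sits under the configured install\winlogon.exe relative path. The log lines, the log formats, the process records and the AppData parent directory in them are constructed for the demonstration; the config gives install_dir only as the relative name install.

```python
"""Checks derived from the CyberGate config extracted above.
Added example for this page (not sandbox output or CyberGate code). The log
lines and process records are constructed; the indicators are from the config."""
import re

# C2 list exactly as extracted. The loopback entry is a builder default or
# placeholder, not a reachable C2, and must not become a network indicator.
RAW_C2 = [
    "fmsserver.dyndns.biz:81",
    "fmsserver.dyndns.biz:999",
    "fmsserver.dyndns.biz:1111",
    "newnewnewdslnew.zapto.org:81",
    "newnewnewdslnew.zapto.org:999",
    "newnewnewdslnew.zapto.org:1111",
    "newnewnewdslnew.zapto.org:80",
    "127.0.0.1:81",
]
INSTALL_RELPATH = r"install\winlogon.exe"  # install_dir + install_file (relative in the config)
MUTEX = "K305AR06NSGF4W"                    # host IOC; check with a handle-enumeration tool


def parse_c2(entries):
    """Map host -> set(ports), skipping loopback/unspecified hosts."""
    c2 = {}
    for entry in entries:
        host, _, port = entry.rpartition(":")
        if host in ("127.0.0.1", "0.0.0.0", "localhost") or not port.isdigit():
            continue
        c2.setdefault(host.lower(), set()).add(int(port))
    return c2


C2 = parse_c2(RAW_C2)

# Assumed (constructed) log formats: one DNS answer per line, one TCP flow per line.
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query A (?P<qname>\S+) -> (?P<answer>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+) TCP$")

SAMPLE_DNS = [  # constructed
    "2023-01-30T12:00:01Z 10.0.0.5 query A fmsserver.dyndns.biz -> 203.0.113.10",
    "2023-01-30T12:00:03Z 10.0.0.5 query A www.example.com -> 192.0.2.44",
    "2023-01-30T12:00:05Z 10.0.0.7 query A newnewnewdslnew.zapto.org -> 198.51.100.7",
]
SAMPLE_CONN = [  # constructed
    "2023-01-30T12:00:02Z 10.0.0.5 -> 203.0.113.10:999 TCP",  # resolved C2 host, configured port
    "2023-01-30T12:00:04Z 10.0.0.5 -> 192.0.2.44:443 TCP",    # benign
    "2023-01-30T12:00:06Z 10.0.0.7 -> 198.51.100.7:80 TCP",   # resolved C2 host, configured port 80
    "2023-01-30T12:00:07Z 10.0.0.9 -> 203.0.113.10:22 TCP",   # C2 address, but port not in the config
]


def match_network(dns_lines, conn_lines):
    """Report lookups of C2 hosts and flows to the address a lookup returned,
    on a port the config lists for that host. Both C2 names are dynamic DNS,
    so the host->IP mapping is learned from the DNS log, never hard-coded."""
    hits, resolved = [], {}
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if qname in C2:
            resolved[m["answer"]] = qname
            hits.append(("dns", m["src"], qname))
    for line in conn_lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        host = resolved.get(m["dst"])
        if host and int(m["dport"]) in C2[host]:
            hits.append(("c2-conn", m["src"], f"{host}:{m['dport']}"))
    return hits


SAMPLE_PROCS = [  # constructed (image name, full path); the AppData parent is assumed
    ("winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("winlogon.exe", r"C:\Users\victim\AppData\Roaming\install\winlogon.exe"),
]


def flag_processes(procs, system_root=r"C:\Windows"):
    """Flag any winlogon.exe that is not the System32 binary, and any image
    under the configured install\\winlogon.exe relative path."""
    legit = (system_root + r"\System32\winlogon.exe").lower()
    flagged = []
    for name, path in procs:
        p = path.lower()
        if name.lower() == "winlogon.exe" and p != legit:
            flagged.append(path)
        elif p.endswith("\\" + INSTALL_RELPATH.lower()):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for hit in match_network(SAMPLE_DNS, SAMPLE_CONN):
        print(*hit)
    print("suspicious winlogon.exe:", flag_processes(SAMPLE_PROCS))
```

A connection to a listed port with no preceding lookup of a C2 name from the same network is not reported, which keeps port 80 traffic from generating noise; the flow to 203.0.113.10:22 above is ignored for the same reason. Adapt the two regexes to your sensor's actual output before running this over real logs.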

Targets

    • Target

      e3650602b298989b355590b3760d57635e92b498d0886d4d6f0c92cf5b866832

    • Size

      2.6MB

    • MD5

      dd1da0c7325cba351137c748eb9273a2

    • SHA1

      bca1cff9c21a25393b8b36bbcd69f8b60f691721

    • SHA256

      e3650602b298989b355590b3760d57635e92b498d0886d4d6f0c92cf5b866832

    • SHA512

      d38aa663992bd4da8efb7e8fef74866d87c9084cf702954747041a0479a0effa3efef7372f29e78cf897b21cee4f6d9de35e1600b761da15d34962d8175ab7b9

    • SSDEEP

      49152:0Qcqpge8BrwsjL4Czy4b6Dj8Bz3GAw9tqSpV/6F7jR6SzpM0r:jWh3LBYn8J3GtjC1l6sf

    • CyberGate, Rebhip

      CyberGate (detected by some vendors as Rebhip) is a remote access trojan with a wide array of surveillance and remote-control functionalities; the configuration extracted above (keylogger enabled, injection into explorer.exe, installation as winlogon.exe) reflects that.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
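The "UPX packed file" signature above covers both stock UPX and modified builds. The following Python is an added example for this page, not sandbox code, showing the three indicators a triage script would look at when confirming that signature on a file: UPX section names, the "UPX!" marker string, and per-section entropy, which survives the renaming that modified packers do. The PE images it runs on are constructed header-only stubs with filler data standing in for compressed code, since the sample itself is not on this page.

```python
"""UPX indicators for a PE image, operationalizing the 'UPX packed file' signature.
Added example for this page, not sandbox code. The PE images below are constructed
header-only stubs so the check runs offline; the sample itself is not included."""
import hashlib
import math
import struct


def section_headers(pe):
    """Yield (name, raw_offset, raw_size) for each section of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(nsections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_off = struct.unpack_from("<II", pe, off + 16)
        yield name, raw_off, raw_size


def shannon_entropy(data):
    """Bits per byte; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(pe):
    """Stock UPX leaves UPX0/UPX1 section names and a 'UPX!' marker. Modified
    builds rename both, so section entropy is reported as well: a section above
    7.0 bits/byte is compressed or encrypted, whatever it is called."""
    secs = list(section_headers(pe))
    return {
        "upx_section_names": any(n.upper().startswith("UPX") for n, _, _ in secs),
        "upx_marker": b"UPX!" in pe,
        "high_entropy_sections": [
            n for n, off, size in secs if size and shannon_entropy(pe[off:off + size]) > 7.0
        ],
    }


def build_stub_pe(sections):
    """Constructed PE32 stub: DOS/PE/COFF headers, zeroed optional header,
    section table and raw section data. sections: list of (name, bytes)."""
    opt_size = 0xE0
    raw_off = (0x40 + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-aligned
    pe = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))          # e_lfanew = 0x40
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    pe += b"\0" * opt_size
    body = bytearray()
    for name, data in sections:
        pe += name.encode().ljust(8, b"\0")
        pe += struct.pack("<IIII", len(data), 0x1000, len(data), raw_off + len(body))
        pe += b"\0" * 16  # relocation/line-number fields and characteristics, unused here
        body += data
    pe += b"\0" * (raw_off - len(pe))
    return bytes(pe + body)


# Deterministic high-entropy filler standing in for compressed code (constructed).
COMPRESSED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED_STUB = build_stub_pe([("UPX0", b""), ("UPX1", b"UPX!" + COMPRESSED)])
RENAMED_STUB = build_stub_pe([(".text", COMPRESSED), (".rsrc", b"\0" * 512)])
PLAIN_STUB = build_stub_pe([(".text", b"\x55\x8b\xec\x5d\xc3" * 400)])

if __name__ == "__main__":
    for label, stub in (("packed", PACKED_STUB), ("renamed", RENAMED_STUB), ("plain", PLAIN_STUB)):
        print(label, upx_indicators(stub))
```

Run it against a real file with upx_indicators(open(path, "rb").read()). The 7.0 bits/byte threshold is a convention, not a UPX property: a .rsrc section holding compressed images can exceed it in a clean binary, so treat a high-entropy section with no UPX names or marker as a prompt to unpack and rescan rather than a verdict.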

MITRE ATT&CK Enterprise v6

Tasks