General

  • Target

    bb285b35aea99f1cb60363d6d77960279c21b0f24b4e23c1079e9ec16a359983

  • Size

    268KB

  • Sample

    230130-dkfrlagb5s

  • MD5

    81b05691ba387fdaa9bd013c71c79e5a

  • SHA1

    3b3bc5c0a0e34f228f50630d1ff288a0f7480e39

  • SHA256

    bb285b35aea99f1cb60363d6d77960279c21b0f24b4e23c1079e9ec16a359983

  • SHA512

    6c97c74548432ab07e029c321582bc334a49e7f7314c0c8f46e8584812a5cfcda10c48f1fb0e98559e4845eeb6552dfc5254e09242126cb8c14bf0ab1b52a87e

  • SSDEEP

    6144:GkLIF7pSCS/b7QVbDdOAEG8FJ8ECNVDq+RJGHv/Gz9S1I4a7nq:5LIF78/Xob8GauEeVP+89jn7q

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.03.0

  • Botnet

    remote

  • C2

    algoker2.no-ip.info:81
    5.2.66.234:81

  • Mutex

    8C324L7258ER5L

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    hack

  • install_file

    gaf-wr.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    You Are Hacked By Black_Hacker

  • message_box_title

    Hacked

  • password

    medo1995

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
