General
- Target: c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb
- Size: 401KB
- Sample: 230130-dzjf2afd88
- MD5: b019df9dd9e96b7e32b668b100a21efa
- SHA1: 0514ccfc1dcb91eba65c5de3a12641d0e0d4a6eb
- SHA256: c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb
- SHA512: 14ffd5425c6fdb37dbc379f44155c482f13ef9df8d0ea9b1803ae498b43e0cf0398b383de41b47aba489cc0619987fb2263fa501488a40ccd3fb78eddb4ec80f
- SSDEEP: 12288:YVthCrStUVt2159HbedfFdXUcksKeA3WeGVGO:YVtErSKVoj9qtEcRK3GGO
Static task: static1
Behavioral task: behavioral1
Sample: c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb.exe
Resource: win7-20221111-en
Malware Config
Extracted
cybergate
v1.02.1
Lammer
127.0.0.1:81
Pluguin
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Microsoft
- install_file: Pluguin.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
- message_box_title: LAMMER
- password: 123
- regkey_hkcu: Avirnt
- regkey_hklm: Avgnt
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
- Target: c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb
  - Size: 401KB
  - MD5: b019df9dd9e96b7e32b668b100a21efa
  - SHA1: 0514ccfc1dcb91eba65c5de3a12641d0e0d4a6eb
  - SHA256: c1f6c82a94a7efdbffd6130192256ab64a9caf8d9cb0613edc46f3eaf2a7cadb
  - SHA512: 14ffd5425c6fdb37dbc379f44155c482f13ef9df8d0ea9b1803ae498b43e0cf0398b383de41b47aba489cc0619987fb2263fa501488a40ccd3fb78eddb4ec80f
  - SSDEEP: 12288:YVthCrStUVt2159HbedfFdXUcksKeA3WeGVGO:YVtErSKVoj9qtEcRK3GGO
  - Modifies firewall policy service
  - Executes dropped EXE
  - Checks computer location settings: Looks up country code configured in the registry, likely geofence.
  - Deletes itself
  - Loads dropped DLL
  - Adds Run key to start application