General

Target: NEAS.26e8967c890e0b482a58dde5b4e44140.exe
Size: 456KB
Sample: 231013-ysqxrafc3s
MD5: 26e8967c890e0b482a58dde5b4e44140
SHA1: af34e2a6f14bc8234f5ffa70143521aebf5334cb
SHA256: 86fc3c38e6b366ffef622f7548eb6dd7ae820e78c3deffd5de285d14de47e4f8
SHA512: 112c1e9e526a999982099fccc7c5870ef6f05a36470142f29265cd6b0d38dcc5f85129fe08a770e76aa79afb7c02e0e4dd1bc6a57fbbb5c670454b01bd762866
SSDEEP: 6144:S8Bb1lv7X1g5sUM0MpCzxP8b3vNvdQ4KKEfWamjTY/0OC/1fwPDy/ZkvR:SkDVUMlwZ8LVva6E+aETYhS14u/4

Static task: static1
Behavioral task: behavioral1
Sample: NEAS.26e8967c890e0b482a58dde5b4e44140.exe
Resource: win7-20230831-en

Malware Config

Extracted
cybergate
v1.05.1
1111
autoescuela.hopto.org:1551
4GRCJDP3X2P8B4

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Boot
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 12345
regkey_hkcu: AdobeReader

Targets

Target: NEAS.26e8967c890e0b482a58dde5b4e44140.exe
Size: 456KB
MD5: 26e8967c890e0b482a58dde5b4e44140
SHA1: af34e2a6f14bc8234f5ffa70143521aebf5334cb
SHA256: 86fc3c38e6b366ffef622f7548eb6dd7ae820e78c3deffd5de285d14de47e4f8
SHA512: 112c1e9e526a999982099fccc7c5870ef6f05a36470142f29265cd6b0d38dcc5f85129fe08a770e76aa79afb7c02e0e4dd1bc6a57fbbb5c670454b01bd762866
SSDEEP: 6144:S8Bb1lv7X1g5sUM0MpCzxP8b3vNvdQ4KKEfWamjTY/0OC/1fwPDy/ZkvR:SkDVUMlwZ8LVva6E+aETYhS14u/4

Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
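The extracted configuration above gives concrete host and network indicators: the C2 host and port, the HKCU Run value name, the install file and directory, and the process chosen for injection (which lines up with the SetThreadContext signature). The script below is an added example, not part of the Triage report or of CyberGate itself; it turns those values into checks and runs them over constructed telemetry records. The record schema and field names (event, query, key, value, path, target, dport) are this example's own assumptions rather than any real agent's format, the 203.0.113.5 address is a documentation-range placeholder, and the dropped file is matched only on the Boot\svchost.exe path tail because the report names the System32 directory but not the full install path.

```python
"""Turn the extracted CyberGate config into host/network hunting checks.

Added example, not code from the sandbox report or from CyberGate.
Config values are copied from the report; the telemetry lines below are
constructed to exercise the checks, and the JSON field names are this
script's own convention (assumption), not a real EDR/Sysmon schema.
"""
import json

# Extracted config, values copied from the report above.
CYBERGATE_CONFIG = {
    "c2": "autoescuela.hopto.org:1551",
    "injected_process": "explorer.exe",
    "install_dir": "Boot",
    "install_file": "svchost.exe",
    "regkey_hkcu": "AdobeReader",
}


def indicators(cfg):
    """Derive normalised (lower-cased) indicators from the config."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "run_value": cfg["regkey_hkcu"].lower(),
        # Path tail only: the report says "System32 directory" but does not
        # spell out the full path, so do not assume more than Boot\svchost.exe.
        "install_tail": "\\" + (cfg["install_dir"] + "\\" + cfg["install_file"]).lower(),
        "inject_target": cfg["injected_process"].lower(),
    }


def check_event(ev, ioc):
    """Return the reasons this telemetry record matches the config ([] if none)."""
    hits = []
    kind = ev.get("event")
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") == ioc["c2_host"]:
        hits.append("DNS lookup of the configured C2 host")
    if kind == "connect" and ev.get("dport") == ioc["c2_port"]:
        # Port alone is a weak signal; pair it with the DNS hit in practice.
        hits.append("outbound connection to the configured C2 port (weak on its own)")
    if kind == "registry_set":
        key = ev.get("key", "").lower()
        if (key.startswith("hkcu\\") and key.endswith("\\currentversion\\run")
                and ev.get("value", "").lower() == ioc["run_value"]):
            hits.append("HKCU Run value named like regkey_hkcu")
    if kind == "file_create":
        # A genuine svchost.exe never lives in a Boot subdirectory.
        if ev.get("path", "").lower().endswith(ioc["install_tail"]):
            hits.append("install_file written under install_dir")
    if kind == "thread_context" and ev.get("target", "").lower() == ioc["inject_target"]:
        hits.append("SetThreadContext against injected_process")
    return hits


# Constructed telemetry (JSON lines), not captured from the sandbox run.
SAMPLE_TELEMETRY = r"""
{"event": "dns", "query": "autoescuela.hopto.org"}
{"event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "AdobeReader"}
{"event": "file_create", "path": "C:\\Windows\\System32\\Boot\\svchost.exe"}
{"event": "thread_context", "image": "svchost.exe", "target": "explorer.exe"}
{"event": "dns", "query": "update.microsoft.com"}
{"event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "OneDrive"}
{"event": "connect", "dst": "203.0.113.5", "dport": 1551}
"""


def scan(lines, cfg=CYBERGATE_CONFIG):
    """Run every record through the checks; return (line_no, reason) findings."""
    ioc = indicators(cfg)
    findings = []
    for n, line in enumerate(lines.splitlines(), 1):
        if not line.strip():
            continue
        for reason in check_event(json.loads(line), ioc):
            findings.append((n, reason))
    return findings


if __name__ == "__main__":
    for n, reason in scan(SAMPLE_TELEMETRY):
        print(f"line {n}: {reason}")
```

The checks are deliberately keyed to the config fields rather than to the file hashes: a rebuilt CyberGate stub with the same builder settings changes every hash but keeps the C2 host, Run value name and install path, so these are the indicators worth hunting across hosts.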