General

  • Target: 1d04810ce81076e4ce8aa486c9fc8e0f
  • Size: 440KB
  • Sample: 231225-atcvhscgd4
  • MD5: 1d04810ce81076e4ce8aa486c9fc8e0f
  • SHA1: 1d1903b97dff422798f4a175fd0de38247bc4809
  • SHA256: f8c70a0ef93d08809afe39a33bd5c547502e300551839c78fc6299449e299395
  • SHA512: ae513d6d93eb65621df54344408b7129b30487b0725bc18ca2bf8374c7134fb571c2a1b03142a768efe63066204867dc1771f8c96dbc599c114df4c4915dac06
  • SSDEEP: 12288:/+/7zemHlkCfLEAegIUT2f1SFTCPn9D4ZJ+vz1:W/9lDb5TKQBMDUJ+L1

Malware Config

Extracted

  • Family: cybergate
  • Version: 2.6
  • Botnet: kabala
  • C2: kabala1324.dyndns.org:81
  • Mutex: ***MUTEX***

Attributes

  • enable_keylogger: true
  • enable_message_box: true
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: svchost
  • install_file: svchost.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: Net Frework 4.0
  • message_box_title: Windows
  • password: 1111
  • regkey_hkcu: HKCU
  • regkey_hklm: HKLM

Targets

    • Target: 1d04810ce81076e4ce8aa486c9fc8e0f
    • Size: 440KB
    • MD5: 1d04810ce81076e4ce8aa486c9fc8e0f
    • SHA1: 1d1903b97dff422798f4a175fd0de38247bc4809
    • SHA256: f8c70a0ef93d08809afe39a33bd5c547502e300551839c78fc6299449e299395
    • SHA512: ae513d6d93eb65621df54344408b7129b30487b0725bc18ca2bf8374c7134fb571c2a1b03142a768efe63066204867dc1771f8c96dbc599c114df4c4915dac06
    • SSDEEP: 12288:/+/7zemHlkCfLEAegIUT2f1SFTCPn9D4ZJ+vz1:W/9lDb5TKQBMDUJ+L1

    Signatures

    • CyberGate, Rebhip
      CyberGate is a lightweight remote administration tool with a wide array of functionalities.
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks