General
-
Target
4745f41abd722950f7b2e3c0fd30aace
-
Size
370KB
-
Sample
231226-a34plaggf8
-
MD5
4745f41abd722950f7b2e3c0fd30aace
-
SHA1
16a8f7a82ed344d107d14f0c3014c5f4cf00dd54
-
SHA256
e81eeb1814c5b94e1d83a907dfcf36bf813607e0875f3a62a084e259b1318db1
-
SHA512
b354e6fb2a20d94f35fe635d909167cdeac1ba9356dd1fc4f53b13d371e5db99451d6eef1be4ad64f2c0989f821fadc2352efa0d4dd652523cf3c39388449a99
-
SSDEEP
6144:bUo/7RXFWecXkJXv510tkiqIV/X/HnN8DyX33K+mOSwjLMJ8DDRQ/+Lhh49NjBaJ:4w1FN4k/10tr9yyX33K+mO9HystL0aJ
Malware Config
Extracted
cybergate
v1.07.5
Victime
pedrologue.no-ip.org:81
5K1FQ4L182DDX0
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
windir
-
install_file
svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Le bot Dofus n'est pas compatible avec votre Ordinateur actuel. Merci d'essayer de relancer le bot sur un nouvel ordinateur
-
message_box_title
INCOMPATIBLE
-
password
123456
-
regkey_hkcu
svchost.exe
-
regkey_hklm
svchost.exe
Targets
-
-
Target
TS3HackToken.exe
-
Size
405KB
-
MD5
6d5ccb56c9aa12c579d0f20fe1c9163a
-
SHA1
0fa7b41bf999f6d2e6b4caf6f1b2cf00acb7720d
-
SHA256
937c41971fded46ea59c6d248eca33fb494204541a6e5983f0f21b6bcd435710
-
SHA512
986abf3629c917890cc0ca232d5e287f55f497486e79db0d6fbd369afd443d883e4f5c5febaf3d6bb239e44300e407455734420b78a8a248a93bebd55ea9d365
-
SSDEEP
12288:KVUBLwLg2RgfLkz1qtrVyUX33w+mO9Hystr0py:KVUBf4ZKJ3w3y
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-