Overview

overview

10

Static

static

3

13384f7179...2d.exe

windows7-x64

10

13384f7179...2d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    13384f7179292b455c2d786ff594992d

  • Size

    399KB

  • Sample

    231230-j66g2aheem

  • MD5

    13384f7179292b455c2d786ff594992d

  • SHA1

    bb04f75828cb110ad4acd5faeffa925e298be607

  • SHA256

    6d46885121a426d22e3b7e06b5771dfc9b5b560593826379791f1129e3f28a1d

  • SHA512

    dc61f1b8e0126e06462d794d8fcd03167fd1bf148053095b7daa2e3b89ed6cb25c3ab459e985b066f274aec8bf71512e62baebfe8f9966c00b641d80bc8e37be

  • SSDEEP

    6144:X/RI/NigX+SZ1/9UN2FzNeJifYXEU4qh8WD/cPn5Ti5Rb0ktnF8gESj8CvYSGxvx:vRI//qg2iZU4qiWbcP5mbRnnEUKPoD+

Score
10/10
cybergateaissapersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Aissa

C2

82.242.250.193:81

82.242.250.193:82

82.242.250.193:83
Mutex

54D10ZT5Z5Q0GR2Z20T05ZS

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Java

  • install_file

    JavaUdapter.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      13384f7179292b455c2d786ff594992d

    • Size

      399KB

    • MD5

      13384f7179292b455c2d786ff594992d

    • SHA1

      bb04f75828cb110ad4acd5faeffa925e298be607

    • SHA256

      6d46885121a426d22e3b7e06b5771dfc9b5b560593826379791f1129e3f28a1d

    • SHA512

      dc61f1b8e0126e06462d794d8fcd03167fd1bf148053095b7daa2e3b89ed6cb25c3ab459e985b066f274aec8bf71512e62baebfe8f9966c00b641d80bc8e37be

    • SSDEEP

      6144:X/RI/NigX+SZ1/9UN2FzNeJifYXEU4qh8WD/cPn5Ti5Rb0ktnF8gESj8CvYSGxvx:vRI//qg2iZU4qiWbcP5mbRnnEUKPoD+

    Score
    10/10
    cybergateaissapersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks