General

Target: 159753f08c597f1dc20284bc7287f469
Size: 3.3MB
Sample: 231230-mapfeshhe2
MD5: 159753f08c597f1dc20284bc7287f469
SHA1: fd1ae62a7d2265236a0e2a9a2927f26a7e89709d
SHA256: e687316d7ff6885f2635083ad69b08e059860957ab5549a9cf5d1b580aae08ab
SHA512: 8acbfc7a9b344270f075d2a270605ef32948f732962f818370bc4718dc8f87d23e7cbdd6230873d03aca30f1fc171c9513dca7125ae3a17d458d6b343d8f8b08
SSDEEP: 49152:hSViq6P+OT7z1ox9y8fDu5dmaY4+q8v1c3ogXA1IEX7mpHKDRQstflm:hSXg+2+f473Gc3o1vXypFstc
Behavioral task

behavioral1
Sample: 159753f08c597f1dc20284bc7287f469.exe
Resource: win7-20231215-en
Malware Config

Extracted
Family: cybergate
Version: v1.07.5
Botnet ID: vic (label inferred; the extracted config lists this value without a field name)
C2: spuelmittel.kicks-ass.org:7789
Mutex: F785015O1J48BF (label inferred; the extracted config lists this value without a field name)

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Crysis
install_file: cry.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 45717893
regkey_hkcu: explorer
regkey_hklm: explorer
Targets

Target: 159753f08c597f1dc20284bc7287f469
Size: 3.3MB
MD5: 159753f08c597f1dc20284bc7287f469
SHA1: fd1ae62a7d2265236a0e2a9a2927f26a7e89709d
SHA256: e687316d7ff6885f2635083ad69b08e059860957ab5549a9cf5d1b580aae08ab
SHA512: 8acbfc7a9b344270f075d2a270605ef32948f732962f818370bc4718dc8f87d23e7cbdd6230873d03aca30f1fc171c9513dca7125ae3a17d458d6b343d8f8b08
SSDEEP: 49152:hSViq6P+OT7z1ox9y8fDu5dmaY4+q8v1c3ogXA1IEX7mpHKDRQstflm:hSXg+2+f473Gc3o1vXypFstc

Signatures
- Adds policy Run key to start application
  Autostart entry under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run; with this config the value name is "explorer" (regkey_hkcu / regkey_hklm).
- Modifies Installed Components in the registry
  Active Setup (Software\Microsoft\Active Setup\Installed Components\{GUID}\StubPath); the StubPath command runs at the next user logon.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  Autostart entry under Software\Microsoft\Windows\CurrentVersion\Run, value name "explorer" per the config.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
  Used to redirect a suspended thread to injected code; consistent with the injected_process value explorer.exe in the config.
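The extracted config and the persistence signatures above are enough to derive host IOCs and check a registry export for them. The following is an added example, not part of the sandbox report: it turns the config values into the expected Run, policy Run and Active Setup entries, parses a `reg export` style dump, and reports entries that launch install_dir\install_file. The "botnet" and "mutex" labels for the two unlabelled config values are assumptions, the install path under AppData and the Active Setup GUID in the sample dump are made up, and the dump itself is constructed for the example.

```python
import re

# Config values as extracted from the sample (from the report above). The
# "botnet" and "mutex" labels are assumed: the report lists those two values
# without a field name.
CONFIG = {
    "version": "v1.07.5",
    "botnet": "vic",                        # assumed label
    "c2": "spuelmittel.kicks-ass.org:7789",
    "mutex": "F785015O1J48BF",              # assumed label
    "install_dir": "Crysis",
    "install_file": "cry.exe",
    "injected_process": "explorer.exe",
    "regkey_hkcu": "explorer",
    "regkey_hklm": "explorer",
}

# Standard Windows autostart locations behind the report's persistence signatures.
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_RUN = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
ACTIVE_SETUP = r"Software\Microsoft\Active Setup\Installed Components"


def derive_iocs(cfg):
    """Persistence registry values and C2 endpoint implied by the config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "dropped_file": cfg["install_dir"] + "\\" + cfg["install_file"],
        # (hive-qualified key, value name) pairs covering "Adds Run key" and
        # "Adds policy Run key"; the value name is the regkey_* setting.
        "run_values": {
            ("HKEY_CURRENT_USER\\" + RUN, cfg["regkey_hkcu"]),
            ("HKEY_LOCAL_MACHINE\\" + RUN, cfg["regkey_hklm"]),
            ("HKEY_CURRENT_USER\\" + POLICY_RUN, cfg["regkey_hkcu"]),
            ("HKEY_LOCAL_MACHINE\\" + POLICY_RUN, cfg["regkey_hklm"]),
        },
        "c2_host": host,
        "c2_port": int(port),
    }


_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, value) for REG_SZ entries of a 'reg export' dump.

    hex:/dword: values are skipped; .reg escaping of backslash and quote is undone.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _SZ_RE.match(line)
        if m and key is not None:
            name, value = m.groups()
            yield key, name, re.sub(r'\\(["\\])', r"\1", value)


def find_persistence(reg_text, cfg):
    """Return (signature, key, value_name, value) tuples matching the config."""
    iocs = derive_iocs(cfg)
    dropped = iocs["dropped_file"].lower()
    run_pairs = {(k.lower(), n.lower()) for k, n in iocs["run_values"]}
    active_setup = ("\\" + ACTIVE_SETUP + "\\").lower()
    findings = []
    for key, name, value in parse_reg_export(reg_text):
        key_l, name_l = key.lower(), name.lower()
        if dropped not in value.lower():
            continue  # only entries that launch install_dir\install_file
        if (key_l, name_l) in run_pairs:
            sig = "policy_run" if "\\policies\\" in key_l else "run"
            findings.append((sig, key, name, value))
        elif active_setup in key_l and name_l == "stubpath":
            findings.append(("active_setup", key, name, value))
    return findings


# Constructed 'reg export' excerpt: one benign entry plus the three persistence
# entries the signatures describe. The install path under AppData and the
# Active Setup GUID are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"explorer"="C:\\Users\\alice\\AppData\\Roaming\\Crysis\\cry.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"explorer"="C:\\Users\\alice\\AppData\\Roaming\\Crysis\\cry.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9A2F6C3E-1B4D-4E5F-8A90-0C1D2E3F4A5B}]
"StubPath"="C:\\Users\\alice\\AppData\\Roaming\\Crysis\\cry.exe Restart"
"IsInstalled"=dword:00000001
"""

if __name__ == "__main__":
    for sig, key, name, value in find_persistence(SAMPLE_REG, CONFIG):
        print(f"{sig:13} {key}\\{name} = {value}")
```

The match is deliberately anchored on the value name from regkey_hkcu/regkey_hklm together with the install_dir\install_file suffix, so a benign Run entry (the OneDrive line) is not flagged and the parent directory, which the report does not state, does not matter. On a live host the same functions apply to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run out.reg` and the HKLM equivalents.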