General

  • Target

    3eb98bcd758359e21ff3191cd3f6ef3a.exe

  • Size

    780KB

  • Sample

    240103-sfdh1ahgd7

  • MD5

    3eb98bcd758359e21ff3191cd3f6ef3a

  • SHA1

    2ecad9383cdeb82e9a2f48e581cbb71a454bb74a

  • SHA256

    e5cf0507595f0b88e092d709217f0b51aea46d30678644ebdc6705e1c9a63477

  • SHA512

    33647ec7fd29ae70ce031b115467b4fbe3694bb69f6fb0c41be673aff0f6888ec1251f63ba2907a4bfd2e434e175122517a4e15a71fdbdff47029bf1021c09b4

  • SSDEEP

    12288:Cu17/xLgn40HRD/NwpBxnMa4OTunN78TLWpNXldfZ7OLrC8SJAPQEGBgMvUlKpFU:CuH0nxyKaBSYWTVdxgKtgTV5n

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    NewTest

  • C2

    mihajlovo.no-ip.biz:85

  • Mutex

    lkhjbjhbgjkhbskbgruy87

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    System

  • install_file

    OUTLO0K.EXE

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      3eb98bcd758359e21ff3191cd3f6ef3a.exe

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15