General

  • Target: 61aa19af9375a75eb4f6efa15a7620ee.rar
  • Size: 704KB
  • Sample: 240106-mwtbhaeecr
  • MD5: 61aa19af9375a75eb4f6efa15a7620ee
  • SHA1: 100f6ae1f242f3b65fa7b2f508586684c9ae0b54
  • SHA256: e264a8aedefdae99854d0e4c1d6be46e2f49ef9d435d7c2398d07f60de6b410b
  • SHA512: 6886a476efe23ea098f4d0d8b03c8fa28960916297e0ce551aa37c3f9a1bf9379da26abeb969b3cf32adc77114c8c6c4ee7a31175387d67d02a901e4edc68ed5
  • SSDEEP: 12288:Lv63iOt6arVLEnClqyGTcsT1oYa6NSNiuMoly6OiVaVKrnLLkaWoOcENofQz00hR:O3iTwhvKo7AuMCy3KrnLLBamTdmD

Malware Config

Extracted

  • Family: cybergate
  • Version: v1.07.5
  • Botnet: site de tv
  • C2: giovanih1.no-ip.org:999
  • Mutex: 087T2DY24M2620

Attributes

  • enable_keylogger: true
  • enable_message_box: false
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: install
  • install_file: Windows.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: sus xat foi um suseso!!!!!!!!!500power
  • message_box_title: xat
  • password: 123456
  • regkey_hkcu: HKCU
  • regkey_hklm: HKLM

Targets

    • Target: TV SITE/ADENSER 728X90.html
    • Size: 638B
    • MD5: 79d834481e83d8ecf4bc4ae46ba7a7f4
    • SHA1: 3f06b4a3f3ce7b606cd28b87ce9f0a57c506b540
    • SHA256: c39a9728c0f0d564f99c6e4cbf9a6eb200956ff7b6bb412fcf64b84fff3d8eb1
    • SHA512: 59607abe581abcb353aef61db5e77a5a7c226c824a5b8f9e83c24b19c896f08417257a7d93724a8b155ce57a9ee5518f4a81a8f14da7a5eac0710daebc4393ae
    • Score: 1/10
    • Target: TV SITE/ADENSER.html
    • Size: 640B
    • MD5: bb6cda827e7fe3061c8b10b5d0b6c695
    • SHA1: 730d09de9a79712658d2aca6d9f3db369e3282f3
    • SHA256: e87c9399b0c55a0b8035d197322b44ab7f1ad1e1ab33128d9281198cc0be2969
    • SHA512: 31ad05905eb2aeaf5d08370f84e782b76c333c30e1273c5c0e63fc5870b0c2a53b4d0fa6be0e6cf67e26bdae2e1e8a28b5570b70ee95e6b5b1e667dd224ceb5d
    • Score: 1/10
    • Target: TV SITE/INICIO.html
    • Size: 2KB
    • MD5: e84798b0ef5bcafa71ae649d6af3039f
    • SHA1: b316c97923025616ac0349ca97cbfaa068db300d
    • SHA256: ff76fa247a59066b02822841afd3d69f3271fa2a828d1ea5177c087be4d78354
    • SHA512: 740bd96767c6ae6424375e99c695a65d6127c42d53dcb57d54435ba7e4fdbaf06198e9ce22771b9e4dfc66afa780d8b0cc5172b24d65c9a936850f64e43a6a16
    • Score: 1/10
    • Target: TV SITE/fotodosite.exe
    • Size: 613KB
    • MD5: f5a51ddbdc7d90a6173cb960873439e8
    • SHA1: 7bfe25cf782fa37d1bfae645a22d58a0ca492c30
    • SHA256: 4cf127ca51aa574a5e78cea4b1ee9401cf9963025ac648157efa5f0290c74853
    • SHA512: 13c4b67cdc7c810cd82110c56fe0bcc5e12ec3548b0ac2b55bcd10000db97a59efc171959b4a5df3b3578e77e661ba6d03f3ef43ce36752016ea70e27e2a3f15
    • SSDEEP: 12288:4HLUMuiv9RgfSjAzRty6epvZHktQfgyCpmrc7OZyu8pAs1T8/lG/:CtARPepxH/fgyYmrasyuO8U/

    Signatures

    • CyberGate, Rebhip
      CyberGate is a lightweight remote administration tool with a wide array of functionalities.
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Adds Run key to start application
    • AutoIT Executable
      AutoIT scripts compiled to PE executables.
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

    • Target: TV SITE/index.html
    • Size: 32KB
    • MD5: d23a8a6c6df700ac4aacbf509b3ba1b8
    • SHA1: d7f78372473ca1a79864681094f05654a64033d7
    • SHA256: 48e3acf48ca837dee5fa86c82c8ee8697365edc88ef8b47272dffd261ed25b71
    • SHA512: 08bd0b420328ecb7ec51401ebe24ffd655fae19ea55aff085490b2e3f03bec9cd5c26a3e676eaa9d61b2be53d161bf94d1c06225eb0c4dbf878262216e65a51e
    • SSDEEP: 384:wpJ0Hib1fCh3tTl96+EUoMOAkhmeoaJqbDoiEyBiYeNXb2S3SsmatcPPem:kJom1f8tTHgmwee5NSsmnem
    • Score: 1/10

MITRE ATT&CK Enterprise v15

Tasks