
General

  • Target: 77a531c73cfb4426964029e611f438cd
  • Size: 392KB
  • Sample: 240126-r7sassgaf6
  • MD5: 77a531c73cfb4426964029e611f438cd
  • SHA1: 9078b6f8d51dce6a347379665f0f3a9494bead2e
  • SHA256: 6d65f698915ffeb197d4c5852a8b5275eac96174b94a5a911e9e7dde2b21edeb
  • SHA512: ce25b192d8beeddae1c822dcc9c9fcc2bcbfe94e931b42f165626c171a117703732d6ce1bcd5a544646c732e0a6dda10263bd1289bfd2c0797efb70f2ca80a5f
  • SSDEEP: 6144:nD/bumn1Ns48rVcrQfxy6cfQm72K/jJBFozz8zyNW91k28DdQrPvWbwCLcqujY6c:njKm1Ns/QQU605bpFJE5dQawwbeY4BQ

Malware Config

Extracted

  • Family: cybergate
  • Version: 2.6
  • Botnet: ÈÏí Çäíßß
  • C2: mohammad2010.no-ip.biz:100
  • Mutex: ***MUTEX***

Attributes

  • enable_keylogger: true
  • enable_message_box: false
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: svchost.exe
  • install_dir: system32
  • install_file: system32.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: texto da mensagem
  • message_box_title: título da mensagem
  • password: abcd1234
  • regkey_hkcu: HKCU
  • regkey_hklm: HKLM

Targets

  • Target: 77a531c73cfb4426964029e611f438cd (392KB; hashes as listed under General)

  Signatures

    • CyberGate, Rebhip: CyberGate is a lightweight remote administration tool with a wide array of functionalities.
    • Adds policy Run key to start application
    • Checks computer location settings: looks up the country code configured in the registry, likely used as a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file: detects executables packed with UPX or a modified build of the UPX open-source packer.
    • Adds Run key to start application
    • Drops file in System32 directory
