General

  • Target

    7a6e18bea7c56c118397b416e1d401ef

  • Size

    428KB

  • Sample

    240127-q9njysfdem

  • MD5

    7a6e18bea7c56c118397b416e1d401ef

  • SHA1

    d8263e457522cfb901659415d23ee342dbdf3b94

  • SHA256

    0d35286789958c13122d4b61f3a793ed3cc10a204320d3460c7157ee56b4dd0a

  • SHA512

    a8b838ee45a7483ff9897db0a3c71d68ffcae7a75c69a22bce0904a44347392e5163eddcca8a0a59a9c3254c61da9f4af039fe760f027f3643234bdc340d8dad

  • SSDEEP

    6144:Pv2mt+/7OdThwus5emGSRgtBiOmSmQi2uSTsV5eQjCgNm2o0E62BPPb70ow3UtF0:j+/7zempyaHYQXNFErb70R3GaZAY0n6

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

201.235.69.27:2020

Mutex

aw45h

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Windows Version incompatible.

  • message_box_title

    error

  • password

    asd123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      7a6e18bea7c56c118397b416e1d401ef

    • Size

      428KB

    • MD5

      7a6e18bea7c56c118397b416e1d401ef

    • SHA1

      d8263e457522cfb901659415d23ee342dbdf3b94

    • SHA256

      0d35286789958c13122d4b61f3a793ed3cc10a204320d3460c7157ee56b4dd0a

    • SHA512

      a8b838ee45a7483ff9897db0a3c71d68ffcae7a75c69a22bce0904a44347392e5163eddcca8a0a59a9c3254c61da9f4af039fe760f027f3643234bdc340d8dad

    • SSDEEP

      6144:Pv2mt+/7OdThwus5emGSRgtBiOmSmQi2uSTsV5eQjCgNm2o0E62BPPb70ow3UtF0:j+/7zempyaHYQXNFErb70R3GaZAY0n6

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks