General

  • Target

    80c65520a426ed977843f25fc4928120

  • Size

    343KB

  • Sample

    240129-y4ct9sbeam

  • MD5

    80c65520a426ed977843f25fc4928120

  • SHA1

    e4720d3608d0efaf088a5dc309ac3f3af350e225

  • SHA256

    78da4b9f9fb6b94ca72f501b28cad8461f8897e4281da8ad269d9a8ce0cc9290

  • SHA512

    0aca0700e4374aebf10e82d3be763f7e2d61c1f2a19a21af751287ef820208ffe05b4776abe0157c2d8a9198e7fdd79300bc0a8f79c5ddea2f40227b204c1dc6

  • SSDEEP

    6144:PhGfJyQ3CPtFK+h7UWT5LwShJME09x5mhrujGJMvj79XbGWBKl9e7Bi6SDzlFfjw:PhGfJyXPtzIwEEoTmhru6Jqj0WBg9161

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

spyonepepsico.no-ip.org:81

spyonepepsico.no-ip.org:1338

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Windows Live Messenger

  • install_file

    Windows Live Messenger.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123456

  • regkey_hkcu

    Windows Live Messenger

  • regkey_hklm

    Windows Live Messenger

Targets

    • Target

      80c65520a426ed977843f25fc4928120

    • Size

      343KB

    • MD5

      80c65520a426ed977843f25fc4928120

    • SHA1

      e4720d3608d0efaf088a5dc309ac3f3af350e225

    • SHA256

      78da4b9f9fb6b94ca72f501b28cad8461f8897e4281da8ad269d9a8ce0cc9290

    • SHA512

      0aca0700e4374aebf10e82d3be763f7e2d61c1f2a19a21af751287ef820208ffe05b4776abe0157c2d8a9198e7fdd79300bc0a8f79c5ddea2f40227b204c1dc6

    • SSDEEP

      6144:PhGfJyQ3CPtFK+h7UWT5LwShJME09x5mhrujGJMvj79XbGWBKl9e7Bi6SDzlFfjw:PhGfJyXPtzIwEEoTmhru6Jqj0WBg9161

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks