General

  • Target

    VirusShare_507e1a6a0432d3d63a92f91192fe02f2

  • Size

    1.2MB

  • Sample

    240130-2k417afhdl

  • MD5

    507e1a6a0432d3d63a92f91192fe02f2

  • SHA1

    f1eb699cbabcd697fd9501b237fb97403536e6d5

  • SHA256

    0a1921daf98651f0ba2eafdfe3884e44c8d098885a7a1282b0b3d5fea15f1c93

  • SHA512

    2ccd3e7eaf07cf2d5926598e8867246e28e45ebf42b0065a0cdd2e158d8fbd7d0f9c9e0fc07728fe624f060ce8c1ca8c14bdf890a4fc41eb4ad85f0a2013268c

  • SSDEEP

    24576:dIlIi6S9baGrDjLP/yeuWPyi1osGQMtwxSt0RmHwiF4B:gIi6S9LX3W3Zt0kDF4B

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

xcxz.no-ip.biz:1604

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    winupdate.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    229669

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
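The configuration block above is the most useful part of the report for a defender, but it is flat text. The following added example (not the sandbox's code) parses the report's own key/value layout into a dictionary, derives the network and host indicators a hunt would start from, and emits a YARA rule for dumped or unpacked process images. Two things here are assumptions rather than report facts: that regkey_hkcu/regkey_hklm are the value names written under the Run keys, and that the config strings appear in plaintext once the Themida layer is off. Note also that the three Portuguese values are the CyberGate builder's defaults (vítima = "victim", texto da mensagem = "message text", título da mensagem = "message title"), so they identify the family rather than this operator; the rule therefore anchors on the C2 host.

```python
"""Turn the extracted CyberGate config into hunting artifacts and a YARA rule.

Added example, not the sandbox's code. CONFIG_TEXT copies the report's values
in its bullet layout (the blank lines between key and value are dropped; the
parser skips blank lines anyway). Assumptions, not report facts: regkey_hkcu
and regkey_hklm are the Run value names, and the config strings are plaintext
in a dumped process image.
"""

# Copied from the report's "Malware Config" section (subset of attributes).
CONFIG_TEXT = """\
Family
cybergate
Version
2.7 Final
Botnet
vítima
C2
xcxz.no-ip.biz:1604
Mutex
***MUTEX***
Attributes
  • enable_keylogger
    true
  • injected_process
    explorer.exe
  • install_dir
    install
  • install_file
    winupdate.exe
  • regkey_hkcu
    HKCU
  • regkey_hklm
    HKLM
"""
SECTION_HEADERS = {"Malware Config", "Extracted", "Attributes"}


def parse_config(text):
    """Flatten the layout: a bullet line names an attribute; any other non-header
    line is a key when none is pending, otherwise the pending key's value."""
    cfg, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            continue
        if line.startswith("•"):
            pending = line[1:].strip()
        elif pending is None:
            pending = line
        else:
            cfg[pending] = line
            pending = None
    return cfg


def split_c2(c2):
    """'host:port' -> (host, int port); refuse anything without a numeric port."""
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"unexpected C2 format: {c2!r}")
    return host, int(port)


def hunting_artifacts(cfg):
    """Network and host indicators worth searching for."""
    host, port = split_c2(cfg["C2"])
    run_key = r"\Software\Microsoft\Windows\CurrentVersion\Run"
    return {
        "c2_host": host,
        "c2_port": port,
        "mutex": cfg["Mutex"],
        # The report gives install_dir as the bare name 'install' and does not
        # name its parent directory, so only a relative path can be emitted.
        "dropped_file_relpath": cfg["install_dir"] + "\\" + cfg["install_file"],
        # Assumption: regkey_hkcu / regkey_hklm are the Run value names.
        "run_key_values": {root + run_key: cfg["regkey_" + root.lower()] for root in ("HKCU", "HKLM")},
        "injection_target": cfg["injected_process"],
        "keylogger_enabled": cfg.get("enable_keylogger") == "true",
    }


def yara_rule(cfg, name="cybergate_config_in_memory"):
    """YARA rule for dumped/unpacked images (not for the Themida-packed file).
    YARA text strings must be ASCII, so the non-ASCII botnet id is written as a
    UTF-8 hex string; ASCII values get 'ascii wide' to catch UTF-16 copies."""
    host, _ = split_c2(cfg["C2"])
    strings = {"c2_host": host, "mutex": cfg["Mutex"],
               "botnet": cfg["Botnet"], "dropper_name": cfg["install_file"]}
    lines = [f"rule {name}", "{", "    strings:"]
    for ident, value in strings.items():
        if value.isascii():
            escaped = value.replace("\\", "\\\\").replace('"', '\\"')
            lines.append(f'        ${ident} = "{escaped}" ascii wide')
        else:
            lines.append(f"        ${ident} = {{ {value.encode('utf-8').hex(' ')} }}")
    # Require the operator-specific C2 host plus one of the weaker, default-ish strings.
    lines += ["    condition:", "        $c2_host and 1 of ($mutex, $botnet, $dropper_name)", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_config(CONFIG_TEXT)
    print(hunting_artifacts(parsed))
    print(yara_rule(parsed))
```

Run it as-is to print the indicator dictionary and the rule; feed a different report's config block to `parse_config` to reuse it. The rule deliberately does not use the password or the `***MUTEX***` string on their own, since both are short or default values that would match well beyond this sample.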

Targets

    • Target

      VirusShare_507e1a6a0432d3d63a92f91192fe02f2

    • Size

      1.2MB

    • MD5

      507e1a6a0432d3d63a92f91192fe02f2

    • SHA1

      f1eb699cbabcd697fd9501b237fb97403536e6d5

    • SHA256

      0a1921daf98651f0ba2eafdfe3884e44c8d098885a7a1282b0b3d5fea15f1c93

    • SHA512

      2ccd3e7eaf07cf2d5926598e8867246e28e45ebf42b0065a0cdd2e158d8fbd7d0f9c9e0fc07728fe624f060ce8c1ca8c14bdf890a4fc41eb4ad85f0a2013268c

    • SSDEEP

      24576:dIlIi6S9baGrDjLP/yeuWPyi1osGQMtwxSt0RmHwiF4B:gIi6S9LX3W3Zt0kDF4B

    • CyberGate, Rebhip

      CyberGate (also detected as Rebhip) is a remote access trojan with a wide range of capabilities; the configuration extracted above shows keylogging enabled and explorer.exe as the process injection target.

    • Detects binaries and memory artifacts referencing sandbox product IDs

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications and is sometimes used as a sandboxing environment, so probing for its registry keys is an analysis-evasion check.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system. A Themida-packed sample exposes its strings and configuration only after unpacking or in a memory dump, which is why the config above is an extracted artifact rather than something visible in the file on disk.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the thread's debug events from reaching an attached debugger, a common anti-debugging technique.
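The signatures listed above are behavioural, so they can be reproduced from an API trace. The following added example (not the sandbox's signature engine) implements the persistence, anti-analysis and dropped-file checks from this list over a constructed trace shaped like a sandbox API log. The drop directory, the Active Setup GUID and the DLL name are made up, since the report gives only the relative install folder and the file name winupdate.exe; using regkey_hkcu/regkey_hklm as the Run value names is an assumption.

```python
"""Re-implementation of the report's behaviour signatures over an API trace.

Added example, not the sandbox's code. TRACE is a constructed API-call log in
the shape a sandbox records for this sample's persistence and anti-analysis
behaviour: the drop directory, the Active Setup GUID and helper.dll are made
up (the report names only the relative 'install' folder and winupdate.exe),
and using regkey_hkcu/regkey_hklm as the Run value names is an assumption.
"""

# ThreadInformationClass passed to NtSetInformationThread to detach a thread
# from any attached debugger (ThreadHideFromDebugger).
THREAD_HIDE_FROM_DEBUGGER = 0x11

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
POLICY_RUN_KEY = r"\software\microsoft\windows\currentversion\policies\explorer\run"
ACTIVE_SETUP_KEY = r"\software\microsoft\active setup\installed components"
WINE_KEY = r"\software\wine"

DROP = r"C:\Users\victim\AppData\Roaming\install"  # constructed drop directory

# Constructed trace: one dict per logged API call, with the arguments that matter.
TRACE = [
    {"api": "NtSetInformationThread", "info_class": THREAD_HIDE_FROM_DEBUGGER},
    {"api": "RegOpenKeyExW", "key": r"HKCU\Software\Wine"},
    {"api": "NtWriteFile", "path": DROP + r"\winupdate.exe"},
    {"api": "NtWriteFile", "path": DROP + r"\helper.dll"},
    {"api": "RegSetValueExW", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "HKCU", "data": DROP + r"\winupdate.exe"},
    {"api": "RegSetValueExW",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "name": "HKLM", "data": DROP + r"\winupdate.exe"},
    {"api": "RegSetValueExW",
     "key": r"HKLM\Software\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}",
     "name": "StubPath", "data": DROP + r"\winupdate.exe"},
    {"api": "CreateProcessW", "path": DROP + r"\winupdate.exe"},
    {"api": "LdrLoadDll", "path": DROP + r"\helper.dll"},
    {"api": "LdrLoadDll", "path": r"C:\Windows\System32\kernel32.dll"},
]


def match_signatures(trace):
    """Return {signature name: [evidence, ...]} for the behaviours in the trace.

    Written files are remembered so that later CreateProcess/LdrLoadDll calls on
    the same path count as execution of a *dropped* file rather than of any file.
    """
    hits, dropped = {}, set()

    def hit(sig, evidence):
        hits.setdefault(sig, []).append(evidence)

    for ev in trace:
        api = ev["api"]
        if api == "NtSetInformationThread" and ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
            hit("Suspicious use of NtSetInformationThreadHideFromDebugger", api)
        elif api in ("RegOpenKeyExW", "RegQueryValueExW") and WINE_KEY in ev["key"].lower():
            hit("Identifies Wine through registry keys", ev["key"])
        elif api in ("NtWriteFile", "WriteFile"):
            dropped.add(ev["path"].lower())
        elif api == "RegSetValueExW":
            key = ev["key"].lower()
            evidence = ev["key"] + "\\" + ev["name"] + " = " + ev["data"]
            if key.endswith(POLICY_RUN_KEY):
                hit("Adds policy Run key to start application", evidence)
            elif key.endswith(RUN_KEY):
                hit("Adds Run key to start application", evidence)
            elif ACTIVE_SETUP_KEY in key and ev["name"].lower() == "stubpath":
                hit("Modifies Installed Components in the registry", evidence)
        elif api in ("CreateProcessW", "NtCreateUserProcess") and ev["path"].lower() in dropped:
            hit("Executes dropped EXE", ev["path"])
        elif api in ("LdrLoadDll", "LoadLibraryW") and ev["path"].lower() in dropped:
            hit("Loads dropped DLL", ev["path"])
    return hits


if __name__ == "__main__":
    for sig, evidence in sorted(match_signatures(TRACE).items()):
        print(sig, "->", evidence)
```

The ordering of the policy-key test before the plain Run-key test matters: both key paths end in `\Run`, and only the longer suffix identifies the policy variant. The kernel32.dll load in the trace is there to show that loading a system DLL does not trigger the dropped-DLL signature.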

MITRE ATT&CK Enterprise v15
