General

  • Target

    815939b2abe161442823c69586b9162a

  • Size

    367KB

  • Sample

    240130-bpmplaegb2

  • MD5

    815939b2abe161442823c69586b9162a

  • SHA1

    11fdada1953c8911dc6b46b5fdfc1dfb4fe11373

  • SHA256

    8a0e38ac386c9f267a178138c5d0d1c4ba22f220660a31ff8dcce523c6b22731

  • SHA512

    667f46a7339ea76caae3e23b359b6cb752ba8cace8b5a3213882b3b3b1dc0a122a76a689bf604b7d9a9d6b2bd026941a8cc05d0cac99027b8fc556c86b6674e7

  • SSDEEP

    6144:OIalhZ4ThYjAqv8hvHW/oDdJZX/PbaKxqNZleHTNfE7cZSo/F1lvllE5OWw:OICv8g/oDdJVGKxqVezZ2Kx/F5Ghw

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

than.no-ip.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15