General
-
Target
86eff49d6b9768385aafdc9643469a83
-
Size
4.3MB
-
Sample
240201-1fbcmsghdq
-
MD5
86eff49d6b9768385aafdc9643469a83
-
SHA1
1a00ee636e0a70822d8274975bb8d80d5fa1163c
-
SHA256
152b87f0633ecb72ffa1580354762e07ece7bd3d53c27807845fbbf1666427f1
-
SHA512
e143614827418b4c71b84715452bf7083be47fb9e26d186de05f3527dfca1738423b7bb6b469a63464380f8e26b7c96130094183d264d2ba4bb071ac79a47679
-
SSDEEP
98304:F0ibuQTZiqn8KG8+ohaHntVWOcRuF5NuWgw25oyK1VZQ:eEnTZi+y8+UaHDaE5Q7m1G
Static task
static1
Behavioral task
behavioral1
Sample
spe3/Read_me_for_Info_to_trade_new_stuff_2011_DONT_REposT.txt.exe
Resource
win7-20231215-en
Malware Config
Extracted
cybergate
2.6
10
googleud7.dyndns-server.com:81
***MUTEX***
-
enable_keylogger
false
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
win64ini
-
install_file
svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
tÃtulo da mensagem
-
password
1
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
-
Target
spe3/Read_me_for_Info_to_trade_new_stuff_2011_DONT_REposT.txt.exe
-
Size
784KB
-
MD5
851de3d0db1b2ffe29414cb75715473f
-
SHA1
cc645d4b3426d7073f02b1c4db6858c64e10997b
-
SHA256
12193c733668672c9e6b88abb40d99c1d22679d84d619666ffc1b0b5c974a453
-
SHA512
8a47fc7c739ddeae734896deb470e2282a37b574c19ca351d5b646df901475f3eda536161a0e80af0fb1c6a4db5fb9947618420be48584767daf622d5944b044
-
SSDEEP
12288:qX3RvFGVNZxSvfdFPBsojcerNjwS4TV13rYeAiS34nua3sB8ezehm/P:qXPuNeLB7rSbXkxihtk8G/
-
Adds policy Run key to start application
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-