General

  • Target

    2591a5278d4d76c6a7789a09942636cb.bin

  • Size

    396KB

  • Sample

    240201-br7sjsgcf3

  • MD5

    2591a5278d4d76c6a7789a09942636cb

  • SHA1

    654e5368d77948233928c3a9cb7985f0db430305

  • SHA256

    44429bc59bb8394e9685b18e8ea5e707aa7be127ea871bb1e396d2e2a152f5b0

  • SHA512

    c881ccb42a2113db14f86db07b86e7bbe198a2b04f9f98a23c1cd1416396e64e1dd01517cc6bbf2b0f94005d3ea4ae0b54d5735811e7ec71773d34b9817344ff

  • SSDEEP

    6144:egK6AfgVFBw/gASLVRu9QTFZ3sAiJRFuyZSTwh3zhBgIMYiHy0yOOOmbJYyLLl:ZK6Aue/g/VRmrJRcGSTwJqYWy5NYy

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

uncontroller.no-ip.biz:81

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    rundll32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      2591a5278d4d76c6a7789a09942636cb.bin

    • Size

      396KB

    • MD5

      2591a5278d4d76c6a7789a09942636cb

    • SHA1

      654e5368d77948233928c3a9cb7985f0db430305

    • SHA256

      44429bc59bb8394e9685b18e8ea5e707aa7be127ea871bb1e396d2e2a152f5b0

    • SHA512

      c881ccb42a2113db14f86db07b86e7bbe198a2b04f9f98a23c1cd1416396e64e1dd01517cc6bbf2b0f94005d3ea4ae0b54d5735811e7ec71773d34b9817344ff

    • SSDEEP

      6144:egK6AfgVFBw/gASLVRu9QTFZ3sAiJRFuyZSTwh3zhBgIMYiHy0yOOOmbJYyLLl:ZK6Aue/g/VRmrJRcGSTwJqYWy5NYy

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks