General
- Target: 8cf00cb5b9ab6b8545426b381abe07af
- Size: 428KB
- Sample: 240203-v7mbbsegb7
- MD5: 8cf00cb5b9ab6b8545426b381abe07af
- SHA1: 2a55b6c45b51aee857befd729252327f85b6d3e1
- SHA256: 95de0e4b1dc614990ce5131af0a5997302fb41196fa7086ccfa51b5f3df5b7b9
- SHA512: a02462690f500b0f56d774c1e3989527cd4866c6721c47a5cd26eeec3ef4a3f0f0235f044f72674dd490a2552ba205470d27541876c02e6d3da234bf6bc7a323
- SSDEEP: 6144:MGqeN5GCiTG3qFjqZBdM1THz8yf5V9n/vCLF3YCnCWLbgrryFjaP6msn8JVJCz:KtcyTHzB5/v6YJ5f+eCmsnK
Static task: static1
Behavioral task: behavioral1
Sample: 8cf00cb5b9ab6b8545426b381abe07af.exe
Resource: win7-20231215-en
Malware Config
Extracted
cybergate
v1.02.0
Victime
lol77.no-ip.biz:83
BV4U8WS6A2U25A
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: ju101194do
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Targets
- Target: 8cf00cb5b9ab6b8545426b381abe07af
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext