General

  • Target: 8e3a6580fe508c9484f5cd0563a4fd53
  • Size: 857KB
  • Sample: 240204-e8hrjacagl
  • MD5: 8e3a6580fe508c9484f5cd0563a4fd53
  • SHA1: 7fe5c3a57f73cd41f35854ea45345e7ad53c521c
  • SHA256: 0b298b129b1b286425781c3efd5a23bb228e37015e6807d803de07308d4bd20c
  • SHA512: bffb7656e56796bca251a5754872229b20cef57d8d514988c858cacbf836ca460d1992cbc28176197c61c51cd0d88eb8c8df6a670a13c35434e3590516fdb0d9
  • SSDEEP: 24576:aIvfdryGialGcdTkTFiVALUgUmP+tWJljDVZsWFFeI:Vfd3ikGakTchzmWwnD/sWFAI

Malware Config

Extracted

  • Family: cybergate
  • Version: 2.6
  • Botnet: vítima
  • C2: hardick.no-ip.biz:2000
  • Mutex: jajaja***

Attributes

  • enable_keylogger: true
  • enable_message_box: false
  • ftp_directory: ./logs/
  • ftp_interval: 5
  • injected_process: explorer.exe
  • install_dir: win32
  • install_file: server.exe
  • install_flag: true
  • keylogger_enable_ftp: false
  • message_box_caption: texto da mensagem
  • message_box_title: título da mensagem
  • password: abcd1234
  • regkey_hkcu: HKCU
  • regkey_hklm: HKLM

Targets

  • Target: Data installer.exe
    • Size: 169KB
    • MD5: ce3ef20cf976e1bb5a7066dded82be02
    • SHA1: 0911f72d97a58bab2f27663a8d3f8460209c1260
    • SHA256: 188f8a51d75c0af055f7ca63f994c4b66e0d8e7176774f5bc1cfc6bcce0ad9d9
    • SHA512: 96efd9a4928d1ee092277f67d2da293d9b2f3bb6b2f9e1767368ddc21ee65b42674413456bc5f2eedd9804c83f88be9840a68791cce0043e1df8ab0037751702
    • SSDEEP: 3072:ej/HLrGfKGSq7yTfPu8K00X2Ed/vxHoWn/jMTn8lz7FnprBDCI6nr:y/HHXQ7yHLd2v+QIG3rAIy

    Score: 5/10

    • Suspicious use of SetThreadContext

  • Target: Setup_Runtime1.exe
    • Size: 719KB
    • MD5: 92d0a8e359593547d860f8c84e974f31
    • SHA1: 61951c82c77cb2165b3d20028b5981febecc3d5c
    • SHA256: 346e6d3078bfe9cc5ac3b95368af977a86e606c393cff0040b9357e9faac89a2
    • SHA512: 3be9c89ad113701b3346a7db2a48aa387a4b8b5d657bd951ceb4bf51a9f89d11bd6f63c5a70bf3916cab85afba2a42f5c520cfec0d9228b5071482d47c37e99c
    • SSDEEP: 12288:0FszBhqS5mai7cHFrqCVnpHlyFFxAMni6od7BcqmoPZI2//87DA7NhnJ4c9:0FszWS5xtHdqChby+MiHd7BFZR/WmhnR

    • CyberGate, Rebhip
      CyberGate is a lightweight remote administration tool with a wide array of functionalities.
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file
      Detects executables packed with UPX or a modified UPX open-source packer.
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
