General

  • Target

    8f0ea10b8cae746778dc6cb321606e90

  • Size

    477KB

  • Sample

    240204-nryk4aaehn

  • MD5

    8f0ea10b8cae746778dc6cb321606e90

  • SHA1

    4a624bffbfed4e8f557c0b483692e316ff4069bf

  • SHA256

    075356f1135c4a9025fb55cb99a6474e60ef646731ab0e9eee3615d632058962

  • SHA512

    f0d377b249800b50bee7c6eb94aa142041227a63ea8d8486c1d62c5a50dfce47aedda99e994fd92503199db18eed5677091b7e5cbe3d40b19f4c9ed24a4503a9

  • SSDEEP

    12288:2P1FVkA1lkLe66G3w4q42kON2WtRcl5NTXdVGU5S:eDVtlkL3st9NBEnjd38

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    newone

  • C2

    don31.no-ip.org:100

  • Mutex

    GRL2PXA5E753U7

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    system32

  • install_file

    explorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_title

    Error

  • password

    ultramuc

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
