General

  • Target

    90b95838b53ddb4b5f27ac4931025c38

  • Size

    338KB

  • Sample

    240205-cbbkvafhh7

  • MD5

    90b95838b53ddb4b5f27ac4931025c38

  • SHA1

    0fb4e595d4ee58ef5e5e595fbcab4dc990b7c388

  • SHA256

    5d3b91ec8534ee3eaa751ba7c4a9625850c915afdbf2307ae32d6343780a5d7a

  • SHA512

    701f23f1de7fef7af124bd763f16cde586d28ee45786855875e6bea79426e7269b1adfcd9d7b01566d3d52af73faf8aa350b7c053db22b0d61904426555d4cf7

  • SSDEEP

    6144:Rr0b4VROJBCL3ce5ncyzG23UbuasNPp4boJi0oIDVOCmY31g/RVKEJRxUt0tLkpq:NHsC7AKEJgtztDNnIYddy

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

linux

C2

anonimous.no-ip.biz:11500

Mutex

SoundRealtek

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    update.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    211971

  • regkey_hkcu

    RealtekSound

  • regkey_hklm

    RealtekSound

Targets

    • Target

      90b95838b53ddb4b5f27ac4931025c38

    • Size

      338KB

    • MD5

      90b95838b53ddb4b5f27ac4931025c38

    • SHA1

      0fb4e595d4ee58ef5e5e595fbcab4dc990b7c388

    • SHA256

      5d3b91ec8534ee3eaa751ba7c4a9625850c915afdbf2307ae32d6343780a5d7a

    • SHA512

      701f23f1de7fef7af124bd763f16cde586d28ee45786855875e6bea79426e7269b1adfcd9d7b01566d3d52af73faf8aa350b7c053db22b0d61904426555d4cf7

    • SSDEEP

      6144:Rr0b4VROJBCL3ce5ncyzG23UbuasNPp4boJi0oIDVOCmY31g/RVKEJRxUt0tLkpq:NHsC7AKEJgtztDNnIYddy

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks