General

  • Target

    9160127d9e0c4956785732b8fbab8b6b

  • Size

    372KB

  • Sample

    240205-h6gcgaadd8

  • MD5

    9160127d9e0c4956785732b8fbab8b6b

  • SHA1

    28a4a219e2250b81985b5478952ce334199af055

  • SHA256

    46ec6b8148d1f10dc4d5c4c98f718753ece64fce640c23a45de4c25695a05725

  • SHA512

    ef9daf571c618036cb0ad90cf3b8744075942cdd4c28235bd608f3c67caa61d721aae04dcb54915e97d1e2572810e2bbcd1d40b641d9f4459559c94cfa3e0a8c

  • SSDEEP

    6144:uOmsnZsca413O4423FuOiMS8ZbxAdHy4R+FQBACmpJtoHHa4wY0aV:uOmsnla41+4X3FuxPLS7FQBeyHEYZV

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

osna-ware.sytes.net:1100

Mutex

jajajajaja

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    win32

  • install_file

    notepad.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      9160127d9e0c4956785732b8fbab8b6b

    • Size

      372KB

    • MD5

      9160127d9e0c4956785732b8fbab8b6b

    • SHA1

      28a4a219e2250b81985b5478952ce334199af055

    • SHA256

      46ec6b8148d1f10dc4d5c4c98f718753ece64fce640c23a45de4c25695a05725

    • SHA512

      ef9daf571c618036cb0ad90cf3b8744075942cdd4c28235bd608f3c67caa61d721aae04dcb54915e97d1e2572810e2bbcd1d40b641d9f4459559c94cfa3e0a8c

    • SSDEEP

      6144:uOmsnZsca413O4423FuOiMS8ZbxAdHy4R+FQBACmpJtoHHa4wY0aV:uOmsnla41+4X3FuxPLS7FQBeyHEYZV

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks