General

  • Target

    952e05922ff5517c7c6c06f6ed408541

  • Size

    374KB

  • Sample

    240206-w3j6vaefck

  • MD5

    952e05922ff5517c7c6c06f6ed408541

  • SHA1

    03180ec34e59fa83bfa3595402cd9a4e99096f05

  • SHA256

    48eed8db62e44802c629a879afe05a84141f7fdd8a767974e9b4f096895eaab4

  • SHA512

    eac3dff8e2a8ace4151b88af7e4873b0a72774f88d21885387198549bc1f6f3cee4b46eeed4a5af7afe764733f93e31b221d55c3bfe7433569b1b83c1f300b30

  • SSDEEP

    6144:fx1cYovhquINc4YRuLiyweNITw4D4Be2P7oamoyCtXeMHZLrO4OAj5HdL:ovh174suLiylNIM46joamPCleiFrtOGL

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Sans mdp chrome

C2

thesebo258.no-ip.biz:86

Mutex

2KSEAOLYHFT8L2

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Install

  • install_file

    install.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    The file no exist !

  • message_box_title

    Error

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      952e05922ff5517c7c6c06f6ed408541

    • CyberGate, Rebhip

      CyberGate is a Delphi-based remote access trojan (RAT) sold as a "remote administration tool"; it offers keylogging, file transfer, remote shell and screen capture, and is detected by several vendors under the name Rebhip.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Adds Run key to start application
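The extracted config above (C2, mutex, install path, injected process) and the persistence signatures listed for this target are what a responder turns into hunt logic. The block below is an added example, not code from Tria.ge, from this report or from the CyberGate author: it takes the values as reported on this page, maps the Run key, policy Run key and Installed Components signatures to the standard Windows registry locations (the page names only the signatures; the paths are the usual ones and are an assumption here), runs the indicators over a few constructed sample events, and includes a hash check for a local copy of the sample. The event shape, the sample events and every helper name are assumptions for illustration; the `b"abc"` hash test vectors are standard values used because the sample itself is not on the page.

```python
"""Hunt indicators derived from a CyberGate config report (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values copied from the page's "Malware Config" section.
CONFIG = {
    "c2": "thesebo258.no-ip.biz:86",
    "mutex": "2KSEAOLYHFT8L2",
    "install_dir": "Install",
    "install_file": "install.exe",
    "injected_process": "explorer.exe",
}

# Hashes copied from the page's "General" section, for checking a local copy.
REPORT_HASHES = {
    "md5": "952e05922ff5517c7c6c06f6ed408541",
    "sha1": "03180ec34e59fa83bfa3595402cd9a4e99096f05",
    "sha256": "48eed8db62e44802c629a879afe05a84141f7fdd8a767974e9b4f096895eaab4",
}


def _key_components(path: str) -> Tuple[str, ...]:
    """Lower-case a registry path and split it into components."""
    return tuple(p for p in path.lower().split("\\") if p)


# Assumed standard locations behind the "Adds Run key", "Adds policy Run key"
# and "Modifies Installed Components" signatures (not stated on the page).
PERSISTENCE_KEYS = tuple(_key_components(k) for k in (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\active setup\installed components",
))


def parse_c2(c2: str) -> Tuple[str, int]:
    """Split 'host:port' into (host, port); host is lower-cased."""
    host, _, port = c2.rpartition(":")
    return host.lower(), int(port)


def is_persistence_key(path: str) -> bool:
    """True if the key (hive included) sits under one of PERSISTENCE_KEYS.
    Comparison is component-wise, so ...\\Run does not match ...\\RunOnce."""
    rel = _key_components(path)[1:]  # drop the hive (HKCU / HKLM)
    return any(rel[:len(k)] == k for k in PERSISTENCE_KEYS)


@dataclass
class Event:
    """Assumed minimal event shape: kind plus the one value that matters."""
    kind: str   # "dns", "netconn", "mutex", "registry", "file", "inject"
    value: str  # queried name, "host:port", mutex name, key path, file path, target image


def match_event(ev: Event, cfg: dict = CONFIG) -> Optional[str]:
    """Return the indicator name the event hits, or None."""
    host, port = parse_c2(cfg["c2"])
    v = ev.value.lower()
    if ev.kind == "dns" and v.rstrip(".") == host:
        return "cybergate_c2_dns"
    if ev.kind == "netconn" and ":" in v and parse_c2(v) == (host, port):
        return "cybergate_c2_connect"  # assumes the event carries the hostname
    if ev.kind == "mutex" and ev.value == cfg["mutex"]:  # object names are case-sensitive
        return "cybergate_mutex"
    if ev.kind == "registry" and is_persistence_key(v):
        return "cybergate_persistence_key"
    if ev.kind == "file" and v.endswith(("\\" + cfg["install_dir"] + "\\" + cfg["install_file"]).lower()):
        return "cybergate_dropped_install_exe"
    if ev.kind == "inject" and v == cfg["injected_process"]:
        return "cybergate_injected_explorer"
    return None


def scan_events(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every event through match_event and keep the hits as (rule, value)."""
    hits = []
    for ev in events:
        rule = match_event(ev)
        if rule:
            hits.append((rule, ev.value))
    return hits


def verify_hashes(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare each reported digest against the digest of a local copy."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest.lower()
            for algo, digest in expected.items()}


# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    Event("dns", "thesebo258.no-ip.biz"),
    Event("mutex", "2KSEAOLYHFT8L2"),
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKCU"),
    Event("registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup"),  # no hit
    Event("file", r"C:\Windows\system32\Install\install.exe"),
    Event("inject", "explorer.exe"),
    Event("dns", "update.example.com"),  # benign, no hit
]

if __name__ == "__main__":
    for rule, value in scan_events(SAMPLE_EVENTS):
        print(f"{rule}: {value}")
    # verify_hashes(open("sample.bin", "rb").read(), REPORT_HASHES) for a local copy
```

The `file` rule matches only on the trailing `Install\install.exe`, because the page gives the install directory name but not its parent; resolve the parent from the dropped-file event in your own telemetry before relying on the full path.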
