General

  • Target

    9569901ea02343601b2055f4a7d7c55a

  • Size

    699KB

  • Sample

    240206-zetxxsffc3

  • MD5

    9569901ea02343601b2055f4a7d7c55a

  • SHA1

    3a9e03a98556bf6fc96255234d0d167f2b0174b0

  • SHA256

    16038b9a55ac01103225c61e36978f8ddb2b3e20e74d15831af1f0c7f900b492

  • SHA512

    9ddf01384bf82066413d69c55ceb2e41cb5b092287ab873de9347fd427f2f40f09ca2fe652fdb1c7f9b6fba700fa9764e0adb0cf76c7f00900bc9a5b877c6eb2

  • SSDEEP

    12288:kBMmKGnhDT+JlCMT79AihWFkU4eqHR1Jx0dWQLkpLHjwtQ:mMmnDC+/IWWi6Hn

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

EL NUEVO FDP

C2

operspicaz.no-ip.biz:1982

infosfenix.no-ip.org :6001

Mutex

Java(TM) Plarform SE 9 U19

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./novo/

  • ftp_interval

    30

  • injected_process

    jusched.exe

  • install_dir

    Java\jre6\bin

  • install_file

    java(TM).exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      9569901ea02343601b2055f4a7d7c55a

    • Size

      699KB

    • MD5

      9569901ea02343601b2055f4a7d7c55a

    • SHA1

      3a9e03a98556bf6fc96255234d0d167f2b0174b0

    • SHA256

      16038b9a55ac01103225c61e36978f8ddb2b3e20e74d15831af1f0c7f900b492

    • SHA512

      9ddf01384bf82066413d69c55ceb2e41cb5b092287ab873de9347fd427f2f40f09ca2fe652fdb1c7f9b6fba700fa9764e0adb0cf76c7f00900bc9a5b877c6eb2

    • SSDEEP

      12288:kBMmKGnhDT+JlCMT79AihWFkU4eqHR1Jx0dWQLkpLHjwtQ:mMmnDC+/IWWi6Hn

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks