General

  • Target

    95e42cc171429038d6cdfaf7dc7e6c14

  • Size

    671KB

  • Sample

    240212-bvfs8sgc93

  • MD5

    95e42cc171429038d6cdfaf7dc7e6c14

  • SHA1

    86ae6a7b1b99d37dfb4b7c46eedc31d65395512a

  • SHA256

    6559fff4a3cf0f463b6a864eb3e8198d7bc127fdb5df34b0f6d78ea951f54fb7

  • SHA512

    10b3271ed193061c73c43e1b2de3917a8fdf6bf1bfe0c8080d31dea024350a08957d3fcd55865920773d35c8cf69c5a299cdffbd1dd9ece647a8e2d2d6abc23e

  • SSDEEP

    12288:G5GzsTX4Tz4zLHMKZGXzSzyS9qyf4dCkaKAfqe+qgkWEEXvqS6FooFy7IFRPEnnq:G1LvsSYraee9xIx6z

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.18.0 - Crack Version

  • Botnet

    Sheikh

  • C2

    curtis50.no-ip.info:8898

  • Mutex

    O72AY8U13G601O

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    Windefender.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    omolabi

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Drops startup file

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
