General

  • Target: b6f7e05c5f645bdf60db0e6e5cefb8b9
  • Size: 293KB
  • Sample: 240306-kbm8mseh7t
  • MD5: b6f7e05c5f645bdf60db0e6e5cefb8b9
  • SHA1: 118f086c8240f1b7dd3e8af6361a74263604b37a
  • SHA256: 82e4b967b47b9fe38088245f60958031a55f61d173d08e822925d34cad404b44
  • SHA512: d3d9371e98ad94e4a041de6af586307128cd299b33b014bfacd2d279076ba4f6d3e4fecef78684f210db36e984b08fdb09ba792fa806f83d0462eb0629b67f99
  • SSDEEP: 6144:So+7tWoUS6CqCiBoIR4ixh3xq5h4DE9fj6mRRnTqYYy9qqueCCp5/EH4:Z+7Eo1qMIRDs5xfjnRJTjEeCCfEY

Malware Config

Extracted

  • Family: cybergate
  • Version: 2.6
  • Botnet: vítima
  • C2: 3r9-hak.no-ip.org:81
  • Mutex: ***MUTEX***

Attributes

  • enable_keylogger: true
  • enable_message_box: true
  • ftp_directory: ./logs/
  • ftp_interval: 30
  • injected_process: explorer.exe
  • install_dir: Windows Live Messenger
  • install_file: msn.exe
  • install_flag: true
  • keylogger_enable_ftp: false

  • message_box_caption: دنتا غلبان (Windows-1256 bytes that the extracted value showed mis-decoded as Latin-1)
  • message_box_title: هل انت راضي ان اخترق جهازك (same Windows-1256 repair)

  • password: abcd1234
  • regkey_hkcu: HKCU
  • regkey_hklm: HKLM

Targets

    • Target: b6f7e05c5f645bdf60db0e6e5cefb8b9 (size and hashes as listed under General above)

    • CyberGate, Rebhip: CyberGate is a lightweight remote administration tool with a wide array of functionalities.
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • ASPack v2.12-2.42: Detects executables packed with ASPack v2.12-2.42.
    • Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file: Detects executables packed with UPX or a modified build of the UPX open-source packer.
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
