General

  • Target

    bc500b8a6c897f33f9623961ce58e0fe

  • Size

    649KB

  • Sample

    240309-vcdqpsdc3s

  • MD5

    bc500b8a6c897f33f9623961ce58e0fe

  • SHA1

    5dad5a3374d3998eeb8a60de7390612da41b6f41

  • SHA256

    3d1bc5b5462fe94a97a76643bf7477b86475beaf5ae819963ede6226fbe647b3

  • SHA512

    d94af33f34b1d775868a655504bb5853af6c29f8246b8aa315288f42c702f250c47b90f10bbb17a3e36dd5855d126f939ad6caa8388960a090fbf7c00ee7dbf6

  • SSDEEP

    12288:ncD66AQ4dLOSwCDfJqlE6uGiGSAlVLuBRzXA2oAMHVB66EYAUTS9D/ksSzQR:n5LtwCc26uGi2VCHXSBzTaDMsAQR

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

C2

127.0.0.1:81

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • ftp_password

    ªš÷Öº+Þ

  • ftp_port

    21

  • ftp_server

    ftp.server.com

  • ftp_username

    ftp_user

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL
