General

  • Target

    c0c225e9ae2c853eb7ed5b3349e04081

  • Size

    548KB

  • Sample

    240311-q81swscd3w

  • MD5

    c0c225e9ae2c853eb7ed5b3349e04081

  • SHA1

    abcb002a06b138ab79694bdd1da119c8430faa68

  • SHA256

    045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f

  • SHA512

    6183a975c33fdf4b3d6962982381424df9ca6dceddeb0695635e8fb677ff1536c06fbe46a8016e94489d3c3fe916c1a3aac08665220d770c685621e1063f5479

  • SSDEEP

    12288:yuC0B61rn9DTZb8OrUnEY9XN5Q2xuQwGT7qoQTMSfcHgUMPB:yuuxDbXriNNxJw9TCTA

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

blast3r.no-ip.biz:80

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    iexplorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      c0c225e9ae2c853eb7ed5b3349e04081

    • Size

      548KB

    • MD5

      c0c225e9ae2c853eb7ed5b3349e04081

    • SHA1

      abcb002a06b138ab79694bdd1da119c8430faa68

    • SHA256

      045c99196c1bdd7c3c199365876db6b4df7bbb748d75e2af6adc798ea0b2e21f

    • SHA512

      6183a975c33fdf4b3d6962982381424df9ca6dceddeb0695635e8fb677ff1536c06fbe46a8016e94489d3c3fe916c1a3aac08665220d770c685621e1063f5479

    • SSDEEP

      12288:yuC0B61rn9DTZb8OrUnEY9XN5Q2xuQwGT7qoQTMSfcHgUMPB:yuuxDbXriNNxJw9TCTA

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks