General

  • Target

    c2111180adbb1816c083e3d245c7f5c1

  • Size

    550KB

  • Sample

    240312-bffvpabe3s

  • MD5

    c2111180adbb1816c083e3d245c7f5c1

  • SHA1

    4484d8b1bff4976f3a889eb4483d9a526670213d

  • SHA256

    cde354f099e1a042ec7cb8f40bc672234c4c0cee8d052fed3915ec4c8931d61a

  • SHA512

    882b7be24d6652e6854436663fd0488ee29e600c1e72c214431d47a3199c71fc49e7fce8ea3cbe01c6d34bbdd741f298319da03e1e62c8d5abb4239ab9c8052a

  • SSDEEP

    6144:yb7Xqx/gH5oBZYKCUbA8BRnweB2kz2AKD1HvfLa+lJgdadFmFiRfMS3fRJiwf6DK:8qxGhuABkqtW+laqmPcfRQwSdmtDDb

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima (Portuguese for "victim"; the value is kept verbatim as it is the campaign ID embedded in the sample)

C2

denemeolur1.no-ip.org:81

Mutex

asdqwe54

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    drivers

  • install_file

    servces.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

texto da mensagem (Portuguese for "message text"; unused, since enable_message_box is false)

  • message_box_title

título da mensagem (Portuguese for "message title"; unused, since enable_message_box is false)

  • password

    abcd1234

  • regkey_hkcu

    driv

  • regkey_hklm

    driv
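
The extracted values above are enough to drive a host-hunting check. The following Python is an added example and is not code from the sandbox, from Triage or from the CyberGate author: it turns the reported C2 host and port, mutex, install file and directory, Run-key value name and injection target into matchers and runs them over a small set of constructed, Sysmon-style events. The event schema, the benign noise events and the full install path C:\Windows\system32\drivers\servces.exe used in the sample data are assumptions for illustration; only the indicator values themselves come from the report.

```python
"""Hunt for the CyberGate config artefacts on this page in endpoint telemetry.

Added example, not part of the sandbox report. The event dicts use a
constructed, Sysmon-like schema (assumption), not any real product's format.
"""

# Values copied verbatim from the extracted config in this report.
CONFIG = {
    "c2": "denemeolur1.no-ip.org:81",
    "mutex": "asdqwe54",
    "install_dir": "drivers",
    "install_file": "servces.exe",
    "regkey_hkcu": "driv",
    "regkey_hklm": "driv",
    "injected_process": "explorer.exe",
}

# Autostart locations the report's two Run-key signatures refer to: the plain
# Run key and the policy Run key. Matched case-insensitively as substrings, so
# the HKCU and HKLM variants (and RunOnce) all hit.
RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)


def indicators(cfg):
    """Normalise the config into the comparable atoms the matcher needs."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],  # Windows mutex names are case-sensitive, keep as-is
        "install_file": cfg["install_file"].lower(),
        "install_dir": cfg["install_dir"].lower(),
        "run_values": {cfg["regkey_hkcu"].lower(), cfg["regkey_hklm"].lower()},
        "injected": cfg["injected_process"].lower(),
    }


def match_event(ev, ind):
    """Return the reasons an event matches the config (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        key = ev.get("key", "").lower()
        name = ev.get("value_name", "").lower()
        data = ev.get("data", "").lower()
        if any(k in key for k in RUN_KEYS) and (name in ind["run_values"] or ind["install_file"] in data):
            hits.append("autostart value %s under %s" % (ev.get("value_name"), ev.get("key")))
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        # Only the file name and the directory component are taken from the
        # config; the rest of the path is not asserted.
        if image.endswith("\\" + ind["install_file"]) and "\\" + ind["install_dir"] + "\\" in image:
            hits.append("dropped copy executed: %s" % ev.get("image"))
    elif kind == "dns_query":
        if ev.get("query", "").lower() == ind["c2_host"]:
            hits.append("C2 name resolution: %s" % ev.get("query"))
    elif kind == "network_connect":
        if ev.get("dest_host", "").lower() == ind["c2_host"] and int(ev.get("dest_port", 0)) == ind["c2_port"]:
            hits.append("C2 connection: %s:%s" % (ev.get("dest_host"), ev.get("dest_port")))
    elif kind == "mutex_create":
        if ev.get("name") == ind["mutex"]:
            hits.append("config mutex created: %s" % ev.get("name"))
    elif kind == "set_thread_context":
        # Cross-process SetThreadContext on the configured injection target is
        # the hollowing pattern the report's last signature flags.
        target = ev.get("target_image", "").lower()
        if target.endswith("\\" + ind["injected"]) and ev.get("pid") != ev.get("target_pid"):
            hits.append("remote SetThreadContext on %s" % ev.get("target_image"))
    return hits


def scan(events, cfg=CONFIG):
    """Run every event through the matcher; return [(event_index, reasons), ...]."""
    ind = indicators(cfg)
    return [(i, match_event(ev, ind)) for i, ev in enumerate(events) if match_event(ev, ind)]


# Constructed telemetry (not from the sandbox run): true positives for each
# indicator plus benign noise that must not match. The install path is assumed.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "driv", "data": r"C:\Windows\system32\drivers\servces.exe"},
    {"type": "registry_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "value_name": "driv", "data": r"C:\Windows\system32\drivers\servces.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process_create", "image": r"C:\Windows\system32\drivers\servces.exe", "pid": 1234},
    {"type": "process_create", "image": r"C:\Windows\system32\services.exe", "pid": 612},
    {"type": "dns_query", "query": "denemeolur1.no-ip.org", "pid": 1234},
    {"type": "network_connect", "dest_host": "denemeolur1.no-ip.org", "dest_port": 81, "pid": 1234},
    {"type": "network_connect", "dest_host": "denemeolur1.no-ip.org", "dest_port": 443, "pid": 1234},
    {"type": "mutex_create", "name": "asdqwe54", "pid": 1234},
    {"type": "mutex_create", "name": "ASDQWE54", "pid": 4321},
    {"type": "set_thread_context", "pid": 1234, "target_pid": 2020, "target_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        for reason in reasons:
            print("event %2d: %s" % (idx, reason))
```

Three practical points the matcher encodes: no-ip.org is a dynamic DNS service, so the resolved address can change at any time and the hunt keys on the DNS name rather than an IP; the mutex comparison is exact because Windows named objects are case-sensitive, so a look-alike name with different case (event 9) is deliberately not a hit; and the SetThreadContext rule fires only for a cross-process call into the configured target, which is what distinguishes hollowing from a process adjusting its own threads.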

Targets

    • Target

      c2111180adbb1816c083e3d245c7f5c1

    • CyberGate, Rebhip

      CyberGate is a Delphi-based remote access trojan with a wide array of functionalities (keylogging, file and process management, remote shell, webcam and screen capture); Rebhip is the name under which several AV engines detect the same family.

    • Adds policy Run key to start application

      Persistence through the policy autostart key (...\Policies\Explorer\Run), consistent with install_flag = true and the Run-value name "driv" in the config above.

    • Modifies Installed Components in the registry

      Writes under Active Setup (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components), a second autostart location that runs once per user at logon.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

      Launches the dropped copy of itself (install_file servces.exe in the config).

    • UPX packed file

      Detects executables packed with UPX or a modified UPX open-source packer; unpack before static analysis.

    • Adds Run key to start application

      Persistence through HKCU and HKLM ...\CurrentVersion\Run, matching regkey_hkcu and regkey_hklm "driv".

    • Suspicious use of SetThreadContext

      Typical of process hollowing; consistent with injected_process = explorer.exe in the config.
