General
-
Target
c2c6b9b2ec0b30df7e09ee60e254724b
-
Size
403KB
-
Sample
240312-h58qbsdd33
-
MD5
c2c6b9b2ec0b30df7e09ee60e254724b
-
SHA1
f8092391f8fc52f062e79ded88aaf700e5df5805
-
SHA256
14f08cf65757ace423f6dee88b9e1cfbfb3cafe04c5ddfe7258c29a8b3bae140
-
SHA512
1a3611188d1bc618d1cf6fccdaf2f451e82b507b9036c4fe625e692db4270c8a8601654ca876554a905453f56f9e483d3e65bd2046dfd19e1ff05f0c93a4ab86
-
SSDEEP
6144:kVnsmzOsu+BgmHpY2uAyQHQuojOWmDMrf7Sd+xcrRIPCVNCTT9YqDOS:WXggp8AFHDMzudTrZVcv
Behavioral task
behavioral1
Sample
c2c6b9b2ec0b30df7e09ee60e254724b.exe
Resource
win7-20240220-en
Malware Config
Extracted
cybergate
v1.07.5
remote
ayoubass.no-ip.biz:81
L115C1WLVN5555
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
c2c6b9b2ec0b30df7e09ee60e254724b
-
Size
403KB
-
MD5
c2c6b9b2ec0b30df7e09ee60e254724b
-
SHA1
f8092391f8fc52f062e79ded88aaf700e5df5805
-
SHA256
14f08cf65757ace423f6dee88b9e1cfbfb3cafe04c5ddfe7258c29a8b3bae140
-
SHA512
1a3611188d1bc618d1cf6fccdaf2f451e82b507b9036c4fe625e692db4270c8a8601654ca876554a905453f56f9e483d3e65bd2046dfd19e1ff05f0c93a4ab86
-
SSDEEP
6144:kVnsmzOsu+BgmHpY2uAyQHQuojOWmDMrf7Sd+xcrRIPCVNCTT9YqDOS:WXggp8AFHDMzudTrZVcv
-
Modifies firewall policy service
-
Adds policy Run key to start application
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Defense Evasion
Modify Registry
8Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3