General

  • Target

    c8d63fabb444fefb5199df3be8f67fb421fe96ec4301a3709253ee1a7729022a

  • Size

    1008KB

  • Sample

    240313-a69p1shg73

  • MD5

    65ba853b862ef14ef7e0f0fc2b899d45

  • SHA1

    71427e66914058ea4fbba7e20b8e9f661401c273

  • SHA256

    c8d63fabb444fefb5199df3be8f67fb421fe96ec4301a3709253ee1a7729022a

  • SHA512

    bdf62ecf5e0e7316534886f80001c44909687649538bc2523820d06897ab821a78fd50891c318dc07a98154fce79a168a3260918e310d919fde0328da1046e93

  • SSDEEP

    12288:+pqiC/2OGAtkCP4cejGSOpRKxC1T79AihWFkQ4eqHR1Jx0dWQLkpLHjwtQ:+po/2+ttPJLfpRKxC4IWWW6Hn

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

EL NUEVO FDP

C2

operspicaz.no-ip.biz:1982

infosfenix.no-ip.org :6001

Mutex

Java(TM) Plarform SE 9 U19

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./novo/

  • ftp_interval

    30

  • injected_process

    jusched.exe

  • install_dir

    Java\jre6\bin

  • install_file

    java(TM).exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Targets

    • Target

      c8d63fabb444fefb5199df3be8f67fb421fe96ec4301a3709253ee1a7729022a

    • Size

      1008KB

    • MD5

      65ba853b862ef14ef7e0f0fc2b899d45

    • SHA1

      71427e66914058ea4fbba7e20b8e9f661401c273

    • SHA256

      c8d63fabb444fefb5199df3be8f67fb421fe96ec4301a3709253ee1a7729022a

    • SHA512

      bdf62ecf5e0e7316534886f80001c44909687649538bc2523820d06897ab821a78fd50891c318dc07a98154fce79a168a3260918e310d919fde0328da1046e93

    • SSDEEP

      12288:+pqiC/2OGAtkCP4cejGSOpRKxC1T79AihWFkQ4eqHR1Jx0dWQLkpLHjwtQ:+po/2+ttPJLfpRKxC4IWWW6Hn

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Detects binaries and memory artifacts referencing sandbox product IDs

    • UPX dump on OEP (original entry point)

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks