General

  • Target

    cb46c0d6e0fd8c2c63ad1fef2363cd90

  • Size

    404KB

  • Sample

    240315-ngc7eahc34

  • MD5

    cb46c0d6e0fd8c2c63ad1fef2363cd90

  • SHA1

    443caea99bc26e37b7d526561beb431a22a6c73a

  • SHA256

    00a34c4f5f42bddd5e71cbdb417ca650f100f0b342e6dcc8b9198006365dd916

  • SHA512

    2a0ef69e92a389c95aac1cb990ed58dc7ffffcbcc73a5c55b9a0d718ed87a5dda9ce53d5ed25a9e0b472bf132d77a675f5b6b61c93bbd2606f2876160b577927

  • SSDEEP

    6144:cV1OAurpFyHemqzYBQCZztwoGpbaOJNMDdpyPlmbcbIx/dLHBKP:8slpFyHfLBfZBe0pyN3bIxZ0P

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    XXXXX

  • C2

    199.no-ip.info:12345

  • Mutex

    Fuckedintheasss

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    Explorer.exe

  • install_dir

    Microsoft_KLB8187

  • install_file

    Windefender.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    assfucked

  • regkey_hkcu

    ePower Management

  • regkey_hklm

    Adobe Reader Tray

Targets

    • Target

      cb46c0d6e0fd8c2c63ad1fef2363cd90

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15