General

  • Target

    cbc7d9e761f5fb361eb0207e5d04809d

  • Size

    344KB

  • Sample

    240315-sz453aca5x

  • MD5

    cbc7d9e761f5fb361eb0207e5d04809d

  • SHA1

    cc420a886364d0a67b9bb60390716b364f56b175

  • SHA256

    04fdfec50c939d4733c63934cdb4d0d0230107a8724eaa4c09643c05b02ad715

  • SHA512

    f39e587ef8bb933400e31decf439e609abfed094fdbc04547728411f0a6be0b3bb1025a48360a9c120464dd705086bc1d12a2dbb36c7c634e1412cc4b45b558d

  • SSDEEP

    6144:h2TFGGEwdLFB2nTIbTU81sfZMC7mjDkohdf1k/phjQveI2iyPE4S:mUGflFB2n8fh+7ohddkVI2iyP

Malware Config

Extracted

  • Family

    cybergate

  • Version

    2.6

  • Botnet

    MMMM

  • C2

    logao500.no-ip.org:1337

  • Mutex

    ((Word))

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Abutafog

  • install_file

    Abutafog.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
