General
-
Target
cbde9bb059cd4c4b9594776cafe124e6
-
Size
400KB
-
Sample
240315-tvkfjafb26
-
MD5
cbde9bb059cd4c4b9594776cafe124e6
-
SHA1
21c315c6b81440baa5c93d32b6916467a108651d
-
SHA256
34b82111250b75b694fef3abb954c8dd45966385fc50e3012028d341c08ca24a
-
SHA512
ad3201c84a9b2bbc42b4183bcd4c1de9de006975c7cdc7c1288c98f12c9224676a8035c62db4ae3015fe0c1fb58f9a67960a9e81360fc0d4f7e4f4e4eea487d3
-
SSDEEP
6144:aeepBpYbpP+crf5/lJ2ixU1WOTYmF4b1WAE1fMTyWLXXxQ0yCyz9OmAp/vQYNy:NePebAinOTINEbmXXxXyCb4
Static task
static1
Behavioral task
behavioral1
Sample
cbde9bb059cd4c4b9594776cafe124e6.exe
Resource
win7-20240221-en
Malware Config
Extracted
cybergate
v1.02.0
remote
7r0.no-ip.info:81
D2LEMBP4H7F0LB
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Winbooter
-
install_file
Explorer1.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
cybergate
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Targets
-
Target
cbde9bb059cd4c4b9594776cafe124e6
-
Size
400KB
-
MD5
cbde9bb059cd4c4b9594776cafe124e6
-
SHA1
21c315c6b81440baa5c93d32b6916467a108651d
-
SHA256
34b82111250b75b694fef3abb954c8dd45966385fc50e3012028d341c08ca24a
-
SHA512
ad3201c84a9b2bbc42b4183bcd4c1de9de006975c7cdc7c1288c98f12c9224676a8035c62db4ae3015fe0c1fb58f9a67960a9e81360fc0d4f7e4f4e4eea487d3
-
SSDEEP
6144:aeepBpYbpP+crf5/lJ2ixU1WOTYmF4b1WAE1fMTyWLXXxQ0yCyz9OmAp/vQYNy:NePebAinOTINEbmXXxXyCb4
-
Adds policy Run key to start application
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence check before the payload runs.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Redirects a thread's execution context in another process; together with the configured injected_process (explorer.exe) this is consistent with process hollowing into Explorer.
-
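Added example (not part of the sandbox report and not CyberGate's own code): it parses the extracted configuration above in the key-then-value layout the page uses, derives host and network indicators from it, and checks constructed, vendor-neutral telemetry events for the behaviours the report lists (autostart entries in Run, policy Run and Active Setup "Installed Components" locations, beaconing to the configured C2, and the implant touching explorer.exe). Assumptions: "Installed Components" is read as the Active Setup StubPath location, regkey_hkcu/regkey_hklm are read as the Run value names, and the install root is unknown, so only the tail `Winbooter\Explorer1.exe` is matched. The events are constructed for the example; nothing is taken from a real host.

```python
"""Derive indicators from the extracted CyberGate config and check sample events."""
from dataclasses import dataclass

# Key/value listing as it appears on the report page: a key line followed by one
# or more value lines. Only the fields this example uses are reproduced.
CONFIG_TEXT = """\
remote
7r0.no-ip.info:81
D2LEMBP4H7F0LB
enable_keylogger
true
injected_process
explorer.exe
install_dir
Winbooter
install_file
Explorer1.exe
install_flag
true
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM
"""

KNOWN_KEYS = {"remote", "enable_keylogger", "injected_process", "install_dir",
              "install_file", "install_flag", "password", "regkey_hkcu", "regkey_hklm"}

# Autostart locations behind the report's three registry signatures. Reading
# "Installed Components" as the Active Setup StubPath key is an assumption.
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\active setup\installed components",
)


def parse_config(text: str) -> dict:
    """Turn the page's key-then-value layout into {key: [values]}. A line that
    is not a known key is appended to the most recent key, which is how the
    two 'remote' values end up together."""
    cfg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "-":
            continue
        if line in KNOWN_KEYS:
            current = line
            cfg.setdefault(current, [])
        elif current is not None:
            cfg[current].append(line)
    return cfg


@dataclass(frozen=True)
class Indicators:
    c2_host: str
    c2_port: int
    install_tail: str        # "<install_dir>\<install_file>", root directory unknown
    injected_process: str
    run_value_names: frozenset


def derive_indicators(cfg: dict) -> Indicators:
    host, port = cfg["remote"][0].rsplit(":", 1)
    return Indicators(
        c2_host=host.lower(),
        c2_port=int(port),
        install_tail=(cfg["install_dir"][0] + "\\" + cfg["install_file"][0]).lower(),
        injected_process=cfg["injected_process"][0].lower(),
        # regkey_hkcu / regkey_hklm read as the Run value names (assumption)
        run_value_names=frozenset(v.lower() for v in cfg["regkey_hkcu"] + cfg["regkey_hklm"]),
    )


def match_events(ind: Indicators, events: list) -> list:
    """Return (event index, reason) for each constructed event hitting an indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "registry_set":
            under_autostart = any(r in ev["key"].lower() for r in RUN_KEYS)
            if under_autostart and ind.install_tail in ev["data"].lower():
                hits.append((i, "autostart entry pointing at " + ind.install_tail))
        elif ev["type"] == "network":
            if ev["dest_host"].lower() == ind.c2_host and ev["dest_port"] == ind.c2_port:
                hits.append((i, "connection to configured C2"))
        elif ev["type"] == "process_access":
            src_ok = ind.install_tail in ev["source_image"].lower()
            dst_ok = ev["target_image"].lower().endswith("\\" + ind.injected_process)
            if src_ok and dst_ok:
                hits.append((i, "implant opened handle to " + ind.injected_process))
    return hits


# Constructed events: three mirroring the report's behaviours, two benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKLM",
     "data": r"C:\Windows\system32\Winbooter\Explorer1.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "network", "dest_host": "7r0.no-ip.info", "dest_port": 81},
    {"type": "network", "dest_host": "update.microsoft.com", "dest_port": 443},
    {"type": "process_access",
     "source_image": r"C:\Windows\system32\Winbooter\Explorer1.exe",
     "target_image": r"C:\Windows\explorer.exe"},
]


def run_demo() -> list:
    return match_events(derive_indicators(parse_config(CONFIG_TEXT)), SAMPLE_EVENTS)


if __name__ == "__main__":
    for idx, why in run_demo():
        print(idx, why)
```

Matching on the path tail rather than a full path keeps the check valid whether the dropper lands under System32 (as the "Drops file in System32 directory" signature suggests) or elsewhere; the benign OneDrive Run entry and the port-443 connection show that the autostart location or the port alone is not enough to fire.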