General

  • Target

    cc2908ad16283c8275dbea39dd762480

  • Size

    910KB

  • Sample

    240315-xhf45agb8y

  • MD5

    cc2908ad16283c8275dbea39dd762480

  • SHA1

    00b6cac132e27a200d91615773135b55da224c10

  • SHA256

    4451845cbd95ea1225340ab35096daeeff626d5a8c538b06492cdfaf0d4b11f6

  • SHA512

    398f536bc475c85d33f2fd000b8e42db4df8b5ba6ec9d869872cff35de0db6a16c660c69f5023608abf3f04740ef90b887f09fc50deec41fedc5e2bbebcb6bd0

  • SSDEEP

    12288:8ZjMLf11MmPQeRXEHYYS3gA0FJO1t37nMtfM6JrcmIH3cUKnqLej/PJ5Reg:8afIiy4NwdLTtfBre5KnqkJJ

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    bisou

  • C2

    127.0.0.1:81

  • Mutex

    R0WAH730645N01

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory
