General

  • Target

    cce4eabc36dc02963c964cf02b19f8d1

  • Size

    431KB

  • Sample

    240316-c3yvfsbg39

  • MD5

    cce4eabc36dc02963c964cf02b19f8d1

  • SHA1

    292dbda9fbd0181e5c9a34669c6db0ccad601812

  • SHA256

    e249d51228e1d27ae9fb4ada896dc2b185d8d9dece31a1b4a445e07993907e2d

  • SHA512

    bf6be63bb2a6ffc606a5c9419f38507d2ded56861dd8f9300ceff42b0d9da64b764364a1221686223737a908d770245fde5e268b7a3dc24d083d237c30c99044

  • SSDEEP

    6144:oweKa0YWNbOvg8dvoTw2IgYXbxx5Y3gzYeUOTqyle7YgHd1W/WA0cfUTv5GUn0Rr:ow9x+Q+RXbQkKOTqy47YC6WArea4F

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÈÑäÇãÌ ÊÍæíá (CP1256 bytes rendered as Latin-1; decoded, the Arabic برنامج تحويل, "conversion program")

C2

mohmed113.no-ip.biz:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    system 32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

texto da mensagem (Portuguese: "message text")

  • message_box_title

título da mensagem (Portuguese: "message title"; the í was lost in extraction)

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
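
The extracted configuration above, turned into a checkable IOC set. This is an added example, not part of the Triage report or of CyberGate's own code. It assumes the botnet ID is CP1256 (Windows Arabic) bytes that the sandbox displayed as Latin-1, and the observable kinds and values handed to match_observable are constructed for illustration.

```python
# Added example (not from the Triage report): normalise the extracted CyberGate
# config into a machine-checkable IOC set and repair the mis-encoded botnet ID.
from typing import Dict, Optional, Tuple

# Values copied from the "Extracted" section of the report.
EXTRACTED_CONFIG: Dict[str, str] = {
    "family": "cybergate",
    "version": "2.6",
    "botnet": "ÈÑäÇãÌ ÊÍæíá",          # shown mis-encoded by the sandbox
    "c2": "mohmed113.no-ip.biz:288",
    "mutex": "***MUTEX***",
    "install_file": "system 32.exe",
    "injected_process": "svchost.exe",
    "ftp_directory": "./logs/",
    "password": "abcd1234",
}


def repair_mojibake(text: str, codepage: str = "cp1256") -> str:
    """Undo a legacy code page being displayed as Latin-1.

    Re-encoding as Latin-1 recovers the original single bytes; decoding those
    with the assumed code page (cp1256 = Windows Arabic) yields the real text.
    """
    return text.encode("latin-1").decode(codepage)


def parse_c2(c2: str) -> Tuple[str, int]:
    """Split 'host:port' into (host, port); raises on a malformed value."""
    host, sep, port = c2.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"malformed C2 field: {c2!r}")
    return host, int(port)


def build_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    host, port = parse_c2(cfg["c2"])
    return {
        "family": cfg["family"],
        "c2_host": host,
        "c2_port": port,
        "botnet_id_raw": cfg["botnet"],
        "botnet_id": repair_mojibake(cfg["botnet"]),
        "mutex": cfg["mutex"],
        "install_file": cfg["install_file"],
        "injected_process": cfg["injected_process"],
    }


def match_observable(iocs: Dict[str, object], kind: str, value: str) -> Optional[str]:
    """Return a reason string if an observable matches an IOC, else None.

    kind is 'dns', 'netflow' ('host:port'), 'mutex' or 'filename'. Host and
    file-name comparisons are case-insensitive; the mutex compare is exact.
    """
    v = value.strip().lower()
    c2_host = str(iocs["c2_host"]).lower()
    if kind == "dns":
        return f"DNS query for CyberGate C2 {iocs['c2_host']}" if v.rstrip(".") == c2_host else None
    if kind == "netflow":
        host, port = parse_c2(v)
        if host == c2_host and port == iocs["c2_port"]:
            return f"connection to CyberGate C2 {host}:{port}"
        return None
    if kind == "mutex":
        return "CyberGate default mutex" if value == iocs["mutex"] else None
    if kind == "filename":
        if v.rsplit("\\", 1)[-1] == str(iocs["install_file"]).lower():
            return "CyberGate install file name (note the space in 'system 32.exe')"
        return None
    raise ValueError(f"unknown observable kind: {kind!r}")


if __name__ == "__main__":
    iocs = build_iocs(EXTRACTED_CONFIG)
    print(iocs)
    # Constructed observables, not real telemetry.
    for kind, value in [("dns", "MOHMED113.no-ip.biz."),
                        ("filename", r"C:\Windows\System32\system 32.exe"),
                        ("netflow", "mohmed113.no-ip.biz:80")]:
        print(kind, value, "->", match_observable(iocs, kind, value))
```

The file-name rule matches on the exact basename "system 32.exe" rather than a substring, so the legitimate "system32" directory name never fires; the DNS rule strips a trailing dot because resolver logs often record FQDNs in absolute form.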

Targets

    • Target

      cce4eabc36dc02963c964cf02b19f8d1

    • CyberGate, Rebhip

CyberGate (also detected under the name Rebhip) is a remote access trojan marketed as a "remote administration tool". The configuration extracted above shows what this build has switched on: keylogging (enable_keylogger), installation as "system 32.exe" with Run-key persistence (install_flag), and injection into svchost.exe. The FTP log-upload option is present but disabled (keylogger_enable_ftp = false).

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

Reads the country code stored in the registry (locale settings); this is typically a geofence that changes behaviour by victim region.

    • Executes dropped EXE

    • UPX packed file

Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
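
The behavioural signatures above, applied to host telemetry. This is an added example and not part of the Triage report; the Sysmon-style event shape, the registry paths assumed to underlie the three persistence signatures (Run, Policies\Explorer\Run, Active Setup Installed Components) and the events themselves are constructed for illustration. The value names HKCU/HKLM in the constructed Run entries mirror the regkey_hkcu/regkey_hklm fields of the extracted config, which is an assumption about how the sample uses them.

```python
# Added example (not from the Triage report): apply the report's behavioural
# signatures to constructed, Sysmon-style events. The event shape and the
# registry paths below are assumptions, not something the report states.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Registry locations assumed to underlie "Adds Run key", "Adds policy Run key"
# and "Modifies Installed Components"; the report itself names only HKCU/HKLM.
PERSISTENCE_RULES = [
    ("run_key", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("policy_run_key", re.compile(r"\\Policies\\Explorer\\Run\\", re.I)),
    ("active_setup", re.compile(r"\\Active Setup\\Installed Components\\", re.I)),
]
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
INSTALL_FILE = "system 32.exe"        # install_file from the extracted config
INJECT_TARGET = "svchost.exe"         # injected_process from the extracted config


@dataclass
class Event:
    """Minimal Sysmon-like event: a kind plus only the fields the rules need."""
    kind: str                         # 'file_create' | 'registry_set' | 'process_create'
    fields: Dict[str, str] = field(default_factory=dict)


# Constructed events (not real telemetry) modelling this sample's install phase,
# plus benign noise that must not fire.
SAMPLE_EVENTS = [
    Event("file_create", {"image": r"C:\Users\u\Desktop\invoice.exe",
                          "target": r"C:\Windows\System32\system 32.exe"}),
    Event("registry_set", {"image": r"C:\Windows\System32\system 32.exe",
                           "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
                           "details": r"C:\Windows\System32\system 32.exe"}),
    Event("registry_set", {"image": r"C:\Windows\System32\system 32.exe",
                           "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKLM",
                           "details": r"C:\Windows\System32\system 32.exe"}),
    Event("registry_set", {"image": r"C:\Windows\System32\system 32.exe",
                           "target": r"HKLM\Software\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath",
                           "details": r"C:\Windows\System32\system 32.exe"}),
    Event("process_create", {"image": r"C:\Windows\System32\svchost.exe",
                             "parent_image": r"C:\Windows\System32\system 32.exe"}),
    Event("process_create", {"image": r"C:\Windows\System32\svchost.exe",
                             "parent_image": r"C:\Windows\System32\services.exe"}),
    Event("registry_set", {"image": r"C:\Program Files\OneDrive\OneDrive.exe",
                           "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                           "details": r"C:\Program Files\OneDrive\OneDrive.exe /background"}),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs; persistence rules correlate on the dropped file."""
    hits: List[Tuple[str, str]] = []
    dropped: set = set()          # lower-cased System32 paths flagged in this run
    for ev in events:
        f = ev.fields
        if ev.kind == "file_create" and SYSTEM32_RE.match(f["target"]):
            name = basename(f["target"])
            # A space inside an executable name that imitates the system32
            # directory name is the tell the config's install_file gives us.
            if name == INSTALL_FILE or " " in name:
                dropped.add(f["target"].lower())
                hits.append(("system32_drop", f["target"]))
        elif ev.kind == "registry_set":
            pointed_at = f["details"].lower()
            refers_to_drop = INSTALL_FILE in pointed_at or any(d in pointed_at for d in dropped)
            for rule, rx in PERSISTENCE_RULES:
                if rx.search(f["target"]) and refers_to_drop:
                    hits.append((rule, f["target"]))
                    break
        elif ev.kind == "process_create":
            parent = basename(f["parent_image"])
            # Genuine svchost.exe instances are started by services.exe. One
            # spawned by the dropped file is the hollowing pattern behind the
            # SetThreadContext signature: start suspended, rewrite, resume.
            if basename(f["image"]) == INJECT_TARGET and parent != "services.exe":
                hits.append(("svchost_odd_parent", f["parent_image"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:20} {evidence}")
```

The persistence rules only fire when the written value points at the file the run already flagged (or at the config's install_file name), which is what keeps the OneDrive Run entry quiet; an ordinary "any Run key write" rule would page on every installer.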

MITRE ATT&CK Enterprise v15