General

  • Target

    ccd7d0f2a3ace2f99864584aead863ab

  • Size

    924KB

  • Sample

    240316-ck5kaahd5z

  • MD5

    ccd7d0f2a3ace2f99864584aead863ab

  • SHA1

    f666e955ceb8018818e238ba4fad3705afc96937

  • SHA256

    bc8a67e5eb696b837f52fe568ffdd7d46ae22ec17dd7941111c165718e8e6fe7

  • SHA512

    30ce73dd9ffdfd8ecff03c097b41cebef200982b65279563cbe5c3a9ff92aabc9fa62566d151fa40c71b4b0a30d86319bb8af0eb24bad369cb332e1d9226e83a

  • SSDEEP

    12288:Adp6FM6GSd46QdU1aadk/FYXpIImDoD2cZvk2N0l32pQwgY8sacuZrUl3wF:AzsM63dUdUJdk/FYZIfDoV7sa9wrU

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

gnid0s

C2

109.236.61.60:81

109.236.61.60:80

109.236.61.60:120

109.236.61.60:800

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • install_dir

    Microsoft

  • install_file

    Opera.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem (Portuguese: "message text"; unused, since enable_message_box is false)

  • message_box_title

    título da mensagem (Portuguese: "message title"; unused, since enable_message_box is false)

  • password

    gnidos

  • regkey_hkcu

    Opera

  • regkey_hklm

    Opea
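The extracted configuration above is directly usable as a hunt list: the C2 socket pairs, the install directory and file name, the two Run-key value names and the mutex. The script below, an added example and not part of the sandbox report, walks constructed host and network telemetry and flags records that match those values. Assumptions not stated on the page: that the install path sits under System32 (the report says only "Drops file in System32 directory"), the two Run-key locations (standard Run and the Policies\Explorer\Run key behind "Adds policy Run key"), and the shape of the telemetry records.

```python
"""Match the CyberGate config values from the report against host/network events.

Added example, not code from the sandbox or the malware. The event dicts,
the Run-key locations and the System32 install layout are assumptions.
"""

# Values copied from the report's extracted config.
CONFIG = {
    "c2_host": "109.236.61.60",
    "c2_ports": {81, 80, 120, 800},
    "install_dir": "Microsoft",
    "install_file": "Opera.exe",
    # Both value names are accepted in either hive: "Opea" is a typo in the
    # operator's build, and matching loosely costs nothing here.
    "run_value_names": {"Opera", "Opea"},
    "mutex": "***MUTEX***",
}

# Assumed key paths: the classic Run key and the policy Run key the report
# flags under "Adds policy Run key". Compared case-insensitively by suffix.
RUN_KEY_SUFFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)


def match_network(ev):
    """Flag a flow to the configured C2 host on any of its configured ports."""
    if ev["dst_ip"] == CONFIG["c2_host"] and ev["dst_port"] in CONFIG["c2_ports"]:
        return f"c2 beacon {ev['dst_ip']}:{ev['dst_port']}"
    return None


def match_registry(ev):
    """Flag a Run-key value whose name matches the configured persistence names."""
    key = ev["key"].lower()
    if not any(key.endswith(suffix) for suffix in RUN_KEY_SUFFIXES):
        return None
    names = {n.lower() for n in CONFIG["run_value_names"]}
    if ev["value_name"].lower() in names:
        return f"run key {ev['hive']}\\{ev['key']}\\{ev['value_name']}"
    return None


def match_file(ev):
    """Flag any path ending in <install_dir>\\<install_file>, e.g. under System32.

    The parent-directory check keeps a real Opera browser install out of the hits.
    """
    path = ev["path"].replace("/", "\\").lower()
    suffix = f"\\{CONFIG['install_dir']}\\{CONFIG['install_file']}".lower()
    if path.endswith(suffix):
        return f"install file {ev['path']}"
    return None


def match_mutex(ev):
    """Flag creation of the configured mutex name (exact match)."""
    if ev["name"] == CONFIG["mutex"]:
        return f"mutex {ev['name']}"
    return None


MATCHERS = {
    "network": match_network,
    "registry": match_registry,
    "file": match_file,
    "mutex": match_mutex,
}


def scan(events):
    """Return a list of (event_type, reason) for every event that matches."""
    hits = []
    for ev in events:
        reason = MATCHERS[ev["type"]](ev)
        if reason:
            hits.append((ev["type"], reason))
    return hits


# Constructed telemetry: three hits expected from the malware's activity,
# plus benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "network", "dst_ip": "109.236.61.60", "dst_port": 81},    # hit
    {"type": "network", "dst_ip": "109.236.61.60", "dst_port": 443},   # port not configured
    {"type": "network", "dst_ip": "109.236.61.61", "dst_port": 81},    # different host
    {"type": "registry", "hive": "HKCU",
     "key": r"Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "Opera"},  # hit
    {"type": "registry", "hive": "HKLM",
     "key": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "value_name": "Opea"},                                             # hit
    {"type": "registry", "hive": "HKCU",
     "key": r"Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "OneDrive"},  # benign
    {"type": "file", "path": r"C:\Windows\System32\Microsoft\Opera.exe"},  # hit (assumed path)
    {"type": "file", "path": r"C:\Program Files\Opera\Opera.exe"},         # real browser, no hit
    {"type": "mutex", "name": "***MUTEX***"},                              # hit
]

if __name__ == "__main__":
    for kind, reason in scan(SAMPLE_EVENTS):
        print(f"[{kind}] {reason}")
```

The file matcher anchors on the `install_dir\install_file` pair rather than the bare file name; `Opera.exe` alone would light up every machine with the Opera browser, while a `Microsoft\Opera.exe` directory pair is a strong signal on its own.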

Targets

    • Target

      ccd7d0f2a3ace2f99864584aead863ab

    • Size

      924KB

    • MD5

      ccd7d0f2a3ace2f99864584aead863ab

    • SHA1

      f666e955ceb8018818e238ba4fad3705afc96937

    • SHA256

      bc8a67e5eb696b837f52fe568ffdd7d46ae22ec17dd7941111c165718e8e6fe7

    • SHA512

      30ce73dd9ffdfd8ecff03c097b41cebef200982b65279563cbe5c3a9ff92aabc9fa62566d151fa40c71b4b0a30d86319bb8af0eb24bad369cb332e1d9226e83a

    • SSDEEP

      12288:Adp6FM6GSd46QdU1aadk/FYXpIImDoD2cZvk2N0l32pQwgY8sacuZrUl3wF:AzsM63dUdUJdk/FYZIfDoV7sa9wrU

    • CyberGate, Rebhip

      CyberGate (also tracked as Rebhip) is a Delphi-based remote access trojan sold as a "remote administration tool"; the extracted config above shows its keylogger, FTP log exfiltration, registry persistence and message-box options.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

      Redirecting another thread's context is the usual final step of process hollowing or thread hijacking, where a dropped or spawned process is made to run injected code.

MITRE ATT&CK Enterprise v15
