General

  • Target

    c9ac28906628eb44fe598e433278b2a7.bin

  • Size

    344KB

  • Sample

    240316-ctlhrsbd46

  • MD5

    c9ac28906628eb44fe598e433278b2a7

  • SHA1

    1a369cfa24dec23afc03810ed78fd5b34987452f

  • SHA256

    48f4ac3afbc258c06776dd34985acde5df6ae885bc24dd6fcfa5dd3d97714f05

  • SHA512

    13e42058214301f94187ead976a0049653d7ab6db00ac70e7065435f893a9b96a73b7692b5b2ea908708327b502dcf39265a9a929b08c589f13344312ed92fa8

  • SSDEEP

    6144:Ccm5KSWIVQYTe44kt8l8qXsnQg+y23W9ZEWFicfjbrqd6WDxgT3Y3A:CcQa44H8Ysp+yMWgkXAjDxgT3Y3A

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Pedal

C2

127.0.0.1:81

whybifii.myftp.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    rundll

  • install_file

    rundll32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    rundll32

  • regkey_hklm

    rundll

Targets

    • Target

      c9ac28906628eb44fe598e433278b2a7.bin

    • Size

      344KB

    • MD5

      c9ac28906628eb44fe598e433278b2a7

    • SHA1

      1a369cfa24dec23afc03810ed78fd5b34987452f

    • SHA256

      48f4ac3afbc258c06776dd34985acde5df6ae885bc24dd6fcfa5dd3d97714f05

    • SHA512

      13e42058214301f94187ead976a0049653d7ab6db00ac70e7065435f893a9b96a73b7692b5b2ea908708327b502dcf39265a9a929b08c589f13344312ed92fa8

    • SSDEEP

      6144:Ccm5KSWIVQYTe44kt8l8qXsnQg+y23W9ZEWFicfjbrqd6WDxgT3Y3A:CcQa44H8Ysp+yMWgkXAjDxgT3Y3A

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks