General

  • Target

    cfcb797a57ffa7daf5cfc4cd8047ace4

  • Size

    305KB

  • Sample

    240317-dv937ade4x

  • MD5

    cfcb797a57ffa7daf5cfc4cd8047ace4

  • SHA1

    4545940f5e79c9e4d413a44190eb299b6616a1a9

  • SHA256

    a87a2ad0f5b6b5eadb3654a130e9d41424a90129ca929a0b404ce0bf15e74f14

  • SHA512

    4a76af29c89f22eb38677805e44150c97ae667a5d96c9ad20bf2cc3d5c36166ed9f9c67f755352bbae5f2b292cf165aa7c1e8f13d3ebe235f63cdfd19dc4b5e6

  • SSDEEP

    6144:nk4qmPOjrTQS3QWJTnS9JARmEkq2TW5HyQOkDJng:k9ISo70H6G2kd

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Kurban

C2

spy991.no-ip.org:8181

Mutex

***MUTEX***

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    svchost

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    1111

  • regkey_hkcu

    HKCU

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory
