General

  • Target

    cfcee69cb1926bbbe9b6b9bff5529f59

  • Size

    413KB

  • Sample

    240317-dz82padd37

  • MD5

    cfcee69cb1926bbbe9b6b9bff5529f59

  • SHA1

    242e53f8611a91e868baae5652231ce2d26b044a

  • SHA256

    7a053ac887f88da4c3c4f07da216cd1b146d7ab9d6e8c008140c2e8f3fe49372

  • SHA512

    de745f77e071d8eda60560306e691ccea960f77d4a2691e2113ec36ae2ca5c697fd4f75c6dc2b90c2ffb9262aa348b13b03b7a068f7a6d29c837e0051bc1c1bb

  • SSDEEP

    6144:LbQRMt41KYyd/6ubI6CTUP/OmZFemZeqA6FFecv0AjGV9KH6imusfjZMa:Lb61h86QhWMO1mMERvTG72Btxa

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    TUBCITY

  • C2

    missmollymars.dyndns.org:82

    togastand.zapto.org:82

  • Mutex

    5JM1U63858544G

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    60

  • injected_process

    java.exe

  • install_dir

    System32

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Please run as administrator!

  • message_box_title

    Data Execution Problem

  • password

    ALCOHOL101

  • regkey_hkcu

    Policies

  • regkey_hklm

    Policies

Targets

    • Target

      cfcee69cb1926bbbe9b6b9bff5529f59

    • Size

      413KB

    • MD5

      cfcee69cb1926bbbe9b6b9bff5529f59

    • SHA1

      242e53f8611a91e868baae5652231ce2d26b044a

    • SHA256

      7a053ac887f88da4c3c4f07da216cd1b146d7ab9d6e8c008140c2e8f3fe49372

    • SHA512

      de745f77e071d8eda60560306e691ccea960f77d4a2691e2113ec36ae2ca5c697fd4f75c6dc2b90c2ffb9262aa348b13b03b7a068f7a6d29c837e0051bc1c1bb

    • SSDEEP

      6144:LbQRMt41KYyd/6ubI6CTUP/OmZFemZeqA6FFecv0AjGV9KH6imusfjZMa:Lb61h86QhWMO1mMERvTG72Btxa

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks