General

  • Target

    d2fbf37f71c1ad3a863d10c9530a405a

  • Size

    381KB

  • Sample

    240318-jtxz5abh35

  • MD5

    d2fbf37f71c1ad3a863d10c9530a405a

  • SHA1

    c2e15cebe59a2257d87090d61746578f3d55e0dc

  • SHA256

    dc84b22662f9fae553acefc67187214561f02fe22bf6251bec85f6ad936a8103

  • SHA512

    aa5a33ccbd91098504ba5a7d916cff99847bcb730491e8aefde9261cd2696c53aff7bf80b09604c82798a3ccb94a1a0005abcd47000cfb7d5a5f37925117de70

  • SSDEEP

    6144:pc7bGqgzh4bXcukxIx048XtLEbavvmauYxD7A5UCz44sSIDgRLP:pc7bGB+bPkxh4i4avf379tDgpP

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    remote

  • C2

    happysoap.no-ip.info:81

  • Mutex

    3UHQQ67I22I60D

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    svhost

  • install_file

    svhost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      d2fbf37f71c1ad3a863d10c9530a405a

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified UPX (open-source packer).

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              ID         Count
  Persistence           Boot or Logon Autostart Execution      T1547      3
  Persistence           Registry Run Keys / Startup Folder     T1547.001  3
  Privilege Escalation  Boot or Logon Autostart Execution      T1547      3
  Privilege Escalation  Registry Run Keys / Startup Folder     T1547.001  3
  Defense Evasion       Modify Registry                        T1112      3
  Discovery             Query Registry                         T1012      1
  Discovery             System Information Discovery           T1082      2

Tasks