General

  • Target

    d54fe0fe99064b7a1e3b6db4aac87d13

  • Size

    214KB

  • Sample

    240319-f4ttnsag62

  • MD5

    d54fe0fe99064b7a1e3b6db4aac87d13

  • SHA1

    7aa9578e3ca5fd30f10de8a5c90a556085193572

  • SHA256

    3ad4e87985867c0e5313e37242a6a488b86b79085356975a32dde67bbd209856

  • SHA512

    e6643011f2f68b89985623211e0e9d90e2c5e8da3cc41b0968cb74cbbb40ac4c8cde3602401b4dda53bf17132afa8b8c7b0952e496b85cd8692384f7fed6953f

  • SSDEEP

    3072:zJem1ov4DMDwh9tvWbI8gDrXdQ+oJ96qKKaEv50QgzwuZptcniN:zJem+1atYI8StEzLKKV5HgzwuF

Malware Config

Extracted

Family

cybergate

Version

2.2.3

Botnet

vítima

C2

infectadito.sytes.net:81

Mutex

jajaja...

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    60

  • ftp_password

    deboletin123

  • ftp_port

    21

  • ftp_server

    ftp.deboleto.pe

  • ftp_username

    deboleto

  • injected_process

    explorer.exe

  • install_dir

    Win32

  • install_file

    notepad.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Error de compatibilidad

  • message_box_title

    RunDLL

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      d54fe0fe99064b7a1e3b6db4aac87d13

    • Size

      214KB

    • MD5

      d54fe0fe99064b7a1e3b6db4aac87d13

    • SHA1

      7aa9578e3ca5fd30f10de8a5c90a556085193572

    • SHA256

      3ad4e87985867c0e5313e37242a6a488b86b79085356975a32dde67bbd209856

    • SHA512

      e6643011f2f68b89985623211e0e9d90e2c5e8da3cc41b0968cb74cbbb40ac4c8cde3602401b4dda53bf17132afa8b8c7b0952e496b85cd8692384f7fed6953f

    • SSDEEP

      3072:zJem1ov4DMDwh9tvWbI8gDrXdQ+oJ96qKKaEv50QgzwuZptcniN:zJem+1atYI8StEzLKKV5HgzwuF

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks