General

Target: dbff07879c538b4a031dd7e866f307f2
Size: 1.7MB
Sample: 240321-s43sssgc9y
MD5: dbff07879c538b4a031dd7e866f307f2
SHA1: 379060d9d7f5137c96d1c6d841fad0f1ad212e27
SHA256: 2cadda88bd88792b1af7b862ecff967f4101ac6135cbeb176ee0512fb4c5193b
SHA512: cb524a05db0b7d8a809df3f8246847e8390c365313b24426180a9c42054d65b8718e8ffa0432dacd14945d83fe4139fb3a55afdfb3d73c59e1f896a19e81d8ae
SSDEEP: 49152:GSGkM7b3fZOH3yOHOugNTLbygC7kbcvYroFsomG2:G5T7zfZOXtHvIfb/C7kAL2
Behavioral tasks

behavioral1 - Sample: ACTIVA~1.exe - Resource: win7-20240221-en
behavioral2 - Sample: ACTIVA~1.exe - Resource: win10v2004-20240226-en
behavioral3 - Sample: DISCON~1.exe - Resource: win7-20240215-en
behavioral4 - Sample: DISCON~1.exe - Resource: win10v2004-20240319-en
Malware Config

Extracted: cybergate v1.07.5
remote: yah-crackers.no-ip.org:81, yah-crackers.no-ip.org:80
N4BWU1CUG7KKN1
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: sshost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
Targets

Target: ACTIVA~1.EXE
Size: 530KB
MD5: 9f364255f13d78f6b20d52820ea820ec
SHA1: 2ee3204092b74d83e79210e4f03960a5ebb57750
SHA256: 9ef3758b79cb7e402c4c68c00cd5a10e8a00a3673aa51ddc7ea4cdec9ffaf85f
SHA512: f1f73fb5d40d1a891b562d5f122d65194e7bc07b9d18a84ed62dcde998487c2220a55260bd51881c21097544f8327d4f7c4422a28829693790dfb5a5a00bb417
SSDEEP: 12288:FBOnwbGThnQi8IdUCzm8Fsxbv3IqTbZRdLVSfR3QnoS:FPssCzrFsxbvNZDW3
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: DISCON~1.EXE
Size: 4.8MB
MD5: dec9b3f0f8752a09e8d02e6130547cbe
SHA1: b41822135f534f2469e8f9b0e758826739eb85f3
SHA256: dfad39a0d306b9a7659f2ebe9bdb25e376e38fdfd712e548e1b9f2c3561d8554
SHA512: efc9e289662f25b2a0ad5a24d5fd0ced645ae5512579f8b6a1509d3a31dbe784bd8cd53e25168a2b8d56a65429bee126df1a5f03fbbb6e3f51423d437e80ac25
SSDEEP: 49152:pEy5qyKMQTgbT/AIk+n7/ruXHJoHhh9JyCLMyx46HFH:VQ83/AIk+7/SH8h4F6JH9
Score: 1/10
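The extracted config (C2 hosts and ports, injected process, install_dir and install_file) and the per-target hashes are the actionable part of this report. The Python below is an added worked example, not part of the sandbox output and not CyberGate's own code: it turns the config into three detection rules, runs them over constructed Sysmon-style log lines, and compares a file's digests with the hashes listed for each target. The log format, the field names (EventID, Image, QueryName, DestinationIp, DestinationPort, ParentImage), the file paths in the sample lines, and the join of install_dir and install_file as `install\sshost.exe` are all assumptions made for illustration; only the config values and hashes come from the report.

```python
"""Config-driven triage checks for the CyberGate sample described in the report.

Added example; not from the sandbox report and not CyberGate's code.
Event IDs follow the Sysmon convention (1 = process create, 3 = network
connect, 22 = DNS query); the log lines are constructed, the paths in them
are illustrative, not observed behaviour.
"""
import hashlib
import re

# Values copied from the report's "Malware Config" section.
CONFIG = {
    "family": "cybergate",
    "version": "v1.07.5",
    "remote": ["yah-crackers.no-ip.org:81", "yah-crackers.no-ip.org:80"],
    "injected_process": "explorer.exe",
    "install_dir": "install",
    "install_file": "sshost.exe",
}

# MD5 and SHA256 copied from the report's "Targets" section.
REPORTED_HASHES = {
    "ACTIVA~1.EXE": {
        "md5": "9f364255f13d78f6b20d52820ea820ec",
        "sha256": "9ef3758b79cb7e402c4c68c00cd5a10e8a00a3673aa51ddc7ea4cdec9ffaf85f",
    },
    "DISCON~1.EXE": {
        "md5": "dec9b3f0f8752a09e8d02e6130547cbe",
        "sha256": "dfad39a0d306b9a7659f2ebe9bdb25e376e38fdfd712e548e1b9f2c3561d8554",
    },
}


def iocs_from_config(cfg):
    """Normalise the config into lower-cased indicators that log fields can be compared to."""
    hosts, ports = set(), set()
    for remote in cfg["remote"]:
        host, _, port = remote.rpartition(":")
        hosts.add(host.lower())
        ports.add(port)  # kept as string: log fields are strings
    return {
        "hosts": hosts,
        "ports": ports,
        "injected_process": cfg["injected_process"].lower(),
        # Assumption: the implant lands at "<install_dir>\<install_file>"; the report
        # does not state the parent directory, so only the suffix is matched.
        "install_suffix": "\\" + cfg["install_dir"].lower() + "\\" + cfg["install_file"].lower(),
    }


# "<timestamp> Key=Value Key=Value ..." where values may contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def match_event(ev, iocs):
    """Return the names of the config-derived rules this event triggers."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    # DNS resolution of the configured C2 host: strongest single indicator here.
    if eid == "22" and ev.get("QueryName", "").lower() in iocs["hosts"]:
        hits.append("dns_query_to_c2")
    # Outbound connection on a configured C2 port from the process the config
    # says the RAT injects into. Port 80 from explorer.exe is noisy on its own;
    # treat it as corroboration for the DNS hit, not as a standalone alert.
    if (eid == "3" and ev.get("DestinationPort") in iocs["ports"]
            and image.endswith("\\" + iocs["injected_process"])):
        hits.append("c2_port_from_injected_process")
    # Any event whose image path ends in install_dir\install_file.
    if image.endswith(iocs["install_suffix"]):
        hits.append("install_artifact_executing")
    return hits


def scan(log_text, cfg=CONFIG):
    iocs = iocs_from_config(cfg)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = match_event(ev, iocs)
        if hits:
            findings.append((ev["ts"], ev.get("EventID"), hits))
    return findings


def check_against_report(data, target):
    """Compare a file's MD5/SHA256 with the hashes the report lists for `target`."""
    want = REPORTED_HASHES[target]
    got = {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}
    return {alg: got[alg] == want[alg] for alg in want}


# Constructed sample log (not from the report). Paths are illustrative.
SAMPLE_LOG = """\
2024-03-21T10:01:02Z EventID=22 Image=C:\\Windows\\install\\sshost.exe QueryName=yah-crackers.no-ip.org
2024-03-21T10:01:03Z EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=203.0.113.5 DestinationPort=81
2024-03-21T10:01:04Z EventID=1 Image=C:\\Windows\\System32\\install\\sshost.exe ParentImage=C:\\Users\\x\\ACTIVA~1.EXE
2024-03-21T10:02:00Z EventID=22 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe QueryName=example.com
2024-03-21T10:02:01Z EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=93.184.216.34 DestinationPort=443
"""

if __name__ == "__main__":
    for ts, eid, hits in scan(SAMPLE_LOG):
        print(ts, eid, ", ".join(hits))
    # A file that is not the sample matches none of the reported digests.
    print(check_against_report(b"not the real sample", "ACTIVA~1.EXE"))
```

Running it flags the DNS query and the two `install\sshost.exe` executions, and the port-81 connection from explorer.exe as corroboration; the two benign lines produce nothing. The hash check deliberately compares against the report's digests rather than trusting a filename, since `ACTIVA~1.EXE` is just an 8.3 short name.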