Overview

Task                   Platform             Score
overview                                    10/10
static                 static               10/10
ABO.exe                windows7-x64         10/10
ABO.exe                windows10-2004-x64   10/10
ABO.exe                windows7-x64         10/10
ABO.exe                windows10-2004-x64   10/10
Adobe.exe              windows7-x64         10/10
Adobe.exe              windows10-2004-x64   8/10
CGserver.exe           windows7-x64         10/10
CGserver.exe           windows10-2004-x64   10/10
COON.exe               windows7-x64         10/10
COON.exe               windows10-2004-x64   10/10
FFA.exe                windows7-x64         10/10
FFA.exe                windows10-2004-x64   10/10
FIle Rustyz bot.exe    windows7-x64         8/10
FIle Rustyz bot.exe    windows10-2004-x64   8/10
FrostBot v1.exe        windows7-x64         10/10
FrostBot v1.exe        windows10-2004-x64   10/10
Google.exe             windows7-x64         10/10
Google.exe             windows10-2004-x64   10/10
MORPH_9359...79.exe    windows7-x64         3/10
MORPH_9359...79.exe    windows10-2004-x64   3/10
Mycrypt.exe            windows7-x64         10/10
Mycrypt.exe            windows10-2004-x64   10/10
PortChecker.exe        windows7-x64         10/10
PortChecker.exe        windows10-2004-x64   10/10
R.exe                  windows7-x64         10/10
R.exe                  windows10-2004-x64   10/10
RSBOT.exe              windows7-x64
RSBOT.exe              windows10-2004-x64
Rustyz.exe             windows7-x64         10/10
Rustyz.exe             windows10-2004-x64   10/10
Rustyzzbot.exe         windows7-x64         10/10
Rustyzzbot.exe         windows10-2004-x64   10/10

General

Target: 4da9865240bd15b59025e9adcce95041_JaffaCakes118
Size: 3.6MB
Sample: 240716-k5z5asvekl
MD5: 4da9865240bd15b59025e9adcce95041
SHA1: aab7bae83afe0211b7bf41628f44e1edf699d28c
SHA256: b2b1f374822e760b574cff680d989d0f229bdaf9029acacb2449162b92bbc16b
SHA512: 3dc7df2d520eddc23e98337537a110ed5969222cdff76d5c7e83cffbbbf987431e09df91781789020019c32981c509e36535a74bc1913a7f5ac16359c6810ef9
SSDEEP: 98304:GKZWKZc2golKZ8L2djKbqFYNn1bPoxMk5Aq1boWoN7:GKMKu2DlKVWbqNxpoN7
Behavioral tasks

behavioral1    Sample: ABO.exe                  Resource: win7-20240704-en
behavioral2    Sample: ABO.exe                  Resource: win10v2004-20240709-en
behavioral3    Sample: ABO.exe                  Resource: win7-20240708-en
behavioral4    Sample: ABO.exe                  Resource: win10v2004-20240709-en
behavioral5    Sample: Adobe.exe                Resource: win7-20240704-en
behavioral6    Sample: Adobe.exe                Resource: win10v2004-20240709-en
behavioral7    Sample: CGserver.exe             Resource: win7-20240705-en
behavioral8    Sample: CGserver.exe             Resource: win10v2004-20240709-en
behavioral9    Sample: COON.exe                 Resource: win7-20240705-en
behavioral10   Sample: COON.exe                 Resource: win10v2004-20240709-en
behavioral11   Sample: FFA.exe                  Resource: win7-20240705-en
behavioral12   Sample: FFA.exe                  Resource: win10v2004-20240709-en
behavioral13   Sample: FIle Rustyz bot.exe      Resource: win7-20240704-en
behavioral14   Sample: FIle Rustyz bot.exe      Resource: win10v2004-20240709-en
behavioral15   Sample: FrostBot v1.exe          Resource: win7-20240704-en
behavioral16   Sample: FrostBot v1.exe          Resource: win10v2004-20240709-en
behavioral17   Sample: Google.exe               Resource: win7-20240708-en
behavioral18   Sample: Google.exe               Resource: win10v2004-20240709-en
behavioral19   Sample: MORPH_93594C2E8879.exe   Resource: win7-20240708-en
behavioral20   Sample: MORPH_93594C2E8879.exe   Resource: win10v2004-20240709-en
behavioral21   Sample: Mycrypt.exe              Resource: win7-20240705-en
behavioral22   Sample: Mycrypt.exe              Resource: win10v2004-20240709-en
behavioral23   Sample: PortChecker.exe          Resource: win7-20240704-en
behavioral24   Sample: PortChecker.exe          Resource: win10v2004-20240709-en
behavioral25   Sample: R.exe                    Resource: win7-20240704-en
behavioral26   Sample: R.exe                    Resource: win10v2004-20240709-en
behavioral27   Sample: RSBOT.exe                Resource: win7-20240705-en
behavioral28   Sample: RSBOT.exe                Resource: win10v2004-20240709-en
behavioral29   Sample: Rustyz.exe               Resource: win7-20240704-en
behavioral30   Sample: Rustyz.exe               Resource: win10v2004-20240709-en
behavioral31   Sample: Rustyzzbot.exe           Resource: win7-20240708-en
behavioral32   Sample: Rustyzzbot.exe           Resource: win10v2004-20240709-en
Malware Config

Extracted
Family: cybergate
Version: v1.04.8
Botnet: remote
C2: fearrusty.no-ip.info:82
Mutex: 0DO30B5W0TAO3W
Attributes:
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: Facebook.com
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate

Extracted
Family: cybergate
Version: v1.07.5
Botnet: Cyber
C2: op9.no-ip.biz:100
Mutex: H6Y643Q6J85D62
Attributes:
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: iTunes.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456

Extracted
Family: cybergate
Version: v1.02.0
Botnet: remote
C2:
- fearrusty.no-ip.info:82
- 127.0.0.1:999
- op9.no-ip.biz:82
Mutex: L0J8X1U03TC2TJ
Attributes:
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: csrss.exe
- install_dir: install
- install_file: iTunes.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 12345
Targets

Target: ABO.exe
Size: 283KB
MD5: 650f9f3426d6e9d5f2d93c638eb2c44c
SHA1: 925d0ab1a27ea91bc018c167435809b6908c3b97
SHA256: 6e7d83e76ecbd7f1a860aca8b5f6bd19c0aa730bd4f884a7e683716fa66900d6
SHA512: 4b1925996850886e3e423a81fb5d54002c3809d2244a4282784840db568be28728b45a6ac451537a2216b4c4cb7d95ac6b71ac66e34ef7935080804436144eda
SSDEEP: 6144:N4ABF94NpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK+:WUxGLE0kuGnESB+
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: ABO.exe.1
Size: 283KB
MD5: 650f9f3426d6e9d5f2d93c638eb2c44c
SHA1: 925d0ab1a27ea91bc018c167435809b6908c3b97
SHA256: 6e7d83e76ecbd7f1a860aca8b5f6bd19c0aa730bd4f884a7e683716fa66900d6
SHA512: 4b1925996850886e3e423a81fb5d54002c3809d2244a4282784840db568be28728b45a6ac451537a2216b4c4cb7d95ac6b71ac66e34ef7935080804436144eda
SSDEEP: 6144:N4ABF94NpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK+:WUxGLE0kuGnESB+
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: Adobe.exe
Size: 296KB
MD5: eea330542ac27446cf64b44d471b3a39
SHA1: 58f0ce5d435a55996c73df6a3a4ba5e1046a289d
SHA256: 415f00cda1dd9f55669b2b0ebe6488f23e079723c75da3d78277d80683615ddd
SHA512: c67925e19c3fdd55d1da2ed3833d967437907a458f32fec4963a8aa5d863ae4d195fe2bd3547e7e428558e8c2169148a4897dcbf2f3ecf5f0f6ff65058d66ffe
SSDEEP: 6144:/OpslFlq2hdBCkWYxuukP1pjSKSNVkq/MVJbJ:/wsl/TBd47GLRMTbJ
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: CGserver.exe
Size: 264KB
MD5: 94ae6b1aeef3dffc6b6e2ca472191f39
SHA1: cbbbe4b517bf30ce526444870d41307825688884
SHA256: bc86c552a4043dd054e346ce889fc577f4fe7f70ec796652f64bd8edaf14a50a
SHA512: 3b8831d15fd3f14f7c33df27169eaf7e13329c6772d5306be8d01667f64f314354ade90349bb309e8f8a3519786c3ba2a9c78f15c8c783fc7d43685d409fd9ad
SSDEEP: 6144:ukkojivbTsgtMX+UHalwvzYJMAZvRiBxta8nm3suAK:xk9syMX+k4wvz58R6xtTctAK
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: COON.exe
Size: 283KB
MD5: 08b1c9f40dab18bfb54311b61bca4cda
SHA1: c22d856fe1e40e44528ef221d852facd4b2c7e1b
SHA256: 51e9015ca0103b4abbed0f6d85d693d6b6c081bda99fcf2d0ad24ba96cbb3e46
SHA512: 610035f9af23d07817fc12953bdf6f0283497abedd18b8e62e7c062968f863512101b2b4d2a184e2a655a8184861aa2b41b50ae5f1e64f09293c712843951671
SSDEEP: 6144:N4ABF94zpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK+:WUHGLE0kuGnESB+
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: FFA.exe
Size: 652KB
MD5: 7589fe75123045e6f30eab511e55bc3a
SHA1: 34e473bb2385e923feccb4aa5375a56924893a31
SHA256: 747f15512f3b04420d0bc2264192fb1f8a4cdf81993afb191ae835d86b650cd8
SHA512: fba1f53b6c2e8954e906ba2343e2b1a9f0f88ae69df0eab567af3ece4bc93d6b5291cc55e0aaf2b3d7e7d4e5457ac95eaacbd027425e3fff9df467e28627adcf
SSDEEP: 12288:sRvnERMs3azRIMbcr6ZwchpZJmdhBPrx4PkAd5EBgv5gBjl:s5nm3fe5bMprx4c05EBgxgb
Signatures:
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: FIle Rustyz bot.exe
Size: 592KB
MD5: 9975548eab59876a15169a056766b298
SHA1: 4fedf79abf2c9c42720651d41290874aeb65669b
SHA256: ab41d268755d89e45bd724912a8ef248b75ea3a877217718561e81d8785adde8
SHA512: 769d7c8378c2ebcdbacf040fcf73e1940fd479edcace1a1348330720725db580c1a10d05397a4429e66d0b2fbb2dfebe4c73e7ac5de496f53f8d46779586b886
SSDEEP: 12288:0DGP2qDSgnZ6nf+A7OmRQqk7RsQOBxSK4XajQYt:0Keqof3AXASXKt
Score: 8/10
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: FrostBot v1.exe
Size: 264KB
MD5: cf1bbacd8ef9fec5e72137d3da543401
SHA1: 5cd65d1c0c3b8e8d69e9dd7807c1a19c7b277b42
SHA256: 6c650bcd3dd6accac5cae23ed42af2a6f57d936329a8e51ee710cb9cd2e2f3f3
SHA512: b0c451f371f6f9e616211b0e9489c11c1a28b4a60f318f2f08889a85628f1e74a9110591da64a54a14d13f25cd8dca8ee0b587fca7649ac40321cebdbcaa0b94
SSDEEP: 6144:Xkkog1WPDJpu1DxZXn/GmVuXNTaGFtWJtk/WgGF7hK:0kd1GDJM13+dXNTvt6ikK
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: Google.exe
Size: 264KB
MD5: 94ae6b1aeef3dffc6b6e2ca472191f39
SHA1: cbbbe4b517bf30ce526444870d41307825688884
SHA256: bc86c552a4043dd054e346ce889fc577f4fe7f70ec796652f64bd8edaf14a50a
SHA512: 3b8831d15fd3f14f7c33df27169eaf7e13329c6772d5306be8d01667f64f314354ade90349bb309e8f8a3519786c3ba2a9c78f15c8c783fc7d43685d409fd9ad
SSDEEP: 6144:ukkojivbTsgtMX+UHalwvzYJMAZvRiBxta8nm3suAK:xk9syMX+k4wvz58R6xtTctAK
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: MORPH_93594C2E8879.EXE
Size: 185KB
MD5: d0b8d51565528b23a4d3727b395dcc67
SHA1: 1ba2426be4351645bee5ea613d23c0cd7adf8bb6
SHA256: f0786dc9282a746b73606774a6a76bb947f29b130e3647b49fedd644c7aeeeef
SHA512: afef7b668a5a84f4a5e8df3e0ba29e649308910a6cbb82fdf6e6d2e46a1df7df81c371db254d22d3e6353944cbb1fa8cfd1a9b8c9e5422084ff8eab429ac8f58
SSDEEP: 3072:zPba0Z7gARaH7iLvfwH7t3NpaLzoqVe1Lxp4vrMrXBNFPKJ0FjiI:60NRaGLvfwbPYU92IzBN1oEjf
Score: 3/10

Target: Mycrypt.exe
Size: 228KB
MD5: a35e683f7392d7aa6be1ac5d325a0584
SHA1: 7b2a3dfd0579ec4a9f61e45994a48881ebb91b49
SHA256: 85fac218aabc9a6d08380d6f4fbe07818c5f7c8dc1f630bb849ab5681c83d7de
SHA512: 7c94c1f19f793d7efe251d9c0c4df900a10b8b85a36da9c883fce2b511f5f65d107d09be777efa92a3be6c0bdd38c302acd024ee48cf836889f79dfabb069470
SSDEEP: 3072:R26et7TW3+lXSittze7GjsZCc8dexm1qX2Gqfkz297vslPCTjUB9LQdItu:R2BTW6ji7ZCc8dMOqX2Gb29AlPn9Mx
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: PortChecker.exe
Size: 128KB
MD5: f9e1db23e7a2293a089963351994208d
SHA1: dd60e6052959bf6787e035ce4122f4b9f461ce14
SHA256: 27a739ca787fa265624d3ab8a5311a0e0f7d39c79c3c5365aff25159b0bb8dd4
SHA512: 7058767d13fc57534f437b6c077d70ced53a0a8f53a03259dc3cc513ab07809c04303db649ba368b67bddee854f78c8570aa46d5f468720caa26696a8d70bc8e
SSDEEP: 1536:KENNZHJxxl+LxcZDWAy3OgHEtIyAq3Hoa35ecoNVkSQLVz4ZkNfG:pNHHgKZ4Et5lTRoNO5VEZkNe
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: R.exe
Size: 264KB
MD5: cf1bbacd8ef9fec5e72137d3da543401
SHA1: 5cd65d1c0c3b8e8d69e9dd7807c1a19c7b277b42
SHA256: 6c650bcd3dd6accac5cae23ed42af2a6f57d936329a8e51ee710cb9cd2e2f3f3
SHA512: b0c451f371f6f9e616211b0e9489c11c1a28b4a60f318f2f08889a85628f1e74a9110591da64a54a14d13f25cd8dca8ee0b587fca7649ac40321cebdbcaa0b94
SSDEEP: 6144:Xkkog1WPDJpu1DxZXn/GmVuXNTaGFtWJtk/WgGF7hK:0kd1GDJM13+dXNTvt6ikK
Signatures:
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: RSBOT.exe
Size: 917B
MD5: 5076a2f51f15fb1c1c8e9a53c3f7d75c
SHA1: 1484b075977db4eea49d56ba4aa2a222afa158af
SHA256: 1f546772433db3cf1f04cb7af5bd724190f6dbd274a6cfd3f82b6bb1c46edae5
SHA512: 32ddc204effeb81f69a0f9dac64133ec72e90e3826ba73b3dbe563ca77e40105542eebb92ec25da5eae09af83591ead5f376ebac073d30653fca5dfda20763b6
Score: 1/10

Target: Rustyz.exe
Size: 120KB
MD5: 72bcd7f24413629f6b194c718af7b39e
SHA1: 8495ab957722ea594b4a45a8a7522b9a24d23988
SHA256: 43a8ced5b270b43b025b166f5069446de5c15479dcb049034f7db073153ebce4
SHA512: d5c9f01857e20fef93a8dc2e854bd3d18cf4c8d712eb6bf416f740c2e17eb14d9afa7eb9afb9241261bbfb07ab066447f6b22c9f78b815416d392329265a5213
SSDEEP: 1536:94WHOJOV+P1tMZw1pSqvarF8TfHlo6nu/dhIo7RkSQAVE4Zks:94nzHn1nHllnu/co7aGV3Zks
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: Rustyzzbot.exe
Size: 128KB
MD5: f9e1db23e7a2293a089963351994208d
SHA1: dd60e6052959bf6787e035ce4122f4b9f461ce14
SHA256: 27a739ca787fa265624d3ab8a5311a0e0f7d39c79c3c5365aff25159b0bb8dd4
SHA512: 7058767d13fc57534f437b6c077d70ced53a0a8f53a03259dc3cc513ab07809c04303db649ba368b67bddee854f78c8570aa46d5f468720caa26696a8d70bc8e
SSDEEP: 1536:KENNZHJxxl+LxcZDWAy3OgHEtIyAq3Hoa35ecoNVkSQLVz4ZkNfG:pNHHgKZ4Et5lTRoNO5VEZkNe
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (29)
  - Registry Run Keys / Startup Folder (15)
  - Winlogon Helper DLL (5)
  - Active Setup (9)
- Create or Modify System Process (5)
  - Windows Service (5)
- Event Triggered Execution (5)
  - Netsh Helper DLL (5)

Privilege Escalation
- Boot or Logon Autostart Execution (29)
  - Registry Run Keys / Startup Folder (15)
  - Winlogon Helper DLL (5)
  - Active Setup (9)
- Create or Modify System Process (5)
  - Windows Service (5)
- Event Triggered Execution (5)
  - Netsh Helper DLL (5)

Defense Evasion
- Modify Registry (34)
- Impair Defenses (5)
  - Disable or Modify System Firewall (5)
- Subvert Trust Controls (5)
  - Install Root Certificate (5)