General

  • Target

    c9993c21263eac0d39bd89fe000ab980N.exe

  • Size

    487KB

  • Sample

    240903-javewssckg

  • MD5

    c9993c21263eac0d39bd89fe000ab980

  • SHA1

    0825c7cce43ae0d98b9b193a48a3f40d9ff79d65

  • SHA256

    ce6a6921e4a8650f7417c304da4db3d4d9809688d1a5e78c0ad967f24bd1d356

  • SHA512

    fc7a4abfa2bce50aaf4a310b35bf5e5e0a16eb99b402887b54321a11d0c1120f9718f2e2c942bb3cf1bba46a9e7db1b9908ffcb900422a0cb979a59d47d1d990

  • SSDEEP

    12288:rVxnFiVNpaT8ZnAf6nqy5B8IgTUMqIp5M9cfU8Nt8Tz5:r7aNphZAf6nqy5BLQ1p5M9cf/uTz

Malware Config

Extracted

Family

cybergate

Version

v1.18.0

Botnet

remote

C2

vic.myftp.biz:2121

127.0.0.1:2121

Mutex

NIN84A414O4FB7

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    myvic

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks