General
- Target: c9993c21263eac0d39bd89fe000ab980N.exe
- Size: 487KB
- Sample: 240903-javewssckg
- MD5: c9993c21263eac0d39bd89fe000ab980
- SHA1: 0825c7cce43ae0d98b9b193a48a3f40d9ff79d65
- SHA256: ce6a6921e4a8650f7417c304da4db3d4d9809688d1a5e78c0ad967f24bd1d356
- SHA512: fc7a4abfa2bce50aaf4a310b35bf5e5e0a16eb99b402887b54321a11d0c1120f9718f2e2c942bb3cf1bba46a9e7db1b9908ffcb900422a0cb979a59d47d1d990
- SSDEEP: 12288:rVxnFiVNpaT8ZnAf6nqy5B8IgTUMqIp5M9cfU8Nt8Tz5:r7aNphZAf6nqy5BLQ1p5M9cf/uTz
Static task: static1
Behavioral task: behavioral1
- Sample: c9993c21263eac0d39bd89fe000ab980N.exe
- Resource: win7-20240903-en
Malware Config
Extracted: cybergate v1.18.0
- remote: vic.myftp.biz:2121, 127.0.0.1:2121
- NIN84A414O4FB7
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: myvic
Targets
- Target: c9993c21263eac0d39bd89fe000ab980N.exe
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)