General

  • Target

    20a9ae41fb30bf31090cb85000981930N

  • Size

    261KB

  • Sample

    240909-rzqr1atbkn

  • MD5

    20a9ae41fb30bf31090cb85000981930

  • SHA1

    429cf205e22a3ac7fb0826dad595f1bb092a3b94

  • SHA256

    235d362e4b52898ea105988fc6dfa95c9fcec275da756a6e724a70e6fcf16731

  • SHA512

    570fa0adf3bfbf56438c01256ca4888bf5b63dc3eee82c29572c7d7bbb3b9a2369148a8b4994cc85a55792f1d569ac196b2e8faaba7360bba6fa4a7b98165441

  • SSDEEP

    6144:TnkGZ6RJawiq+vQWLnDsHVRPCPBj0m6mqdH+IROhwcOq:LPQcRvnPOYV0mOeIRO0q

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima (Portuguese for "victim")

C2

lapiti.zapto.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

texto da mensagem (Portuguese for "message text")

  • message_box_title

título da mensagem (Portuguese for "message title")

  • password

    123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
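
The install_dir, install_file, install_flag and regkey_hkcu/regkey_hklm attributes above describe where the dropped server.exe registers itself, and the persistence signatures further down (Run key, policy Run key, Active Setup) name the three registry locations a responder has to check. The following Python script is an added example, not part of this report or of the sandbox's own logic: it parses an offline .reg export of those hives and flags any autostart entry whose data points at an install\server.exe path. The export is constructed for the example; the absolute path C:\Windows\install\server.exe, the value names HKCU/HKLM and the Active Setup GUID are assumptions about how this configuration is applied on a host, not facts taken from the report.

```python
import re
import sys

# Constructed .reg export (Regedit 5.00 format), not taken from the report.
# The install path, value names and the all-zero GUID are assumptions;
# the OneDrive and regsvr32 lines stand in for benign entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"HKCU"="C:\\Windows\\install\\server.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"HKLM"="C:\\Windows\\install\\server.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Windows\\install\\server.exe Restart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
'''

# The three autostart locations named by this sample's signatures. For Active
# Setup only the StubPath value is executed, so other values are ignored.
AUTOSTART_LOCATIONS = [
    ("Run key",
     re.compile(r"^HKEY_(CURRENT_USER|LOCAL_MACHINE|USERS\\[^\\]+)\\Software\\Microsoft"
                r"\\Windows\\CurrentVersion\\Run(Once)?$", re.I), None),
    ("Policy Run key",
     re.compile(r"^HKEY_(CURRENT_USER|LOCAL_MACHINE|USERS\\[^\\]+)\\Software\\Microsoft"
                r"\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", re.I), None),
    ("Active Setup",
     re.compile(r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft"
                r"\\Active Setup\\Installed Components\\[^\\]+$", re.I), "StubPath"),
]


def parse_reg_export(text):
    """Return (key, value_name, data) triples from a Regedit 5.00 export.

    String data is unescaped (\\\\ -> \\, \\" -> "); dword:/hex: data is kept raw.
    """
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name_part, _, data_part = line.partition("=")
        name = "(Default)" if name_part == "@" else name_part.strip('"')
        if data_part.startswith('"') and data_part.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data_part[1:-1])  # one pass handles \\ and \"
        else:
            data = data_part
        entries.append((key, name, data))
    return entries


def find_autostarts(reg_text, indicator=None):
    """List every autostart entry; mark those whose data contains `indicator`."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        for location, pattern, only_value in AUTOSTART_LOCATIONS:
            if pattern.match(key) and (only_value is None or name.lower() == only_value.lower()):
                hits.append({
                    "location": location, "key": key, "value": name, "data": data,
                    "flagged": bool(indicator) and indicator.lower() in data.lower(),
                })
    return hits


if __name__ == "__main__":
    # Usage: python autostarts.py [export.reg]; defaults to the constructed export.
    text = open(sys.argv[1], encoding="utf-16" if len(sys.argv) > 1 and sys.argv[1].endswith(".reg") else "utf-8").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for hit in find_autostarts(text, r"\install\server.exe"):
        print(("FLAG " if hit["flagged"] else "     ") + hit["location"] + ": " + hit["key"] + " | " + hit["value"] + " = " + hit["data"])
```

Regedit writes exports as UTF-16 by default, which is why the script assumes that encoding for a .reg argument; the indicator is matched case-insensitively because the registry itself is case-insensitive.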

Targets

    • Target

      20a9ae41fb30bf31090cb85000981930N

    • Size

      261KB

    • MD5

      20a9ae41fb30bf31090cb85000981930

    • SHA1

      429cf205e22a3ac7fb0826dad595f1bb092a3b94

    • SHA256

      235d362e4b52898ea105988fc6dfa95c9fcec275da756a6e724a70e6fcf16731

    • SHA512

      570fa0adf3bfbf56438c01256ca4888bf5b63dc3eee82c29572c7d7bbb3b9a2369148a8b4994cc85a55792f1d569ac196b2e8faaba7360bba6fa4a7b98165441

    • SSDEEP

      6144:TnkGZ6RJawiq+vQWLnDsHVRPCPBj0m6mqdH+IROhwcOq:LPQcRvnPOYV0mOeIRO0q

    • CyberGate, Rebhip

      CyberGate (detected by some vendors as Rebhip) is a remote access trojan sold as a "remote administration tool"; it offers keylogging, file management, a remote shell and screen capture. The configuration extracted above shows the keylogger enabled, the C2 at lapiti.zapto.org:81 and the default mutex ***MUTEX***.

    • Adds policy Run key to start application

      Writes an autostart value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, which Explorer executes at logon just like the ordinary Run key but which is reviewed far less often.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine: a StubPath value under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID> is executed once for each user account at logon.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or with a modified build of it.

    • Adds Run key to start application

      Writes an autostart value under Software\Microsoft\Windows\CurrentVersion\Run; this matches the install_flag, regkey_hkcu and regkey_hklm attributes in the extracted configuration.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is the usual final step of process hollowing (RunPE), redirecting a suspended thread to injected code; this is consistent with the injected_process attribute naming explorer.exe.
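
The "UPX packed file" signature above fires on the packer's section names and on the "UPX!" marker it writes into its own header; a modified UPX build typically changes one of the two but rarely both. The following Python script is an added example, not code from this report or from the sandbox's detection logic: it walks the PE headers by hand (DOS header, e_lfanew, COFF header, section table) and checks both indicators. The three PE images it runs on are constructed inline and are not the sample in this report; a real file can be passed as the first argument.

```python
import struct
import sys

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_section_names(data):
    """Return the section names of a PE image, parsing the headers manually."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + size_of_optional
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\x00").decode("latin-1"))
    return names


def upx_indicators(data):
    """Report UPX-style section names and the 'UPX!' header marker."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n.upper().startswith("UPX")]
    marker = b"UPX!" in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_marker": marker,
        "packed": bool(upx_sections) or marker,
    }


def build_fake_pe(section_names, tail=b""):
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    zeroed optional header and a section table with the given names."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0  # PE32 optional header size
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                              size_of_optional, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\x00" * (size_of_optional - 2)
    section_table = b"".join(n.ljust(8, b"\x00")[:8] + b"\x00" * 32 for n in section_names)
    return dos_header + b"PE\x00\x00" + coff_header + optional_header + section_table + tail


# Constructed test images (assumptions, not the report's sample).
STOCK_UPX = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], tail=b"UPX!\x0d\x09\x02\x08" + b"\x00" * 16)
MODIFIED_UPX = build_fake_pe([b".text", b".data", b".rsrc"], tail=b"UPX!" + b"\x00" * 20)
CLEAN = build_fake_pe([b".text", b".data", b".rsrc"], tail=b"\x00" * 24)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(upx_indicators(fh.read()))
    else:
        for label, blob in (("stock UPX", STOCK_UPX), ("modified UPX", MODIFIED_UPX), ("clean", CLEAN)):
            print(label, upx_indicators(blob))
```

A "packed" verdict here is a triage hint, not proof: a renamed-section build that also strips the marker evades both checks, and the usual follow-up is an entropy check on the sections plus an attempted `upx -d`.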

MITRE ATT&CK Enterprise v15

Tasks