General
-
Target
Sa777d.exe
-
Size
427KB
-
MD5
a9323c7e6e3213d3cf6f8c36d072af49
-
SHA1
c180cb5b99d726333e5077c0271291337727ca8e
-
SHA256
569a9e1f7fe5fa60891d25fe3b5e9327c00f9c35a3503689d632e66a8d505554
-
SHA512
d7847ec7b026830f56a4b8b4ceeffc8aa3204230ae8de3db386036711d054d38d5d6fe82ad7a00a5084b71680409728b8032a29922ff539bdd31e8955bddf130
-
SSDEEP
12288:puMwuBi8vvrHxVPKyv2m77sZB07FxObO32T:pHwX8vrx52t07FQaC
Malware Config
Extracted
cybergate
v3.4.2.2
ddd
23.84.85.170:5632
OON4EK3B243DN8
-
enable_keylogger
true
-
enable_message_box
true
-
ftp_directory
./logs
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Broke dude to windows falied
-
message_box_title
Windows Error
-
password
123
Signatures
-
Cybergate family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource Sa777d.exe
Files
-
Sa777d.exe.exe windows:4 windows x86 arch:x86
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
Sections
CODE Size: 35KB - Virtual size: 34KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
DATA Size: 512B - Virtual size: 292B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BSS Size: - Virtual size: 2KB
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: - Virtual size: 8B
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 512B - Virtual size: 24B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 385KB - Virtual size: 385KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ