General

  • Target

    a8ea259167c889b01d474ecea56dc945_JaffaCakes118

  • Size

    910KB

  • Sample

    241127-v3afzayrhp

  • MD5

    a8ea259167c889b01d474ecea56dc945

  • SHA1

    c7597bde52094d45b978a4bd6807b04969df102d

  • SHA256

    1970cd087ba6230f44469526b47f404511dcfc0cc4b3e90b306bad752b692ff8

  • SHA512

    43403ca11bd319310efd8a31e8b46783c419769928fdece4308a07e62fee7e00501f4a4aabaef888bc69ea9f862c8e81a4ead415691812959c7bbc0866ebc56c

  • SSDEEP

    12288:2PDqqO6vou2pF1FxzAibFOFu430VXrkivN+XH/GnN4FcBTSRZWSjDJfCyl90mjxY:qO0YF1fbYRofl+XeN4FPRZWSLxlWcO

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Balýkbotu

C2

cehennem93.zapto.org:1604

Mutex

8RVVU2H68056KX

Attributes

  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install1

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1111

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      Easy Fishing/Easy Fishing.exe

    • Size

      780KB

    • MD5

      c4066eb4c8d64dde2bcdb31a04bb6e21

    • SHA1

      40c35581e7e27c8fb241d4b84102c9b55e0964b3

    • SHA256

      a3820d3e9c570d6607071e8f877c26334b81a11a4fef59f748ee8cd378164386

    • SHA512

      c68fca616f1e6de3607101ee97bfb825dbb1ecd27bb1f23a3630e90dca494ef4c514e590384621db6c8cabbe32786837b1f7dc2fa492b227f3523cd8e2052578

    • SSDEEP

      24576:2qdhnAVHAJkV38Hk00IlM3cmLMbFIgl6KL:XhNMMHkQM33MbT6k

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Easy Fishing/MDT2DF.DLL

    • Size

      594KB

    • MD5

      c213bc5f07ecab712fb8ee45b33b5b51

    • SHA1

      84df619b0169504a9e81746b8c845313b98b3f33

    • SHA256

      d0c7b97acb7989dc20eb8fc1313a0585fb1a0cc03d13f3fc1dd429ab7cad4b93

    • SHA512

      dd9b6a267c7408e490a7c07e18a5bd2258690c118080e57f68cd988297f0fed3af9477482de62f7be90495a291086dd92ed81d6fad1997e3fc95ee1eda665788

    • SSDEEP

      12288:yedIo3ARh7DHgwyTTiEX25+fPDkNlfX9O7:992h70wiJ37T

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks