Overview

overview

10

Static

static

3

fe216e8dc4...03.exe

windows7-x64

10

fe216e8dc4...03.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fe216e8dc4be9d92f715802d2f70069e2e2b6084d1fd205db9997d966c9ac303.exe

  • Size

    850KB

  • Sample

    241203-2kw1ksxqfw

  • MD5

    25422e48a71c2ead7a0b0899b75f0152

  • SHA1

    57a259604cffcfa188ef13dc56477fbf065a6696

  • SHA256

    fe216e8dc4be9d92f715802d2f70069e2e2b6084d1fd205db9997d966c9ac303

  • SHA512

    db0d59e07b994618c46e44544704f7ab1a489850d8f7b5816092dc9fd868850a278793cfe0cf8c1b5b1f8f8cab8cc32a3f96aa644821a1a5f6c34454e5f74685

  • SSDEEP

    24576:51dlZo5NFWhF5XUIQkVesLDsMXRSNEXxBx+htNPXIW:51dlZo3Wffl1SGjEtNPYW

Score
10/10
cybergateoverbookingbootkitdiscoverypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

OVERBOOKING

C2

sn.all-google.com:9990

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    BOOKIG

  • install_file

    CLAREK.EXE

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    google

  • regkey_hkcu

    OVER

  • regkey_hklm

    BOOk

Targets

    • Target

      fe216e8dc4be9d92f715802d2f70069e2e2b6084d1fd205db9997d966c9ac303.exe

    • Size

      850KB

    • MD5

      25422e48a71c2ead7a0b0899b75f0152

    • SHA1

      57a259604cffcfa188ef13dc56477fbf065a6696

    • SHA256

      fe216e8dc4be9d92f715802d2f70069e2e2b6084d1fd205db9997d966c9ac303

    • SHA512

      db0d59e07b994618c46e44544704f7ab1a489850d8f7b5816092dc9fd868850a278793cfe0cf8c1b5b1f8f8cab8cc32a3f96aa644821a1a5f6c34454e5f74685

    • SSDEEP

      24576:51dlZo5NFWhF5XUIQkVesLDsMXRSNEXxBx+htNPXIW:51dlZo3Wffl1SGjEtNPYW

    Score
    10/10
    cybergateoverbookingbootkitdiscoverypersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Cybergate family

      cybergate

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks