General

  • Target

    fe216e8dc4be9d92f715802d2f70069e2e2b6084d1fd205db9997d966c9ac303.exe

  • Size

    850KB

  • Sample

    241203-2ql3katngm

  • MD5

    25422e48a71c2ead7a0b0899b75f0152

  • SHA1

    57a259604cffcfa188ef13dc56477fbf065a6696

  • SHA256

    fe216e8dc4be9d92f715802d2f70069e2e2b6084d1fd205db9997d966c9ac303

  • SHA512

    db0d59e07b994618c46e44544704f7ab1a489850d8f7b5816092dc9fd868850a278793cfe0cf8c1b5b1f8f8cab8cc32a3f96aa644821a1a5f6c34454e5f74685

  • SSDEEP

    24576:51dlZo5NFWhF5XUIQkVesLDsMXRSNEXxBx+htNPXIW:51dlZo3Wffl1SGjEtNPYW

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

OVERBOOKING

C2

sn.all-google.com:9990

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    BOOKIG

  • install_file

    CLAREK.EXE

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    google

  • regkey_hkcu

    OVER

  • regkey_hklm

    BOOk

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks