General

  • Target

    897e9877bfac8a4a0c5f645db281d0d1b2b7d83f52f542991e686ab80591c18aN.exe

  • Size

    850KB

  • Sample

    241203-xf9zestpaq

  • MD5

    bdc5e5711dd5726128133578df8360e0

  • SHA1

    f1b40ef289db01ad1cd2cee98ceb2d017f0f28e6

  • SHA256

    897e9877bfac8a4a0c5f645db281d0d1b2b7d83f52f542991e686ab80591c18a

  • SHA512

    3639eaf6bdfb106569e3a61a517cdf19ed5f25b790a211f64f11031a25b708245d4c5958de73fb19371bdf32584dd012f17ea12800dde97f8a97bd0a59696291

  • SSDEEP

    24576:51dlZo5NFWhF5XUIQkVesLDsMXRSNEXxBx+htNPXIW:51dlZo3Wffl1SGjEtNPYW

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

OVERBOOKING

C2

sn.all-google.com:9990

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    BOOKIG

  • install_file

    CLAREK.EXE

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    google

  • regkey_hkcu

    OVER

  • regkey_hklm

    BOOk

Targets

    • Target

      897e9877bfac8a4a0c5f645db281d0d1b2b7d83f52f542991e686ab80591c18aN.exe

    • Size

      850KB

    • MD5

      bdc5e5711dd5726128133578df8360e0

    • SHA1

      f1b40ef289db01ad1cd2cee98ceb2d017f0f28e6

    • SHA256

      897e9877bfac8a4a0c5f645db281d0d1b2b7d83f52f542991e686ab80591c18a

    • SHA512

      3639eaf6bdfb106569e3a61a517cdf19ed5f25b790a211f64f11031a25b708245d4c5958de73fb19371bdf32584dd012f17ea12800dde97f8a97bd0a59696291

    • SSDEEP

      24576:51dlZo5NFWhF5XUIQkVesLDsMXRSNEXxBx+htNPXIW:51dlZo3Wffl1SGjEtNPYW

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks