General

  • Target

    57836661773d8d7db1dcd9a39c140416

  • Size

    308KB

  • Sample

    240113-avz2fahdd8

  • MD5

    57836661773d8d7db1dcd9a39c140416

  • SHA1

    8e5abe34f55d2083da1a1c8bde323f172aa6719d

  • SHA256

    72d27a9e3dbbe2499ef6247806eb1109b56f8b748667930e854cb00c60cc47f8

  • SHA512

    0dacc1c5322b6835a43faf487caec7ad25fbac095a382dffb3c642d9372e8b0a7f12c67a4efee1bd3086c7787f3bed45993d662a9cea0a00463137b651d01af0

  • SSDEEP

    6144:doyMEgbVeaUm+XXWJsRSK8VwwnSXIWTv0Fc7/7R9+YHciXrwvHuA//:hg5ep43KkwtXrTKc7jR9+YHc4w7/

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

spy

C2

jurizaran0ff.zapto.org:2050

Mutex

1DKLHH3T02R81V

Attributes

  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • ftp_password

    ficken123

  • ftp_port

    21

  • ftp_server

    fbook123.fb.ohost.de

  • ftp_username

    ftp1802466

  • injected_process

    explorer.exe

  • install_dir

    dll

  • install_file

    winconfig32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Cannot open file

  • message_box_title

    Error

  • password

    ficken123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

latentbot

C2

jurizaran0ff.zapto.org

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • LatentBot

      Modular trojan written in Delphi that has been in the wild since 2013.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    T1547 Boot or Logon Autostart Execution: 3
    T1547.001 Registry Run Keys / Startup Folder: 3

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution: 3
    T1547.001 Registry Run Keys / Startup Folder: 3

  • Defense Evasion

    T1112 Modify Registry: 3

  • Discovery

    T1082 System Information Discovery: 1