cybergate | 49e53532d4a0273790822a26a308d1d353b439f84cd7665293facda7ebf734de

General

Target

0a19f9916742820cf9b1dcb4a45a846e_JaffaCakes118
Size

1.0MB
Sample

240624-wzv4yazakj
MD5

0a19f9916742820cf9b1dcb4a45a846e
SHA1

c0fdcdea3d65fb3b9723d712a91ffe9d108f194e
SHA256

49e53532d4a0273790822a26a308d1d353b439f84cd7665293facda7ebf734de
SHA512

e83a73fdae20dff984bb934eaaed768a83f33845a365977d4442c0c371b928eea1a42ff79408a132be3941fae8f14f7bfab6457288f34ddcafc232676d74890a
SSDEEP

24576:GpWuZcnunDM8eyvkyFXfAYG6sa7gpEfV+SYR/xXQIPYtiYBtt:axOMo8rvkyFXfhtT7gy9BYR/xgIwtiYz

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

incoming

C2

fmsserver.dyndns.biz:81

fmsserver.dyndns.biz:999

fmsserver.dyndns.biz:1111

newnewnewdslnew.zapto.org:81

newnewnewdslnew.zapto.org:999

newnewnewdslnew.zapto.org:1111

newnewnewdslnew.zapto.org:80

Mutex

66FBA55C46U2PX

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Installation 100% COOL
message_box_title
Installation Abgeschlossen
password
dsl5000

Extracted

Family

latentbot

C2

newnewnewdslnew.zapto.org

Targets

- Target
  
  0a19f9916742820cf9b1dcb4a45a846e_JaffaCakes118
- Size
  
  1.0MB
- MD5
  
  0a19f9916742820cf9b1dcb4a45a846e
- SHA1
  
  c0fdcdea3d65fb3b9723d712a91ffe9d108f194e
- SHA256
  
  49e53532d4a0273790822a26a308d1d353b439f84cd7665293facda7ebf734de
- SHA512
  
  e83a73fdae20dff984bb934eaaed768a83f33845a365977d4442c0c371b928eea1a42ff79408a132be3941fae8f14f7bfab6457288f34ddcafc232676d74890a
- SSDEEP
  
  24576:GpWuZcnunDM8eyvkyFXfAYG6sa7gpEfV+SYR/xXQIPYtiYBtt:axOMo8rvkyFXfhtT7gy9BYR/xgIwtiYz
Score

10^/10

cybergate latentbot incoming stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CyberGate, Rebhip

LatentBot

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2