cybergate | 3df4065f1402791df276957eee37edd2eddce79df67aeb274d0da426b01e6cde

General

Target

0e75bd63a8758981b03cc6436339e2ae_JaffaCakes118
Size

1.0MB
Sample

240625-r32zfawcmf
MD5

0e75bd63a8758981b03cc6436339e2ae
SHA1

e567e3645721296c23159f3b42258be5611ca729
SHA256

3df4065f1402791df276957eee37edd2eddce79df67aeb274d0da426b01e6cde
SHA512

6647e0fd3c7b83b5449841070b246cd3ed6c40a792863ec43e2d1510497fda8b1c6a7b686a6e3dc6567e067d495498a376c49faf2f2f78d1101af81911451362
SSDEEP

24576:1pqW/xLv1cRnxlFCwoOUgYAzopXFYFAh:nqW/1v6xxl5ocSF

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.12.0

Botnet

GLA0402

C2

tranoglaros13.zapto.org:3780

192.168.0.10:110

Mutex

DVUP5XSFL574A7

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
27042704

Extracted

Family

latentbot

C2

tranoglaros13.zapto.org

Targets

- Target
  
  0e75bd63a8758981b03cc6436339e2ae_JaffaCakes118
- Size
  
  1.0MB
- MD5
  
  0e75bd63a8758981b03cc6436339e2ae
- SHA1
  
  e567e3645721296c23159f3b42258be5611ca729
- SHA256
  
  3df4065f1402791df276957eee37edd2eddce79df67aeb274d0da426b01e6cde
- SHA512
  
  6647e0fd3c7b83b5449841070b246cd3ed6c40a792863ec43e2d1510497fda8b1c6a7b686a6e3dc6567e067d495498a376c49faf2f2f78d1101af81911451362
- SSDEEP
  
  24576:1pqW/xLv1cRnxlFCwoOUgYAzopXFYFAh:nqW/1v6xxl5ocSF
Score

10^/10

cybergate latentbot gla0402 stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CyberGate, Rebhip

LatentBot

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2