cybergate | 28b7ddcc8adf11fb406198b688da89add30e58765c88b7a3b46faf50ab7ee2c5

General

Target

1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118
Size

1000KB
Sample

240701-vvl5sstepk
MD5

1bd831b3e9b8824b97dd4b591b24a492
SHA1

3ec7ccc1afdf3e1c3f461aead688055bb7a733d2
SHA256

28b7ddcc8adf11fb406198b688da89add30e58765c88b7a3b46faf50ab7ee2c5
SHA512

57506aa5b042b4ddc54e20b5953b863a50baa84c7a4504cd24f3b001c5f1d5bb8b6dfb826ca4fbaaf8d41903d6bdc98ba676c42659fc4f2e8cb336c9bd53fb21
SSDEEP

24576:6sSXVmefVMTqtjP7tg7Vx8JbvJxnsA9zyYpdvV44plDAI:6sKz8ezZumFzfrp

Score

10^/10

Malware Config

Extracted

Family

xtremerat

C2

medoseleman.zapto.org

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

127.0.0.1:288

medoseleman.zapto.org:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

latentbot

C2

medoseleman.zapto.org

Targets

- Target
  
  1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118
- Size
  
  1000KB
- MD5
  
  1bd831b3e9b8824b97dd4b591b24a492
- SHA1
  
  3ec7ccc1afdf3e1c3f461aead688055bb7a733d2
- SHA256
  
  28b7ddcc8adf11fb406198b688da89add30e58765c88b7a3b46faf50ab7ee2c5
- SHA512
  
  57506aa5b042b4ddc54e20b5953b863a50baa84c7a4504cd24f3b001c5f1d5bb8b6dfb826ca4fbaaf8d41903d6bdc98ba676c42659fc4f2e8cb336c9bd53fb21
- SSDEEP
  
  24576:6sSXVmefVMTqtjP7tg7Vx8JbvJxnsA9zyYpdvV44plDAI:6sKz8ezZumFzfrp
Score

10^/10

cybergate latentbot xtremerat öííé persistence rat spyware stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Detect XtremeRAT payload
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2