cybergate | 367d3b3d7a9516d083c12de5a47994519b3c4403ece4415b1ee84602fe56f55e | Triage

Sharing

General

Target

93247291a2bae5b7432fe50a0ec2a364_JaffaCakes118
Size

384KB
Sample

240813-p21zmsyfrk
MD5

93247291a2bae5b7432fe50a0ec2a364
SHA1

c69f7b7b49410c333cf24b99d62bdaec4f47c2e6
SHA256

367d3b3d7a9516d083c12de5a47994519b3c4403ece4415b1ee84602fe56f55e
SHA512

409f84b379765b1d7e6d1ff552c3fb6b95cea5fc4b089fb4504112c8b26f6244ca71dd5c0f3cd1f7cc61a74f365edb28f7f8c005c5a1b6c761a24c3ce093874f
SSDEEP

12288:x5hUSEm7ahdlcy5qAK/V2qHiGvmrVuNptx:OSjeh4uqxVDHiGveot

Score

10^/10

cybergate latentbot remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

C2

afflictionrat2.zapto.org:95

Mutex

FTHKI40TGYEOFI

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Adobe
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
getrocked
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

latentbot

C2

afflictionrat2.zapto.org

Targets

- Target
  
  93247291a2bae5b7432fe50a0ec2a364_JaffaCakes118
- Size
  
  384KB
- MD5
  
  93247291a2bae5b7432fe50a0ec2a364
- SHA1
  
  c69f7b7b49410c333cf24b99d62bdaec4f47c2e6
- SHA256
  
  367d3b3d7a9516d083c12de5a47994519b3c4403ece4415b1ee84602fe56f55e
- SHA512
  
  409f84b379765b1d7e6d1ff552c3fb6b95cea5fc4b089fb4504112c8b26f6244ca71dd5c0f3cd1f7cc61a74f365edb28f7f8c005c5a1b6c761a24c3ce093874f
- SSDEEP
  
  12288:x5hUSEm7ahdlcy5qAK/V2qHiGvmrVuNptx:OSjeh4uqxVDHiGveot
Score

10^/10

cybergate latentbot remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Adds policy Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatelatentbotremotediscoverypersistencestealertrojanupx

behavioral2

cybergatelatentbotremotediscoverypersistencestealertrojanupx