cybergate | c977ad9044bb20f176f8ef1c1f0c311092be604fc985e3b579ad3c965ba4b76f

General

Target

a1a296b76be90dd04c3c671b670145a5_JaffaCakes118
Size

3.4MB
Sample

240817-h3s7vstcqf
MD5

a1a296b76be90dd04c3c671b670145a5
SHA1

92634cc255631c557dd8ac3b53f9d33de931a5a2
SHA256

c977ad9044bb20f176f8ef1c1f0c311092be604fc985e3b579ad3c965ba4b76f
SHA512

04cd1cc96ab1dbbfea0b9bf0d7b6d43b517b02b600017209af4333e0ae2e5aeafc4d200738b4691dd731918df8d80fbfd660a6506bf2a5c358d00506dd8b2a0e
SSDEEP

49152:mcD5EcpDgsiwEY21Xn0uyoW3L2HOUARbMvl4ePASbANkrNDkyPgTrPvJxk7W+JiU:v20Q3ZQKNARgvllANkrNvPar5aaPc

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

fmsserver.dyndns.biz:81

fmsserver.dyndns.biz:999

fmsserver.dyndns.biz:1111

newnewnewdslnew.zapto.org:81

newnewnewdslnew.zapto.org:999

newnewnewdslnew.zapto.org:1111

newnewnewdslnew.zapto.org:80

127.0.0.1:81

Mutex

K305AR06NSGF4W

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
nonono
message_box_title
nonono
password
cybergate

Extracted

Family

latentbot

C2

newnewnewdslnew.zapto.org

Targets

- Target
  
  a1a296b76be90dd04c3c671b670145a5_JaffaCakes118
- Size
  
  3.4MB
- MD5
  
  a1a296b76be90dd04c3c671b670145a5
- SHA1
  
  92634cc255631c557dd8ac3b53f9d33de931a5a2
- SHA256
  
  c977ad9044bb20f176f8ef1c1f0c311092be604fc985e3b579ad3c965ba4b76f
- SHA512
  
  04cd1cc96ab1dbbfea0b9bf0d7b6d43b517b02b600017209af4333e0ae2e5aeafc4d200738b4691dd731918df8d80fbfd660a6506bf2a5c358d00506dd8b2a0e
- SSDEEP
  
  49152:mcD5EcpDgsiwEY21Xn0uyoW3L2HOUARbMvl4ePASbANkrNDkyPgTrPvJxk7W+JiU:v20Q3ZQKNARgvllANkrNvPar5aaPc
Score

10^/10

cybergate latentbot remote discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CyberGate, Rebhip

LatentBot

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2