cybergate | 23903bdf6ee51de7d00487c3525e3c3d6ae8a8dca3b124717c4b535e541cc6b0 | Triage

Submit
Reports

Overview

overview

Static

static

3

b0c3d26466...18.exe

windows7-x64

b0c3d26466...18.exe

windows10-2004-x64

Sharing

General

Target

b0c3d26466f5a5bf2216402cdf0f7c85_JaffaCakes118
Size

422KB
Sample

240820-zhkhnasdph
MD5

b0c3d26466f5a5bf2216402cdf0f7c85
SHA1

c01d4b6bb07b95a0a63b7af1e45af213b3ac3f5b
SHA256

23903bdf6ee51de7d00487c3525e3c3d6ae8a8dca3b124717c4b535e541cc6b0
SHA512

ccef9de8a68d8e09eda82003ff39fee4a02275e1298784351cc4809714c873d218a908871c56246565df5e39d7866edc71f92c412c9662d9eafc7a53a24f8f2c
SSDEEP

6144:dsyONZF2GMupeRw22tXjJg4oeMosnqD1ijXdwqFa3VM3OZCy38Iffy6ac48Ks:zONZ5in2/otaitwxsOPZfa6H5v

Score

10^/10

cybergate latentbot prueba004 discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b0c3d26466f5a5bf2216402cdf0f7c85_JaffaCakes118.exe

Resource

win7-20240704-en

cybergate latentbot prueba004 discovery persistence stealer trojan upx

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

b0c3d26466f5a5bf2216402cdf0f7c85_JaffaCakes118.exe

Resource

win10v2004-20240802-en

cybergate latentbot prueba004 discovery persistence stealer trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

prueba004

C2

cerberusprueba.zapto.org:99

Mutex

realteksound

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
iexplore.exe
install_dir
sistem32
install_file
realteksound.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
daniel
regkey_hkcu
realteksound
regkey_hklm
realteksound

Extracted

Family

latentbot

C2

cerberusprueba.zapto.org

Targets

- Target
  
  b0c3d26466f5a5bf2216402cdf0f7c85_JaffaCakes118
- Size
  
  422KB
- MD5
  
  b0c3d26466f5a5bf2216402cdf0f7c85
- SHA1
  
  c01d4b6bb07b95a0a63b7af1e45af213b3ac3f5b
- SHA256
  
  23903bdf6ee51de7d00487c3525e3c3d6ae8a8dca3b124717c4b535e541cc6b0
- SHA512
  
  ccef9de8a68d8e09eda82003ff39fee4a02275e1298784351cc4809714c873d218a908871c56246565df5e39d7866edc71f92c412c9662d9eafc7a53a24f8f2c
- SSDEEP
  
  6144:dsyONZF2GMupeRw22tXjJg4oeMosnqD1ijXdwqFa3VM3OZCy38Iffy6ac48Ks:zONZ5in2/otaitwxsOPZfa6H5v
Score

10^/10

cybergate latentbot prueba004 discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatelatentbotprueba004discoverypersistencestealertrojanupx

behavioral2

cybergatelatentbotprueba004discoverypersistencestealertrojanupx

© 2018-2024

Terms | Privacy