cybergate | 4876014b50fbd615ef3b9bbeeee26f1e8b451be39fc7aa553eaea6068847fb45

General

Target

d9eaf987ee3a0f3bac692e9e21b6b89c_JaffaCakes118
Size

672KB
Sample

240911-jvgdrszdrq
MD5

d9eaf987ee3a0f3bac692e9e21b6b89c
SHA1

aac15b5ec0ab1913fc5b6f5397518573c4af17fd
SHA256

4876014b50fbd615ef3b9bbeeee26f1e8b451be39fc7aa553eaea6068847fb45
SHA512

e7776c20cc5bfaa5334a667f972b3addfbd8b1772e9aef33768f53e98c5ad3f44965dc8c56c00ac96f99a430bb0866dd4c13849bae9ff2d5951ae59e3e8d83d5
SSDEEP

12288:b4EKFlzysA9dVcLAdByeH35XQOu64RUZ9TpZCpMhV7q0KvCXMzTT:4/aVu2pHpA5YZFGC8z

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.13.1

Botnet

GLA1802

C2

tranoglaros13.zapto.org:3780

192.168.0.10:110

Mutex

620O044E6CSQT8

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
27042704

Extracted

Family

latentbot

C2

tranoglaros13.zapto.org

Targets

- Target
  
  d9eaf987ee3a0f3bac692e9e21b6b89c_JaffaCakes118
- Size
  
  672KB
- MD5
  
  d9eaf987ee3a0f3bac692e9e21b6b89c
- SHA1
  
  aac15b5ec0ab1913fc5b6f5397518573c4af17fd
- SHA256
  
  4876014b50fbd615ef3b9bbeeee26f1e8b451be39fc7aa553eaea6068847fb45
- SHA512
  
  e7776c20cc5bfaa5334a667f972b3addfbd8b1772e9aef33768f53e98c5ad3f44965dc8c56c00ac96f99a430bb0866dd4c13849bae9ff2d5951ae59e3e8d83d5
- SSDEEP
  
  12288:b4EKFlzysA9dVcLAdByeH35XQOu64RUZ9TpZCpMhV7q0KvCXMzTT:4/aVu2pHpA5YZFGC8z
Score

10^/10

cybergate latentbot gla1802 discovery stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CyberGate, Rebhip

LatentBot

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2