cybergate | a609525d4634a2f95581ee076b3077d51c75af110f37ed8ba6ce4c2cafecffcf | Triage

Sharing

General

Target

125cab42cc4ba8ab8ae34a671068dca7_JaffaCakes118
Size

952KB
Sample

241004-h3ygks1dkk
MD5

125cab42cc4ba8ab8ae34a671068dca7
SHA1

b3103535e46ca9861bb675bfe6463e0a251ec84f
SHA256

a609525d4634a2f95581ee076b3077d51c75af110f37ed8ba6ce4c2cafecffcf
SHA512

12cefe599cc7e48916f997a837ecfb7a87b54091f6654d6195e418ccb175166b6cd63923fac47cd0f7f6107420ef2109363d4253b1a1e3a4bfe9d1df790a2c54
SSDEEP

24576:DsHVFiBc/55ybm93fvdxhvhTUV0o5HwzMozwbOqakHmfJe9WPJSdH9m:wHVFocibm93fvdxhvhTUVv5HEhR6mxew

Score

10^/10

cybergate latentbot adamabensharmuta discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

AdamAbenSharmuta

C2

silenceplease.zapto.org:1234

Mutex

V7T26U2POMSC5M

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
iexplorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Extracted

Family

latentbot

C2

silenceplease.zapto.org

Targets

- Target
  
  125cab42cc4ba8ab8ae34a671068dca7_JaffaCakes118
- Size
  
  952KB
- MD5
  
  125cab42cc4ba8ab8ae34a671068dca7
- SHA1
  
  b3103535e46ca9861bb675bfe6463e0a251ec84f
- SHA256
  
  a609525d4634a2f95581ee076b3077d51c75af110f37ed8ba6ce4c2cafecffcf
- SHA512
  
  12cefe599cc7e48916f997a837ecfb7a87b54091f6654d6195e418ccb175166b6cd63923fac47cd0f7f6107420ef2109363d4253b1a1e3a4bfe9d1df790a2c54
- SSDEEP
  
  24576:DsHVFiBc/55ybm93fvdxhvhTUV0o5HwzMozwbOqakHmfJe9WPJSdH9m:wHVFocibm93fvdxhvhTUVv5HEhR6mxew
Score

10^/10

cybergate latentbot adamabensharmuta discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatelatentbotadamabensharmutadiscoverypersistencestealertrojanupx

behavioral2