cybergate | c4a9d00cc5bb80c22881db982b7626b84c353489c8ee777e2b44d8a00ca0d475 | Triage

Submit
Reports

Overview

overview

Static

static

3

6af60821c6...18.exe

windows7-x64

6af60821c6...18.exe

windows10-2004-x64

Sharing

General

Target

6af60821c65d180519b28b9e1c84d339_JaffaCakes118
Size

308KB
Sample

241022-sck4nssglq
MD5

6af60821c65d180519b28b9e1c84d339
SHA1

8dd22160f1573f3236499defd84012a61ba4811a
SHA256

c4a9d00cc5bb80c22881db982b7626b84c353489c8ee777e2b44d8a00ca0d475
SHA512

7a0950831b4e2696b6221b5204c8a5025464da613d71352c3319c59537fc61a2de43278c225dd9573cafcb17634232c8530e6724302eb14436fb2590f14881c9
SSDEEP

6144:XVvgMDg5vgu8eESgxxWQr8BqxLx/BxdRgOx/YqoDhSN8RDWX+tJ:5gME54pelYEQYeLLxdRgkN1+tJ

Score

10^/10

cybergate latentbot remote discovery persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6af60821c65d180519b28b9e1c84d339_JaffaCakes118.exe

Resource

win7-20240708-en

cybergate latentbot remote discovery persistence stealer trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

6af60821c65d180519b28b9e1c84d339_JaffaCakes118.exe

Resource

win10v2004-20241007-en

latentbot discovery persistence trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

krasnodarcheg.zapto.org:1600

Mutex

5JODQ1H002BP1J

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
5
ftp_password
WhrxBlIi
ftp_port
21
ftp_server
krasnodarche.h16.ru
ftp_username
krasno18
injected_process
explorer.exe
install_dir
systemcfg
install_file
systemcfg.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
419843qq
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

latentbot

C2

krasnodarcheg.zapto.org

Targets

- Target
  
  6af60821c65d180519b28b9e1c84d339_JaffaCakes118
- Size
  
  308KB
- MD5
  
  6af60821c65d180519b28b9e1c84d339
- SHA1
  
  8dd22160f1573f3236499defd84012a61ba4811a
- SHA256
  
  c4a9d00cc5bb80c22881db982b7626b84c353489c8ee777e2b44d8a00ca0d475
- SHA512
  
  7a0950831b4e2696b6221b5204c8a5025464da613d71352c3319c59537fc61a2de43278c225dd9573cafcb17634232c8530e6724302eb14436fb2590f14881c9
- SSDEEP
  
  6144:XVvgMDg5vgu8eESgxxWQr8BqxLx/BxdRgOx/YqoDhSN8RDWX+tJ:5gME54pelYEQYeLLxdRgkN1+tJ
Score

10^/10

cybergate latentbot remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergatelatentbotremotediscoverypersistencestealertrojanupx

behavioral2

latentbotdiscoverypersistencetrojanupx

© 2018-2024

Terms | Privacy