cybergate | 7eaa6277e67ab6a1c99fb7a115eb78b71c212bdae1279e64fa60c2e01c9ee7e6

General

Target

JaffaCakes118_3525d89d77c0bc722453a5e7ca5ce3d7
Size

682KB
Sample

250126-nqzf1a1qan
MD5

3525d89d77c0bc722453a5e7ca5ce3d7
SHA1

456d68e320cdd4a2c3c6913c0df2b975bbd99e36
SHA256

7eaa6277e67ab6a1c99fb7a115eb78b71c212bdae1279e64fa60c2e01c9ee7e6
SHA512

64ff3d0595ccd8301ad9f1d0fc4ad0df8ce1d12219b6c977a4ab0dd9cb9e5fbaf8251862bf634b266a3c91fe7410a4831a4f5a585b797f5ce1266dc7c49682ec
SSDEEP

12288:Dw0NwkGGjNSegGdN+4onQeuYpU0dzoi1jeCV/og:7N17jMnGdNgpL5oI9V/P

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

flaboyserver.zapto.org:1453

flaboyserver.zapto.org:3460

scriptevillestylak.no-ip.org:15987

darkstylak.zapto.org:7850

stygate.zapto.org:4560

Mutex

MUK84Y3H54XU88

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Windows ne parvient pas à accéder au périphérique, au chemin d'accés ou au fichier spécifié. Vous ne disposez peux-être pas des autorisation appropriées pour avoir accès à l'élèment.
message_box_title
Windows Security
password
vauban
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

latentbot

C2

flaboyserver.zapto.org

Targets

- Target
  
  JaffaCakes118_3525d89d77c0bc722453a5e7ca5ce3d7
- Size
  
  682KB
- MD5
  
  3525d89d77c0bc722453a5e7ca5ce3d7
- SHA1
  
  456d68e320cdd4a2c3c6913c0df2b975bbd99e36
- SHA256
  
  7eaa6277e67ab6a1c99fb7a115eb78b71c212bdae1279e64fa60c2e01c9ee7e6
- SHA512
  
  64ff3d0595ccd8301ad9f1d0fc4ad0df8ce1d12219b6c977a4ab0dd9cb9e5fbaf8251862bf634b266a3c91fe7410a4831a4f5a585b797f5ce1266dc7c49682ec
- SSDEEP
  
  12288:Dw0NwkGGjNSegGdN+4onQeuYpU0dzoi1jeCV/og:7N17jMnGdNgpL5oI9V/P
Score

10^/10

cybergate latentbot remote discovery persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2