cybergate | 1cd2706f80c7067c674d1f6d1dc99388ec7756ed6ee07c0a692612ec14a9bd3a

Sharing

Copy URL

Twitter E-mail

General

Target

19ecec81fc0af53bf8bf575022f26695_JaffaCakes118
Size

340KB
Sample

240506-axg9eaea76
MD5

19ecec81fc0af53bf8bf575022f26695
SHA1

6bf06e1f9701a5faf23e47e3f73d4bc9fb3ef0db
SHA256

1cd2706f80c7067c674d1f6d1dc99388ec7756ed6ee07c0a692612ec14a9bd3a
SHA512

154d51afd64c8376be0144991234db28c6014abbaf81c8676830efa53fa470db6250253a2a5800ae6608cf3e4d3c62dc44b4cb509951a4eccac36c41713b359c
SSDEEP

6144:VmcD66R7o2P3b49n2P3b49G5JGmrpQsK3RD2u270jupCJsCxC:QcD66a/nZ2zkPaCx

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

127.0.0.1:81

wassimderbel.zapto.org:81

bayci.zapto.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Could not find dll
message_box_title
erreur
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

latentbot

wassimderbel.zapto.org

Targets

- Target
  
  19ecec81fc0af53bf8bf575022f26695_JaffaCakes118
- Size
  
  340KB
- MD5
  
  19ecec81fc0af53bf8bf575022f26695
- SHA1
  
  6bf06e1f9701a5faf23e47e3f73d4bc9fb3ef0db
- SHA256
  
  1cd2706f80c7067c674d1f6d1dc99388ec7756ed6ee07c0a692612ec14a9bd3a
- SHA512
  
  154d51afd64c8376be0144991234db28c6014abbaf81c8676830efa53fa470db6250253a2a5800ae6608cf3e4d3c62dc44b4cb509951a4eccac36c41713b359c
- SSDEEP
  
  6144:VmcD66R7o2P3b49n2P3b49G5JGmrpQsK3RD2u270jupCJsCxC:QcD66a/nZ2zkPaCx
Score

10^/10

cybergate latentbot vítima persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CyberGate, Rebhip

LatentBot

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2