cybergate | 09c0ffa8861927a9ddfbe851b4c9e0c08137d7117a5b381a2cda9f49e8c552ef | Triage

Submit
Reports

Overview

overview

Static

static

3

19a173e4cd...18.exe

windows7-x64

19a173e4cd...18.exe

windows10-2004-x64

Sharing

General

Target

19a173e4cd83f0ea7024cb9808f2c375_JaffaCakes118
Size

348KB
Sample

240628-lgk6xascpc
MD5

19a173e4cd83f0ea7024cb9808f2c375
SHA1

229584f2c83199df3c5e10ba007af233779291e1
SHA256

09c0ffa8861927a9ddfbe851b4c9e0c08137d7117a5b381a2cda9f49e8c552ef
SHA512

40f718763d98b729be4daeff412bdf3d5c2819c3050f78a66d4db3587b35bc18f30d38217869fb8fa545c8d75c1c392fb8f4013ea02017f12f1b478bd4968100
SSDEEP

6144:zxwLAI9sJd5v9q9QOjEnHn+pJ8D1MY1MT3kP7/skPUmDW5UYfQnqqWLW:9wkYin9Hn+pJ8D1M6a3kDUkMF5UYonq4

Score

10^/10

cybergate latentbot muajaja!persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

19a173e4cd83f0ea7024cb9808f2c375_JaffaCakes118.exe

Resource

win7-20240611-en

cybergate latentbot muajaja!persistence stealer trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

19a173e4cd83f0ea7024cb9808f2c375_JaffaCakes118.exe

Resource

win10v2004-20240611-en

cybergate latentbot muajaja!persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Muajaja!

C2

daniielalex.zapto.org:8080

Mutex

***Rataa***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windonws
install_file
Win32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
daniel55
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

latentbot

C2

daniielalex.zapto.org

Targets

- Target
  
  19a173e4cd83f0ea7024cb9808f2c375_JaffaCakes118
- Size
  
  348KB
- MD5
  
  19a173e4cd83f0ea7024cb9808f2c375
- SHA1
  
  229584f2c83199df3c5e10ba007af233779291e1
- SHA256
  
  09c0ffa8861927a9ddfbe851b4c9e0c08137d7117a5b381a2cda9f49e8c552ef
- SHA512
  
  40f718763d98b729be4daeff412bdf3d5c2819c3050f78a66d4db3587b35bc18f30d38217869fb8fa545c8d75c1c392fb8f4013ea02017f12f1b478bd4968100
- SSDEEP
  
  6144:zxwLAI9sJd5v9q9QOjEnHn+pJ8D1MY1MT3kP7/skPUmDW5UYfQnqqWLW:9wkYin9Hn+pJ8D1M6a3kDUkMF5UYonq4
Score

10^/10

cybergate latentbot muajaja!persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatelatentbotmuajaja!persistencestealertrojanupx

behavioral2

cybergatelatentbotmuajaja!persistencestealertrojanupx

© 2018-2024

Terms | Privacy