cybergate | 6aacdcddef49f768858cc4cbea3782ccccbf6e73d49fb5cf2b7694b553b41288 | Triage

Submit
Reports

Overview

overview

Static

static

3

21c1660bea...18.exe

windows7-x64

21c1660bea...18.exe

windows10-2004-x64

3

Sharing

General

Target

21c1660bea914694bf07bdd82e3f3b2e_JaffaCakes118
Size

322KB
Sample

240703-kqc18avfpb
MD5

21c1660bea914694bf07bdd82e3f3b2e
SHA1

127106ecab9e18039db050bf5409e60a9490ac85
SHA256

6aacdcddef49f768858cc4cbea3782ccccbf6e73d49fb5cf2b7694b553b41288
SHA512

f70ed334303a20c8da825660d3716d8ad5896d6f28ea8ab57e7b40cee46824b125c3421858db2fb6b78ea0c049962d77f564fa96f16916d30ecd2460b647116e
SSDEEP

6144:OVROXyav0Z00PKPYzZ9DmaPD2gZ6ezI3anQVVuYYW2JqrIcqiWEq3:aROXyddPuOzDxDJjzK9mYYPmIcq93

Score

10^/10

cybergate latentbot apirilak 12 persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

21c1660bea914694bf07bdd82e3f3b2e_JaffaCakes118.exe

Resource

win7-20240419-en

cybergate latentbot apirilak 12 persistence stealer trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

21c1660bea914694bf07bdd82e3f3b2e_JaffaCakes118.exe

Resource

win10v2004-20240508-en

windows10-2004-x64

2 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

apirilak 12

C2

laudioko.zapto.org:82

laudioko.zapto.org:83

ganekogorta.zapto.org:82

ganekogorta.zapto.org:83

Mutex

LXO2V512KQ6P32

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
System32
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
111165
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

latentbot

C2

ganekogorta.zapto.org

Targets

- Target
  
  21c1660bea914694bf07bdd82e3f3b2e_JaffaCakes118
- Size
  
  322KB
- MD5
  
  21c1660bea914694bf07bdd82e3f3b2e
- SHA1
  
  127106ecab9e18039db050bf5409e60a9490ac85
- SHA256
  
  6aacdcddef49f768858cc4cbea3782ccccbf6e73d49fb5cf2b7694b553b41288
- SHA512
  
  f70ed334303a20c8da825660d3716d8ad5896d6f28ea8ab57e7b40cee46824b125c3421858db2fb6b78ea0c049962d77f564fa96f16916d30ecd2460b647116e
- SSDEEP
  
  6144:OVROXyav0Z00PKPYzZ9DmaPD2gZ6ezI3anQVVuYYW2JqrIcqiWEq3:aROXyddPuOzDxDJjzK9mYYPmIcq93
Score

10^/10

cybergate latentbot apirilak 12 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

cybergatelatentbotapirilak 12persistencestealertrojanupx

behavioral2

© 2018-2024

Terms | Privacy