MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CyberGate

Vendor detections: 20

Intelligence 20 IOCs 1 YARA 28 File information Comments

SHA256 hash:	1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec
SHA3-384 hash:	ae620478322e269532ee4590b5b92a983c87a33fa078b2167a2ac7c69a522a1fc98fb7c5fdca98bc218ca6e883c07ab5
SHA1 hash:	dfe387fade7536e5518a751afa2155dfe3263a72
MD5 hash:	241acfdded078727d52c85b6e7c72a2d
humanhash:	three-papa-sixteen-bacon
File name:	241ACFDDED078727D52C85B6E7C72A2D.exe
Download:	download sample
Signature	CyberGate Create hunting rule
File size:	299'520 bytes
First seen:	2025-10-13 17:55:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	af27d1ccae4b19fbc8ccd3f6805f8491 (4 x CyberGate, 2 x Smoke Loader)
ssdeep	6144:dOpslFlqKhdBCkWYxuukP1pjSKSNVkq/MVJb5:dwslNTBd47GLRMTb5
TLSH	T11C54F152B4C194F3D3250DBCAC0692A8550D7F322D376897BAFD2F0DC97A282EA5D493
TrID	98.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 0.6% (.EXE) Win32 Executable (generic) (4504/4/1) 0.3% (.EXE) Win16/32 Executable Delphi generic (2072/23) 0.2% (.EXE) OS/2 Executable (generic) (2029/13) 0.2% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	CyberGate exe

abuse_ch

CyberGate C2:
209.74.66.25:3002

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
209.74.66.25:3002	https://threatfox.abuse.ch/ioc/1610233/

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

Vendor Threat Intelligence

Malware family:

cybergate

ID:

File name:

241ACFDDED078727D52C85B6E7C72A2D.exe

Verdict:

Malicious activity

Analysis date:

2025-10-13 17:57:14 UTC

Tags:

cybergate rat backdoor rebhip spyrat remote anti-evasion xor-url generic upx

Link:

https://app.any.run/tasks/53ca9ca1-3bca-40ba-8a8f-90d4c96e195a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CyberGate

Link:

https://www.capesandbox.com/analysis/32569/

Detection(s):

Win.Trojan.Agent-36200

Win.Worm.Explorerhijack-6999913-0

Win.Trojan.Zusy-7001017-0

ditekSHen.MALWARE.Win.Trojan.CyberGate.UNOFFICIAL

Win.Packed.Spynet-6841468-0

Win.Trojan.Agent-229540

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ed3d2c777ae46bec428c4b

Tags:

vmdetect autorun emotet rebhip

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm anubis autorun borland_delphi bublik crypto cybergate explorer fingerprint lolbin obfuscated packed rat rat xor-url xor-url

Link:

https://www.filescan.io/uploads/68ed3d2c71883144ef34bf65/reports/eddd6bc8-06c9-4302-bf66-c123a9c10924/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-10T18:11:00Z UTC

Last seen:

2025-10-14T10:35:00Z UTC

Hits:

~10

Detections:

Trojan-Downloader.Win32.Banload.sb Trojan.Win32.Inject.sb Trojan.Win32.RokRat.sb Trojan.Win32.Bublik.elhu HEUR:Trojan.Win32.Generic PDM:HackTool.Win32.VBInject.a Trojan-Spy.Win32.Xegumumune.sba Trojan.Win32.Vimditator.sb Trojan.Win32.Llac.has Trojan.Win32.Llac Backdoor.Win32.Cybergate.sb Trojan.Reconyc.HTTP.ServerRequest PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Androm

Link:

https://opentip.kaspersky.com/1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec/results?tab=lookup

Malware family:

Rebhip

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35faaff5-c8c4-4b16-a582-ae18be09500a

Result

Threat name:

CyberGate

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1794297

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Deletes itself after installation

Drops PE files with benign system names

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected CyberGate RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/241acfdded078727d52c85b6e7c72a2d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec/

Verdict:

Malicious

Threat:

Family.CYBERGATE

Link:

https://tip.neiki.dev/file/1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

Threat name:

Win32.Spyware.Rebhip

Status:

Malicious

First seen:

2025-10-09 17:26:51 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

34 of 36 (94.44%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=catk5pxiq4ny254gicbicv4r36ziykgayi2pwevqnde25lqt73wa._file

Verdict:

malicious

Label(s):

cybergate

Similar samples:

error

CyberGate

Result

Malware family:

cybergate

Score:

10/10

Tags:

family:cybergate botnet:explorer discovery persistence stealer trojan upx

Link:

https://tria.ge/reports/251013-whxlfafy8a/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

UPX packed file

Adds Run key to start application

Checks computer location settings

Deletes itself

Executes dropped EXE

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

CyberGate, Rebhip

Cybergate family

Malware Config

C2 Extraction:

209.74.66.25:3002

Verdict:

Malicious

Tags:

rat cybergate trojan Win.Trojan.Agent-36200

YARA:

Windows_Trojan_CyberGate_c219a2f3 RAT_CyberGate MALWARE_Win_CyberGate

Link:

https://app.threat.zone/submission/2299b799-1867-49fd-ac32-1add63b6dc5f

Unpacked files

SH256 hash:

1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

MD5 hash:

241acfdded078727d52c85b6e7c72a2d

SHA1 hash:

dfe387fade7536e5518a751afa2155dfe3263a72

Detections:

win_cybergate_auto

win_cybergate_w0

Link:

https://www.unpac.me/results/88832cf0-8263-4d17-aefc-12642e0f3e98/

SH256 hash:

dd25c682416c42f88113126104ab6f33e6b8ebd35792d0fb5cad40a2737f87f7

MD5 hash:

74580843292d27d262fd9002912fa035

SHA1 hash:

a82f7078aefad768e59be1ed5b91209f1c5ee2ea

Detections:

win_cybergate_auto

win_cybergate_w0

Malware_QA_update

Link:

https://www.unpac.me/results/88832cf0-8263-4d17-aefc-12642e0f3e98/

Parent samples :

8c0ad323d189a9eac013425b57059204c026454d49a4a35d545e013d9d99b756
f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
be404ffc5c363f80e7099a43a46c1ccd39f8593c660fd947bd8898ab44dd9731
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4
d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624
10214ec31eefe2eabd38262e9a404f781949bd09ff3831ffd3a9d9f9c8a277eb
3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

SH256 hash:

9c4979eeb3b37c074bb960382a24610344dc0520e42e1283681acc087c0c4e6c

MD5 hash:

1268ff8f3a5a4b63e87d93e26712bf9c

SHA1 hash:

388f0d1faa03328fed1e5ad475704dc8062686eb

Detections:

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Link:

https://www.unpac.me/results/88832cf0-8263-4d17-aefc-12642e0f3e98/

Parent samples :

3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	Check_Dlls Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxProductID Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox product IDs

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_CyberGate Create hunting rule
Author:	ditekSHen
Description:	Detects CyberGate/Spyrat/Rebhip RTA

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RAT_CyberGate Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects CyberGate RAT
Reference:	http://malwareconfig.com/stats/CyberGate

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_CyberGate_c219a2f3 Create hunting rule
Author:	Elastic Security

Rule name:	win_cybergate_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_cybergate_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32569/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample