MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CyberGate


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
SHA3-384 hash: 6bc07c06be70cb343c4be7b93529d77f19544aaa20ef012be1f20a1e32762a44d4266ed5d2cbd6f45f49d0f1bef94df0
SHA1 hash: 55facca9aab24ecef5fda454abcb13a4d96e04be
MD5 hash: 35bd0df9a23172b32b95c52483c6e7b1
humanhash: cardinal-hydrogen-golf-echo
File name:16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
Download: download sample
Signature CyberGate
Create hunting rule
File size:1'616'896 bytes
First seen:2021-02-28 07:11:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook)
ssdeep 24576:V4lavt0LkLL9IMixoEgeaV9FSFj3MqBqMxQOKqDUTEn/QBYkuAq9MmCS:skwkn9IMHeaV9FmjBdDoThYuaPCS
Threatray 1'021 similar samples on MalwareBazaar
TLSH F475E00363DEC3A5C3725273BE65BB01AE7B7C2506A1F59B2FD5093DE920122921E673
Reporter JAMESWT_WT
Tags:CyberGate

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
Verdict:
Malicious activity
Analysis date:
2021-02-28 09:11:02 UTC
Tags:
trojan rebhip spyrat cybergate
Link:
https://app.any.run/tasks/b39b8978-9af7-4140-b960-6b28d706c9d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CyberGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119829/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AutoIT-26.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Replacing files
DNS request
Blocking the User Account Control
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CyberGate
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621094
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Internet Explorer form passwords
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CyberGate RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359540 Sample: UYn5fi3eX9 Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 42 2.tcp.ngrok.io 2->42 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 2 other signatures 2->58 10 UYn5fi3eX9.exe 8 2->10         started        signatures3 process4 file5 36 C:\Users\user\AppData\Local\Temp\...\5112.exe, PE32 10->36 dropped 13 5112.exe 3 6 10->13         started        process6 file7 38 C:\directory\CyberGate\install\server.exe, PE32 13->38 dropped 68 Antivirus detection for dropped file 13->68 70 Multi AV Scanner detection for dropped file 13->70 72 Creates an undocumented autostart registry key 13->72 74 6 other signatures 13->74 17 5112.exe 3 5 13->17         started        21 server.exe 8 13->21         started        23 iexplore.exe 13->23         started        signatures8 process9 dnsIp10 40 192.168.2.1 unknown unknown 17->40 44 Writes to foreign memory regions 17->44 46 Allocates memory in foreign processes 17->46 48 Sample uses process hollowing technique 17->48 50 Injects a PE file into a foreign processes 17->50 25 server.exe 17->25         started        28 server.exe 17->28         started        30 WerFault.exe 22 9 21->30         started        signatures11 process12 signatures13 60 Antivirus detection for dropped file 25->60 62 Multi AV Scanner detection for dropped file 25->62 64 Machine Learning detection for dropped file 25->64 66 4 other signatures 25->66 32 WerFault.exe 3 9 25->32         started        34 WerFault.exe 28->34         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 11:37:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=czdvwlnlzycgmdq7met235kie6346aspjtpnsk4343qhzbnopkeq._file
Verdict:
malicious
Similar samples:
089e8696eff20b84e89e801127624dada3b321b0523d45cb648d437af4271716
CyberGate
09bdb0fb2e5689963f8375783abf0d87d2dbccc6a7ed8b03d7a53af29ab2c4d6
CyberGate
1f1bc6a65867b976dd8cdc00b6519b60b4da65af780f1636c447e5ebca91da96
CyberGate
2f53c96770351e95583b6c3d3bde7c4d44f0fc9e324517fd084a61000ed63dde
CyberGate
3aedf2b9413bb9eb0af9daf292e5461a910e182ab9b30debb814f769323a85ff
CyberGate
95654631036f198ae09278641c978609781eee27cdff60dcfe05ba72b367eee7
CyberGate
accfb8da98afdd5a90448bcdead0ce0913e7c1c505a0e4a4fe661fb4dae3da6f
CyberGate
afa655613277fa5927ea6e777245abc8812101008ff0d542efd12b9ec4d9e17c
CyberGate
c148d7544c90541afc565d03219b8c579ac18a52b1baa3e70eb22bf12cc9a96e
CyberGate
d7448da27fa5cbe7df2df781ef5763cdcbb31f6e99d756a03fb1ff577e7043a2
CyberGate
+ 1'011 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan upx
Link:
https://tria.ge/reports/210228-bj92j6lb2n/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
UAC bypass
Unpacked files
SH256 hash:
9c4979eeb3b37c074bb960382a24610344dc0520e42e1283681acc087c0c4e6c
MD5 hash:
1268ff8f3a5a4b63e87d93e26712bf9c
SHA1 hash:
388f0d1faa03328fed1e5ad475704dc8062686eb
Link:
https://www.unpac.me/results/e02e5914-7cca-49bc-bd59-cf7eedc00afb/
Parent samples :
3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec
SH256 hash:
dd25c682416c42f88113126104ab6f33e6b8ebd35792d0fb5cad40a2737f87f7
MD5 hash:
74580843292d27d262fd9002912fa035
SHA1 hash:
a82f7078aefad768e59be1ed5b91209f1c5ee2ea
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/e02e5914-7cca-49bc-bd59-cf7eedc00afb/
Parent samples :
8c0ad323d189a9eac013425b57059204c026454d49a4a35d545e013d9d99b756
f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
be404ffc5c363f80e7099a43a46c1ccd39f8593c660fd947bd8898ab44dd9731
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4
d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624
10214ec31eefe2eabd38262e9a404f781949bd09ff3831ffd3a9d9f9c8a277eb
3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec
SH256 hash:
bed1a5f69e7b210b4202692e88cf2ac189ab89ad9a721327ec5d4e736eac43ae
MD5 hash:
16acc512b626bc23db92c01a67a46786
SHA1 hash:
7ec8d66f51f0b2b587d27df10a47957bd426f90c
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/e02e5914-7cca-49bc-bd59-cf7eedc00afb/
SH256 hash:
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
MD5 hash:
35bd0df9a23172b32b95c52483c6e7b1
SHA1 hash:
55facca9aab24ecef5fda454abcb13a4d96e04be
Link:
https://www.unpac.me/results/e02e5914-7cca-49bc-bd59-cf7eedc00afb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox product IDs
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_CyberGate
Create hunting rule
Author:ditekSHen
Description:Detects CyberGate/Spyrat/Rebhip RTA
Rule name:RAT_CyberGate
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects CyberGate RAT
Reference:http://malwareconfig.com/stats/CyberGate
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:upx_packed
Create hunting rule
Description:UPX packed file
Rule name:VMware_detection_bin_mem
Create hunting rule
Author:James_inthe_box
Description:VMWare detection
Rule name:win_cybergate_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_cybergate_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119829/

Comments