MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 269aff53e58f71f5893d6d4bb552e57ab3f56d8b797259f8ed9a3ffc18a295b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CyberGate

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	269aff53e58f71f5893d6d4bb552e57ab3f56d8b797259f8ed9a3ffc18a295b4
SHA3-384 hash:	9106d2c41776c59ba3f10482ed016042aa8436dc22ad9e4fd216fa9fa398761a09053b7c20a361d0adfb39e06e1587fc
SHA1 hash:	284969a5d4a4437199dc529226191cad976c2206
MD5 hash:	2b541ce551764cda4ec19cf40a6d62a6
humanhash:	zebra-vegan-artist-dakota
File name:	server.exe
Download:	download sample
Signature	CyberGate Create hunting rule
File size:	437'760 bytes
First seen:	2023-07-14 17:11:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a1ca9f77a798c9b4f0e454a9da75459d (13 x Cybergate)
ssdeep	12288:FuMwCBi8vvrHxVPKyv2m77sZB07FxObO32k:FHwb8vrx52t07FQaX
TLSH	T18E9413E6F0549CB7DBA18AFD1D2CE784EB6D7A212C27409359FE3F88C71C262160D196
TrID	35.7% (.EXE) Win32 Executable (generic) (4505/5/1) 16.4% (.EXE) Win16/32 Executable Delphi generic (2072/23) 16.0% (.EXE) OS/2 Executable (generic) (2029/13) 15.8% (.EXE) Generic Win/DOS Executable (2002/3) 15.8% (.EXE) DOS Executable Generic (2000/1)
Reporter	billthebadboy
Tags:	CyberGate exe

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Detection:

Spynet

Link:

https://www.capesandbox.com/analysis/419650/

Detection(s):

PUA.Win.Packer.Pequake-4

Win.Packed.Spynet-6841468-0

Win.Trojan.Agent-556250

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Creating a file in the %temp% directory

Searching for the window

Launching a process

Searching for synchronization primitives

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending a custom TCP request

Delayed writing of the file

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Dropper.Trojan.Agent

Link:

https://www.hybrid-analysis.com/sample/269aff53e58f71f5893d6d4bb552e57ab3f56d8b797259f8ed9a3ffc18a295b4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Rebhip

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d3fcd73b-7591-4438-a1f4-7bc10006c734

Result

Threat name:

CyberGate

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1273340

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Contains functionality to modify clipboard data

Creates a thread in another existing process (thread injection)

Found malware configuration

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected CyberGate RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/269aff53e58f71f5893d6d4bb552e57ab3f56d8b797259f8ed9a3ffc18a295b4/

Threat name:

Win32.Backdoor.Spyrat

Status:

Malicious

First seen:

2023-07-07 07:35:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e2np6u7fr5y7lcj5nvf3kuxfpkz7k3mlpfzft6hnti77ygfcsw2a._file

Result

Malware family:

cybergate

Score:

10/10

Tags:

family:cybergate botnet:remote upx

Link:

https://tria.ge/reports/230714-vqtn3sfe99/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

UPX packed file

Malware Config

C2 Extraction:

127.0.0.1:999
127.0.0.1:81

Unpacked files

SH256 hash:

269aff53e58f71f5893d6d4bb552e57ab3f56d8b797259f8ed9a3ffc18a295b4

MD5 hash:

2b541ce551764cda4ec19cf40a6d62a6

SHA1 hash:

284969a5d4a4437199dc529226191cad976c2206

Detections:

win_cybergate_w0

Link:

https://www.unpac.me/results/b132ca1f-8c88-41e9-8f28-9b935f0cb795/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/269aff53e58f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxProductID Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox product IDs

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	SUSP_OneNote Create hunting rule
Author:	spatronn
Description:	Hard-Detect One

Rule name:	win_cybergate_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_cybergate_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/419650/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample