MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d04e3e3ca18e2a313be6ab4ed837e31d4e2587341835267717b7b93a0b8ccdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CyberGate

Vendor detections: 15

SHA256 hash: 3d04e3e3ca18e2a313be6ab4ed837e31d4e2587341835267717b7b93a0b8ccdc
SHA3-384 hash: 4cf71694b4f564637a7a1d788962e95090b57de6915a5715e8fb4a646495d458880f1dc602d15968fd7cbe1d9f144146
SHA1 hash: 2d4a132d1db15dd5d11a032527d741df043ea1c6
MD5 hash: 8cb698075d9018280139fb7c3aa79673
humanhash: oxygen-gee-vegan-vegan
File name: SecuriteInfo.com.Trojan.DownLoader5.5241.20690.21644
Signature: CyberGate
File size: 669'243 bytes
First seen: 2023-09-30 17:37:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d03492041b6703ca9bf1935561397b27 (1 x CyberGate)
ssdeep: 12288:XezJzog+Dwgbonn2OoKC7aopAx6Y6F6sCrv+V7j1r:upoHBknnrCuWi6xF6sCrv+RjR
Threatray: 69 similar samples on MalwareBazaar
TLSH: T197E4CFCAD16944F2DC093FFAD81427C39B294A325AB400583EAB7D494F771EAC05DEE6
TrID: 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter: SecuriteInfoCom
Tags: CyberGate exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 312
Origin country: FR

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Unauthorized injection to a recently created process
Searching for synchronization primitives
Restart of the analyzed sample
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Unauthorized injection to a system process
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: buzus greyware overlay poison threat xtreme zbot
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: CyberGate
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CyberGate RAT
Behaviour
Behavior Graph ID: 1317313
Sample: SecuriteInfo.com.Trojan.DownLoader5.5241.20690.21644.exe
Start date: 30/09/2023
Architecture: WINDOWS
Score: 100
Process tree recovered from the graph:
  SecuriteInfo.com.Trojan.DownLoader5.5241.20690.21644.exe (started)
    Signatures: Found evasive API chain (may stop execution after checking mutex); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Contain functionality to detect virtual machines; 6 other signatures
    WerFault.exe (started)
    SecuriteInfo.com.Trojan.DownLoader5.5241.20690.21644.exe (started)
      Dropped file: C:\Windows\MSNlive\msnlive.exe, PE32
      Signatures: Creates an undocumented autostart registry key; Injects code into the Windows Explorer (explorer.exe); Creates an autostart registry key pointing to binary in C:\Windows; 4 other signatures
      explorer.exe (injected)
        msnlive.exe (started, three instances)
          Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Injects a PE file into a foreign processes
          msnlive.exe (started) and WerFault.exe (started) under each instance
      SecuriteInfo.com.Trojan.DownLoader5.5241.20690.21644.exe (started)
        msnlive.exe (started)
          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          msnlive.exe (started), WerFault.exe (started)
      explorer.exe (started)
        Signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; Contains functionality to modify clipboard data
      iexplore.exe (started)
  Start-node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
Threat name: Win32.Trojan.Zeus
Status: Malicious
First seen: 2012-01-16 03:42:00 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 28 of 38 (73.68%)
Threat level: 5/5

Result
Malware family: cybergate
Score: 10/10
Tags: family:cybergate botnet:16 persistence stealer trojan upx
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds policy Run key to start application
Modifies Installed Components in the registry
CyberGate, Rebhip
Malware Config
C2 Extraction: mandanga.blogdns.com:4321
Unpacked files
SHA256 hash: b8e836fe8db0bb6caf1e56a768b2f14db9049ad7d1abea8e3131b13a35f6e3b1
MD5 hash: c95d57dea84b464834b2a98adbedb501
SHA1 hash: 1bc12bcf1d9a92df6e129841661eaad14da503de

SHA256 hash: d80dafaedd1ddadf990a6c7f400a43c9b266b3caee0284caf0440b301cdda7cb
MD5 hash: 4e7294ba5446defd225f747f776224d1
SHA1 hash: 8bb24f7ea94c565d4768f0f097dbcf97cd1f54c6
Detections: win_cybergate_w0 win_cybergate_auto

SHA256 hash: a1302d0130262f507e97f45ac30ec84f4c0ce2f9401e5f9ec6c92f4ecf0842e6
MD5 hash: dc43955583f298e3e1b7c6a63dc0caec
SHA1 hash: f08f5f933e5e08eee8db490d5ae0e88c144a4343

SHA256 hash: d29533f9459d11a0f22066a3c5ceaafebf8b4ac1c54bf8a9f5b30e685e67cc39
MD5 hash: ed4cb5ed8cef246ac4d266d89eee0fdb
SHA1 hash: 5f39e505b60e6e86b52d090a7ea4cc571ba717e6
Detections: win_cybergate_w0 win_cybergate_auto

SHA256 hash: 3d04e3e3ca18e2a313be6ab4ed837e31d4e2587341835267717b7b93a0b8ccdc
MD5 hash: 8cb698075d9018280139fb7c3aa79673
SHA1 hash: 2d4a132d1db15dd5d11a032527d741df043ea1c6
Malware family: CyberGate
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SUSP_EXE_in_ISO
Author: SECUINFRA Falcon Team
Description: Detects ISO files that contain an Exe file. Does not need to be malicious
Reference: Internal Research

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.
