MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CyberGate


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8
SHA3-384 hash: 7afdb32b8f26334d090bc6626ce5fa37b3e4424a7c73f5226cf13b5add1057b83585932b8f54e122af4437dcc133f3a3
SHA1 hash: d58d44e82ede215fc27ab9c52f945f8ad94434c6
MD5 hash: 3c404348ced8ba4af25c3dad86a0dc9c
humanhash: video-louisiana-triple-oscar
File name:3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8
Download: download sample
Signature CyberGate
Create hunting rule
File size:796'160 bytes
First seen:2020-08-07 07:13:45 UTC
Last seen:2020-08-07 10:45:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 12288:Oisy90PH1Ju9qhsAsijOb4rKBpQhv0P3UFIVJV73iORMU0ceLJZEu:OHyUVJurAsi6MrK/gv0PAIdiOfDKZj
Threatray 160 similar samples on MalwareBazaar
TLSH F305124937E42192E4F65B7198F142439936BCA29B3482BF1694D67E0F33AC4E636F13
Reporter JAMESWT_WT
Tags:CyberGate

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41540/
Detection(s):
Win.Malware.Autoit-6992337-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Running batch commands
Reading critical registry keys
Creating a window
Sending a UDP request
Creating a file in the Windows subdirectories
Launching a process
Launching the default Windows debugger (dwwin.exe)
Deleting a recently created file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Replacing files
Connection attempt
Delayed writing of the file
Creating a file in the mass storage device
Stealing user critical data
Unauthorized injection to a recently created process
Encrypting user's files
Enabling autorun
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
50 / 100
Link:
https://www.joesandbox.com/analysis/414840
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Drops script or batch files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Writes many files with high entropy
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 259682 Sample: QRd8Mq3175 Startdate: 07/08/2020 Architecture: WINDOWS Score: 50 79 Machine Learning detection for dropped file 2->79 81 Binary contains a suspicious time stamp 2->81 9 QRd8Mq3175.exe 1 21 2->9         started        12 rundll32.exe 2->12         started        process3 file4 53 C:\Users\user\AppData\Local\...\desktop.exe, PE32 9->53 dropped 55 C:\Users\user\AppData\Local\...\WINDOW~1.EXE, PE32 9->55 dropped 57 C:\Users\user\AppData\Local\Temp\...\M.exe, PE32 9->57 dropped 59 16 other files (13 malicious) 9->59 dropped 14 setup.exe 3 9->14         started        16 WINDOW~1.EXE 3 3 9->16         started        process5 file6 20 cmd.exe 1 3 14->20         started        47 C:\Windows\install\explorer.exe, PE32 16->47 dropped 49 C:\Users\user\AppData\...\XX--XX--XX.txt, data 16->49 dropped 71 Creates an undocumented autostart registry key 16->71 73 Machine Learning detection for dropped file 16->73 75 Injects code into the Windows Explorer (explorer.exe) 16->75 77 5 other signatures 16->77 24 explorer.exe 16->24 injected signatures7 process8 file9 51 C:\Users\user\AppData\Roaming\...\cmd.bat, ASCII 20->51 dropped 83 Drops script or batch files to the startup folder 20->83 26 C.exe 236 20->26         started        30 desktop.exe 20->30         started        32 A.exe 3 20->32         started        34 12 other processes 20->34 signatures10 process11 dnsIp12 61 C:\Users\user\...\XX--XX--XX.txt.crypt, data 26->61 dropped 63 C:\Users\user\...\SettingsCache.txt.crypt, data 26->63 dropped 65 C:\...\AppCache132412944947135859.txt.crypt, data 26->65 dropped 67 43 other malicious files 26->67 dropped 85 Detected unpacking (overwrites its own PE header) 26->85 87 Machine Learning detection for dropped file 26->87 89 May encrypt documents and pictures (Ransomware) 26->89 91 Writes many files with high entropy 26->91 93 Modifies existing user documents (likely ransomware behavior) 30->93 37 notepad.exe 32->37         started        69 192.168.2.1 unknown unknown 34->69 39 notepad.exe 34->39         started        41 notepad.exe 34->41         started        43 notepad.exe 34->43         started        45 8 other processes 34->45 file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8/
Threat name:
Win64.Ransomware.Pocrimcrypt
Create hunting rule
Status:
Malicious
First seen:
2020-08-07 00:55:00 UTC
File Type:
PE+ (Exe)
Extracted files:
103
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h25a3seellwzzojqxk4fkfnpde62spp776fc33yydsjjtg32724a._file
Verdict:
malicious
Similar samples:
0ea92254716b961c39a0e1b570e2c3702167f620754619d67772b6e90a2588a0
CyberGate
0eb12e969ec43debe5949bace35a26eabaa8f854ae3440180b6b74f8654a7b1d
CyberGate
1d2ef8cd1682b74a09a6a4f5f3caa932eadbcf798ecb183b3cafaade1a38c3b2
CyberGate
3a32a74e76e2844a515009139d75ec4ae6d785f5850ddcd3cf6cd1bd99604378
CyberGate
a027715146e0ea40c303082ceda4f2a930613208a1175f59c6749cf0bb8f14d0
CyberGate
ae7bf3a82ad6c39368d217f27e26739d757d5f09e70ba3fa8d65e6e2171d0ab7
CyberGate
c39988c4fafdf620330e857eae7838a41bd6132200fc677847fa33dcd4f7118a
CyberGate
c5590bb44c587c0140b6f87c74c77d69c2dfdc65f23ffa8b7d064d13b396e962
CyberGate
e5293306e26acee08b59796c2a80b2e9e36f4ec027016a908b4beb24f83bd8e7
CyberGate
ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
CyberGate
+ 150 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware upx persistence
Link:
https://tria.ge/reports/200807-8bjxfser7s/
Behaviour
Suspicious use of FindShellTrayWindow
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Windows directory
Adds Run key to start application
Modifies Installed Components in the registry
Adds policy Run key to start application
Executes dropped EXE
UPX packed file
ServiceHost packer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:RAT_CyberGate
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects CyberGate RAT
Reference:http://malwareconfig.com/stats/CyberGate
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_cybergate_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_cybergate_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41540/

Comments