MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 470cd98a9fc081dee21c80423c60f8d9c62962c745b30e657e4275d465fee5d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CyberGate


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 470cd98a9fc081dee21c80423c60f8d9c62962c745b30e657e4275d465fee5d1
SHA3-384 hash: aba5be236ddfe519d70e823e0e7aed51297602b6f6fd9b6109cb816cae6ab9803b8ce13f3496d77dac97bb8ac301e2f5
SHA1 hash: 3b89f6c1b4b0de0a8917819e262d921903b6c80e
MD5 hash: b2198e83a02f802a93f1e6e03366eee8
humanhash: blue-failed-sweet-delta
File name:470cd98a9fc081dee21c80423c60f8d9c62962c745b30e657e4275d465fee5d1
Download: download sample
Signature CyberGate
Create hunting rule
File size:1'470'464 bytes
First seen:2021-09-30 07:40:02 UTC
Last seen:2021-09-30 09:03:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dd9f456e539a1b836b522999c0eef5ac (1 x CyberGate)
ssdeep 24576:t6MyeXTLTlGMQzaWMWRIWxhWX4HQIOyJlwdVzlRkaIo5V51sWQ:t6MyeXTgM7+hDQMwdHRlx5V51sW
Threatray 54 similar samples on MalwareBazaar
TLSH T12E65D5AE73C46E7DF986C2BC9014991AD19CEE7062A5D48CEF835BD774C0942E339983
Reporter JAMESWT_WT
Tags:CyberGate exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CyberGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193394/
Detection(s):
SecuriteInfo.com.Variant.Bulz.752313.16725.19544.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Replacing files
Creating a process from a recently created file
DNS request
Delayed writing of the file
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Unauthorized injection to a system process
Deleting of the original file
Malware family:
Rebhip
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f36ccf09-511c-43ee-aaa6-64f98b0937a9
Result
Threat name:
CyberGate
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862278
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Writes to foreign memory regions
Yara detected CyberGate RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494714 Sample: iSrWjN9Ln6 Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 38 luckhacking201zv.hopto.org 2->38 40 clientconfig.passport.net 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 5 other signatures 2->48 10 iSrWjN9Ln6.exe 2->10         started        signatures3 process4 signatures5 58 Detected unpacking (changes PE section rights) 10->58 60 Contain functionality to detect virtual machines 10->60 62 Contains functionality to inject threads in other processes 10->62 64 3 other signatures 10->64 13 iSrWjN9Ln6.exe 5 7 10->13         started        process6 file7 34 C:\directory\Microsoft\...\Pluguin.exe, PE32 13->34 dropped 36 C:\directory\...\Pluguin.exe:Zone.Identifier, ASCII 13->36 dropped 66 Creates an undocumented autostart registry key 13->66 68 Injects code into the Windows Explorer (explorer.exe) 13->68 70 Writes to foreign memory regions 13->70 72 3 other signatures 13->72 17 explorer.exe 3 13->17 injected 19 explorer.exe 13->19         started        signatures8 process9 process10 21 Pluguin.exe 17->21         started        24 Pluguin.exe 17->24         started        26 Pluguin.exe 17->26         started        signatures11 50 Antivirus detection for dropped file 21->50 52 Detected unpacking (changes PE section rights) 21->52 54 Machine Learning detection for dropped file 21->54 56 4 other signatures 21->56 28 Pluguin.exe 21->28         started        30 Pluguin.exe 24->30         started        32 Pluguin.exe 26->32         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/470cd98a9fc081dee21c80423c60f8d9c62962c745b30e657e4275d465fee5d1/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 11:12:46 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i4gntcu7yca55yq4qbbdyyhy3hdcsywhiwzq4zl6ij25izp64xiq._file
Verdict:
malicious
Similar samples:
0eb12e969ec43debe5949bace35a26eabaa8f854ae3440180b6b74f8654a7b1d
CyberGate
19e71e510a71ff531afb1790500259dd4439fc56ea402c8d4baf205a03b56edc
CyberGate
3a32a74e76e2844a515009139d75ec4ae6d785f5850ddcd3cf6cd1bd99604378
CyberGate
57bf128dd42cbcebac753c89ead426c684b3f524272bad0fedb50d206c9779bc
CyberGate
5b3bb026ad01ea693afc1e8c7669fd478258ee335bee9baff31a8edf691b8b4c
CyberGate
61c2d5a213f1b68ef98f2800f02697650ccf28eb38ec07635f0bffcdf18a803a
CyberGate
75b81202e7fe10cde5362ecf0575d70896d82e00086325fc98ea25ac6002b581
CyberGate
91b137c0a7b65d1d2c443e92327e10f87e17d18aa8218fa7efca92aa91df0267
CyberGate
baaef35c43e34186c7e2ff97f998e41692498a2c60f78eb294bf71ae7fe1e16b
CyberGate
ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
CyberGate
+ 44 additional samples on MalwareBazaar
Result
Malware family:
cybergate
Create hunting rule
Score:
  10/10
Tags:
family:cybergate botnet:lammer persistence stealer trojan upx
Link:
https://tria.ge/reports/210930-jhkknaghe6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
CyberGate, Rebhip
Malware Config
C2 Extraction:
luckhacking201zv.hopto.org:1177
Unpacked files
SH256 hash:
c41e740dae7213cbfd60487511bdbcea7d56b54308657a2f666e4ddc6d407d7a
MD5 hash:
c2c41e5e807bb1c4020c353f237581f1
SHA1 hash:
7729eb7b614dff9507045d73b08a17ab5059876c
Link:
https://www.unpac.me/results/396ce432-a0d6-44f4-99c4-02814f8f3316/
SH256 hash:
d2bbd15267eb7ebb5e068a45b9329e7e9f43a35995519f64a32d522d653d823a
MD5 hash:
8d05e4c7bfe25bca595a37a6daeae669
SHA1 hash:
10bd823336626c64e8e6ae0fdffac1b843bcf770
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/396ce432-a0d6-44f4-99c4-02814f8f3316/
Parent samples :
470cd98a9fc081dee21c80423c60f8d9c62962c745b30e657e4275d465fee5d1
12aae6d43bd00772839b1fbaad7534ff3130ca6057878ee85c735b9ea47868bb
89d74a11a8625279c4b2fd80c0d600f28ba1a53b98e4f76ff6a171cc1653f318
SH256 hash:
790afcdaee4d8d5f16a78faf27433454e4c646eb0272147972997315b8d8e713
MD5 hash:
4954e62c377a56371c1179c653f55507
SHA1 hash:
b25fdb1ae877e925506461aaa2eff314a8538ae7
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/396ce432-a0d6-44f4-99c4-02814f8f3316/
SH256 hash:
6ca91e5a57f451e2eeefcb0c4a2c9916a123c65bc7d5549f3c5dfaf3e259196b
MD5 hash:
5b7b12e4abcc4a2761db1391479e42cf
SHA1 hash:
b5ca0b39854ceae38e582b37b8492249be4091ff
Link:
https://www.unpac.me/results/396ce432-a0d6-44f4-99c4-02814f8f3316/
SH256 hash:
470cd98a9fc081dee21c80423c60f8d9c62962c745b30e657e4275d465fee5d1
MD5 hash:
b2198e83a02f802a93f1e6e03366eee8
SHA1 hash:
3b89f6c1b4b0de0a8917819e262d921903b6c80e
Link:
https://www.unpac.me/results/396ce432-a0d6-44f4-99c4-02814f8f3316/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/470cd98a9fc081dee21c80423c60f8d9c62962c745b30e657e4275d465fee5d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:win_cybergate_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_cybergate_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193394/

Comments