MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4acdef5bab397d24a91955f07803c10089bf24d570159f779284408f3a2d1141. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CyberGate

Vendor detections: 8

SHA256 hash: 4acdef5bab397d24a91955f07803c10089bf24d570159f779284408f3a2d1141
SHA3-384 hash: 8974cef84c4ffe17c4f8cb0a3949d159168d71699bbd2ee6db9e050e12570ca27c741ea07ce42af85f8895d5bb32886e
SHA1 hash: 52fd2d372bc658b40d87ea78d8eb3844128d022f
MD5 hash: 82abb3648ac3b46ce91801ae3d7bb2bc
humanhash: wisconsin-pip-florida-north
File name: 82abb3648ac3b46ce91801ae3d7bb2bc.exe
Signature: CyberGate
File size: 664'115 bytes
First seen: 2022-09-07 09:28:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 12288:nTcFngzqfSbTPw9/A813WS8UgjCSxAO9nax5+4LFJswwwUkVDTOQe:TcVkKSbTI948dWS81VaD5+KJswwwUkV6
Threatray: 22 similar samples on MalwareBazaar
TLSH: T184E4126236EA84F6D15221708644FF7550B5DF544B381EFB33C0FD1FBB3A982A12A299
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 8e333b33331b67a6 (1 x CyberGate)
Reporter: abuse_ch
Tags: CyberGate exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 296
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: FME (1).exe
Verdict: Suspicious activity
Analysis date: 2022-05-28 11:11:47 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Searching for the window
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Creating synchronization primitives

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: suspicious
Classification: evad
Score: 37 / 100
Signature: Sample or dropped binary is a compiled AutoHotkey binary

Behaviour
Behavior Graph (ID: 698745; Sample: 9ISNeRdj1B.exe; Startdate: 07/09/2022; Architecture: WINDOWS; Score: 37), as recoverable from the graph image:
  9ISNeRdj1B.exe started
    dropped: C:\Users\user\AppData\Local\Temp\...\FME.exe (PE32+)
    started: FME.exe
      network: raw.githubusercontent.com 185.199.108.133, 443, 49706 (FASTLYUS, Netherlands)
      dropped: C:\Users\user\AppData\Roaming\FMEV2\FME.exe (PE32+)
      dropped: C:\Users\user\AppData\...\7zS01A5A97E.exe (MS-DOS)
      signature: Sample or dropped binary is a compiled AutoHotkey binary
      started: 7zS01A5A97E.exe
        signature: Sample or dropped binary is a compiled AutoHotkey binary
        started: FME.exe
          signature: Sample or dropped binary is a compiled AutoHotkey binary
Result
Malware family: n/a
Score: 8/10
Tags: n/a

Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Executes dropped EXE

Unpacked files
SHA256 hash: 4acdef5bab397d24a91955f07803c10089bf24d570159f779284408f3a2d1141
MD5 hash: 82abb3648ac3b46ce91801ae3d7bb2bc
SHA1 hash: 52fd2d372bc658b40d87ea78d8eb3844128d022f

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: dsc
Author: Aaron DeVera
Description: Discord domains

Rule name: html_auto_download_b64
Author: Tdawg
Description: html auto download

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist

Rule name: win_cybergate_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  CyberGate
  Executable exe 4acdef5bab397d24a91955f07803c10089bf24d570159f779284408f3a2d1141 (this sample)

Delivery method: Distributed via web download

Comments