MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CyberGate

Vendor detections: 18

Intelligence 18 IOCs YARA 31 File information Comments

SHA256 hash:	8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
SHA3-384 hash:	1d98d14f6081a2b4fa48b3670aa6c36c06edeeea8861ab0dae862105d99208504fe22076bb3ef29fa3f34c94121c1904
SHA1 hash:	f080ca49f260b8860415f4b596ac4008b160a7b6
MD5 hash:	dbcb2b734803eb3b147f50cbe931b9ff
humanhash:	washington-cola-may-delta
File name:	250428-dsr5lasmt4.bin
Download:	download sample
Signature	CyberGate Create hunting rule
File size:	323'584 bytes
First seen:	2025-04-28 03:23:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2f3c5da38e687ed8e68cd2b55dbd54f6 (2 x PureLogsStealer, 1 x NetWire, 1 x Hermes)
ssdeep	6144:c0tnRaV2mNwAaz2bDfdz+C72+E1zFu2DnjLHlXwhdvrN2:lRICAaqnfdz/6+uzFu+jLHOPzN2
Threatray	86 similar samples on MalwareBazaar
TLSH	T12064020AA1D4E7B2E24E81753595439940B1FC3A1C436217FFE8FD3A7E762C26A90787
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	c4c0d4c0ccb0b0b0 (1 x CyberGate)
Reporter	UNP4CK
Tags:	CyberGate

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

cybergate

ID:

File name:

250428-dsr5lasmt4.bin

Verdict:

Malicious activity

Analysis date:

2025-04-28 03:24:10 UTC

Tags:

cybergate rat auto-reg upx

Link:

https://app.any.run/tasks/8079ad73-9bd9-4f39-91a5-550eabde7e76

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CyberGate

Link:

https://www.capesandbox.com/analysis/4588/

Detection(s):

Win.Trojan.Poison-7869

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=680ef780cc5fb3600cc3b6a1

Tags:

poison emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Restart of the analyzed sample

Creating a file in the Windows subdirectories

Creating a file in the %temp% directory

Launching a process

Searching for synchronization primitives

Enabling the 'hidden' option for recently created files

Creating a file in the %AppData% directory

Creating a process from a recently created file

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

DNS request

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

entropy exploit masquerade overlay packed packed packer_detected rat virtual visual_basic

Link:

https://www.filescan.io/uploads/680ef49b212716475fafae66/reports/952b20d7-b395-4613-b61f-645d71d091ad/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8597e822-d943-41bc-b6e2-e8aa4601b29f

Result

Threat name:

CyberGate

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1675863

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Contains functionality to register a low level keyboard hook

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected CyberGate RAT

Yara detected Generic Dropper

Behaviour

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50/

Threat name:

Win32.Worm.Rebhip

Status:

Malicious

First seen:

2011-09-07 05:34:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 36 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rbjugtkc3xaxvywkcjrhkrvz7iblv5w2mz4o3yg4pwzzph4f7via._file

Verdict:

malicious

Label(s):

cybergate

CyberGate

10214ec31eefe2eabd38262e9a404f781949bd09ff3831ffd3a9d9f9c8a277eb

CyberGate

220afdc07395514a4a517473cf3473cf1307ae597cfe924b0d05b0958f68852e

CyberGate

3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33

CyberGate

d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624

CyberGate

error

CyberGate

+ 76 additional samples on MalwareBazaar

Result

Malware family:

cybergate

Score:

10/10

Tags:

family:cybergate botnet:remote discovery persistence stealer trojan upx

Link:

https://tria.ge/reports/250428-dxh3gssnv9/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

UPX packed file

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Drops file in Drivers directory

CyberGate, Rebhip

Cybergate family

Malware Config

C2 Extraction:

baaaaaaad.myftp.biz:90

Verdict:

Malicious

Tags:

Win.Trojan.Poison-7869

YARA:

n/a

Link:

https://app.threat.zone/submission/e02f0f75-7ca2-48da-957f-be38c60de7e6

Unpacked files

SH256 hash:

8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50

MD5 hash:

dbcb2b734803eb3b147f50cbe931b9ff

SHA1 hash:

f080ca49f260b8860415f4b596ac4008b160a7b6

Link:

https://www.unpac.me/results/567f4511-aedf-40d6-8318-c6effac4cc97/

SH256 hash:

478729b6515b2335f97459820dc6440eeced150718f89224e08da713e6736f8c

MD5 hash:

05f0ed936529c831bfd69d20ac2706a6

SHA1 hash:

45ab5b2607d5b75794cf00ef278626a287c4c6f9

Link:

https://www.unpac.me/results/567f4511-aedf-40d6-8318-c6effac4cc97/

SH256 hash:

bca7864e61cb4cbfe1a74d528777e4201098d772d3ba7c220ad07003f38bba8e

MD5 hash:

733c4b9c5978c3aed4c648f0d410a7e2

SHA1 hash:

27725c9c5090a264b7a35bb227af9c6891b18130

Detections:

win_cybergate_auto

win_cybergate_w0

RAT_CyberGate

SUSP_XORed_MSDOS_Stub_Message

INDICATOR_SUSPICIOUS_EXE_SandboxProductID

MALWARE_Win_CyberGate

Link:

https://www.unpac.me/results/567f4511-aedf-40d6-8318-c6effac4cc97/

SH256 hash:

dd25c682416c42f88113126104ab6f33e6b8ebd35792d0fb5cad40a2737f87f7

MD5 hash:

74580843292d27d262fd9002912fa035

SHA1 hash:

a82f7078aefad768e59be1ed5b91209f1c5ee2ea

Detections:

win_cybergate_auto

win_cybergate_w0

Malware_QA_update

Link:

https://www.unpac.me/results/567f4511-aedf-40d6-8318-c6effac4cc97/

Parent samples :

8c0ad323d189a9eac013425b57059204c026454d49a4a35d545e013d9d99b756
f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
be404ffc5c363f80e7099a43a46c1ccd39f8593c660fd947bd8898ab44dd9731
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4
d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624
10214ec31eefe2eabd38262e9a404f781949bd09ff3831ffd3a9d9f9c8a277eb
3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

SH256 hash:

9c4979eeb3b37c074bb960382a24610344dc0520e42e1283681acc087c0c4e6c

MD5 hash:

1268ff8f3a5a4b63e87d93e26712bf9c

SHA1 hash:

388f0d1faa03328fed1e5ad475704dc8062686eb

Detections:

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Link:

https://www.unpac.me/results/567f4511-aedf-40d6-8318-c6effac4cc97/

Parent samples :

3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

Malware family:

CyberGate

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8853434d42dd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	Check_Dlls Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxProductID Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox product IDs

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_CyberGate Create hunting rule
Author:	ditekSHen
Description:	Detects CyberGate/Spyrat/Rebhip RTA

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RAT_CyberGate Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects CyberGate RAT
Reference:	http://malwareconfig.com/stats/CyberGate

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	UPX20030XMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_CyberGate_c219a2f3 Create hunting rule
Author:	Elastic Security

Rule name:	win_cybergate_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_cybergate_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/4588/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	msvbvm60.dll ::__vbaSetSystemError msvbvm60.dll ::EVENT_SINK_AddRef msvbvm60.dll ::__vbaFileOpen msvbvm60.dll ::__vbaErrorOverflow
WIN_BASE_API	Uses Win Base API	kernel32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample