MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88ab0fb7aab828733d7fad8dd72ba73c7188803ed85c19d01a267ad7809cba44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Cybergate


Vendor detections: 11



SHA256 hash: 88ab0fb7aab828733d7fad8dd72ba73c7188803ed85c19d01a267ad7809cba44
SHA3-384 hash: 9534d41afe160f79e9625f2c9b01e7efaf7beeaa3f6748bfe8cdfa8f576b16599c8a6c948ba850542146b68014f92f8a
SHA1 hash: 0de17fc90bbae1b1a1db740939dd222b44f433ca
MD5 hash: 9fb3ef5f9d35773451f983671b2240f0
humanhash: spring-angel-artist-kitten
File name: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
Signature: Cybergate
File size: 1'314'816 bytes
First seen: 2021-07-12 23:47:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4ad7e5fe861f7a6db8673ee65611f001 (1 x Cybergate)
ssdeep: 24576:OAi0rldx5Xe8AdYv/3Cnyng2phFX5ldxABgwlbTiZhDb7:Op0ldrXe8UYv/3CnynjFX5ld0bWxb
Threatray: 28 similar samples on MalwareBazaar
TLSH: T15655BF2EB3C0DA11D11548B1C866CEB05E19AC3559578E5BE3807F9B7EF3CC3A512A2B
Reporter: abuse_ch
Tags: CyberGate exe
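Before detonating or sharing a copy of this sample, confirm that what you hold is the file this entry describes. The script below is an added example for this page (not MalwareBazaar tooling): it computes the four digests shown above with Python's standard library and reports, per algorithm, whether they agree with the entry. Run it over the extracted executable, not over the archive you downloaded. imphash, ssdeep and TLSH are left out because they need third-party libraries (pefile, ssdeep, py-tlsh); the stand-in bytes in the usage section are constructed and are not the sample.

```python
import hashlib
import sys
from pathlib import Path

# Digests exactly as listed in the entry above (lower-case hex), keyed by hashlib name.
ENTRY_HASHES = {
    "sha256": "88ab0fb7aab828733d7fad8dd72ba73c7188803ed85c19d01a267ad7809cba44",
    "sha3_384": "9534d41afe160f79e9625f2c9b01e7efaf7beeaa3f6748bfe8cdfa8f576b16599c8a6c948ba850542146b68014f92f8a",
    "sha1": "0de17fc90bbae1b1a1db740939dd222b44f433ca",
    "md5": "9fb3ef5f9d35773451f983671b2240f0",
}


def digest_bytes(data: bytes) -> dict:
    """Return the four digests MalwareBazaar shows for an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def digest_file(path, chunk_size: int = 1 << 20) -> dict:
    """Same digests, streamed in 1 MiB chunks so a large sample is never read into memory at once."""
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_to_entry(digests: dict, reference: dict = ENTRY_HASHES) -> dict:
    """Per-algorithm match flags. Require all of them: MD5 and SHA1 are collision-prone,
    and a partial match means you are looking at the wrong file or a tampered one."""
    return {name: digests[name].lower() == reference[name].lower() for name in reference}


def is_listed_sample(data: bytes) -> bool:
    """True only if every listed digest agrees with the bytes given."""
    return all(compare_to_entry(digest_bytes(data)).values())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = compare_to_entry(digest_file(Path(sys.argv[1])))
    else:
        # Constructed stand-in bytes: not the sample, so every line reports MISMATCH.
        result = compare_to_entry(digest_bytes(b"MZ constructed stand-in, not the real sample"))
    for name, ok in result.items():
        print(f"{name:8s} {'match' if ok else 'MISMATCH'}")
```

Usage: `python verify_entry.py path/to/88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe`. Treat anything other than four matches as "not this sample"; the unpacked-files list further down shows why a single weak hash is not enough to tell the submitted file apart from the payloads it drops.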


abuse_ch
Cybergate C2:
216.244.221.110:2006

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
216.244.221.110:2006   https://threatfox.abuse.ch/ioc/159913/

Intelligence


File Origin
# of uploads: 1
# of downloads: 145
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
Verdict: Malicious activity
Analysis date: 2021-07-12 23:49:52 UTC
Tags: trojan rebhip spyrat cybergate

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: CyberGate
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing a special instruction which causes a usermode exception
Uses dynamic DNS services
Yara detected CyberGate RAT
Behaviour
Behavior Graph ID 447621 (start date 13/07/2021, architecture WINDOWS, score 100), summarised from the graph:
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 15 other signatures
Process tree:
  88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe (Detected unpacking (changes PE section rights); Tries to evade analysis by executing a special instruction which causes a usermode exception)
    88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe, second instance (Creates an undocumented autostart registry key)
      cscript.exe
        conhost.exe
  ms.exe (three instances started, each spawning a further ms.exe)
Network, from the second instance of the sample:
  JOSE4.NO-IP.ORG -> 216.244.221.110:2006 (local port 49764; SIONSAAR, Argentina)
  pinguela.dnsd.me -> 162.210.196.173:2003 (LEASEWEB-USA-WDCUS, United States)
  2 other IPs or domains
Dropped files, from the second instance of the sample:
  C:\Program Files (x86)\systemroot\ms.exe (PE32)
  C:\Users\...\userv1.18.0 - Trial version.vbs (ASCII)
  C:\...\ms.exe:Zone.Identifier (ASCII)
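The ThreatFox IOC table gives one vetted C2 socket; the sandbox network section above adds a second IP:port and two dynamic-DNS hostnames that were observed once. The script below is an added example for this page (not abuse.ch or sandbox tooling) that hunts for both sets in connection and DNS logs and ranks the hits: the ThreatFox socket is high confidence, the sandbox-observed destinations medium, and a bare dynamic-DNS suffix or the C2 IP on another port only low. The `src=... dst=... dport=...` / `query=...` log format and the log lines are constructed for the demo; replace the two regexes with ones for your own source.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# From the ThreatFox IOC table above: the vetted C2 socket.
C2_SOCKETS = {("216.244.221.110", 2006)}
C2_IPS = {ip for ip, _ in C2_SOCKETS}
# Destinations the sandbox run resolved and contacted (seen once, so ranked lower).
SANDBOX_SOCKETS = {("162.210.196.173", 2003)}
SANDBOX_HOSTS = {"jose4.no-ip.org", "pinguela.dnsd.me"}
# "Uses dynamic DNS services": the two provider suffixes from the run, weak on their own.
DYNDNS_SUFFIXES = (".no-ip.org", ".dnsd.me")

# Constructed key=value log format for the demo; swap these for your own log source.
CONN_RE = re.compile(r"\bdst=(?P<dst>[0-9.]+)\s+dport=(?P<dport>\d+)")
DNS_RE = re.compile(r"\bquery=(?P<qname>\S+)")


@dataclass
class Hit:
    line_no: int
    confidence: str
    reason: str


def classify_socket(ip: str, port: int) -> Optional[Tuple[str, str]]:
    if (ip, port) in C2_SOCKETS:
        return "high", "ThreatFox C2 socket"
    if (ip, port) in SANDBOX_SOCKETS:
        return "medium", "sandbox-observed destination"
    if ip in C2_IPS:
        # Same host on another port: RAT operators move ports, so keep it but rank it lower.
        return "low", "ThreatFox C2 IP on unexpected port"
    return None


def classify_query(qname: str) -> Optional[Tuple[str, str]]:
    q = qname.lower().rstrip(".")  # normalise case and a trailing dot
    if q in SANDBOX_HOSTS:
        return "medium", "sandbox-resolved hostname"
    if q.endswith(DYNDNS_SUFFIXES):
        return "low", "dynamic DNS provider"
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line that matches an indicator, in log order."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = CONN_RE.search(line)
        if m:
            verdict = classify_socket(m["dst"], int(m["dport"]))
            if verdict:
                hits.append(Hit(n, verdict[0], f"{verdict[1]}: {m['dst']}:{m['dport']}"))
            continue
        m = DNS_RE.search(line)
        if m:
            verdict = classify_query(m["qname"])
            if verdict:
                hits.append(Hit(n, verdict[0], f"{verdict[1]}: {m['qname']}"))
    return hits


# Constructed sample log (not real traffic); 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    "2021-07-13T00:01:02Z src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2021-07-13T00:01:05Z src=10.0.0.5 query=jose4.no-ip.org",
    "2021-07-13T00:01:05Z src=10.0.0.5 dst=216.244.221.110 dport=2006",
    "2021-07-13T00:01:09Z src=10.0.0.5 query=pinguela.dnsd.me",
    "2021-07-13T00:01:09Z src=10.0.0.5 dst=162.210.196.173 dport=2003",
    "2021-07-13T00:02:00Z src=10.0.0.7 query=someone-else.no-ip.org",
    "2021-07-13T00:02:01Z src=10.0.0.7 dst=216.244.221.110 dport=80",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: [{hit.confidence}] {hit.reason}")
```

Dynamic-DNS hostnames re-point freely, so the IP seen in July 2021 says little about where JOSE4.NO-IP.ORG resolves today; match on the hostname in DNS logs as well as on the socket, and check the ThreatFox reference for the indicator's current status before acting on a hit.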
Threat name: Win32.Trojan.Llac
Status: Malicious
First seen: 2019-03-10 19:17:54 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Adds policy Run key to start application
Modifies Installed Components in the registry
UPX packed file
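Three of the behaviours listed above are registry persistence: the Run key, the policy Run key (Policies\Explorer\Run) and Active Setup Installed Components, plus a file dropped under Program Files. The script below is an added example for this page (not MalwareBazaar or sandbox tooling) that parses a `reg export` dump, keeps only string values under those autostart locations, and flags the ones whose command references the path the sandbox saw dropped, C:\Program Files (x86)\systemroot\ms.exe. The .reg text, the value names and the GUID are constructed for the demo and are not something the page states the malware uses.

```python
import re
from typing import Iterator, List, Tuple

# Autostart locations from the behaviour list, matched case-insensitively as substrings
# so HKLM, HKCU and Wow6432Node variants are all covered.
AUTOSTART_KEYS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\policies\explorer\run",
    r"\microsoft\active setup\installed components",
)
# Path of the PE32 the sandbox run saw dropped (from the behaviour graph above).
DROPPED_PATH = r"c:\program files (x86)\systemroot\ms.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<value>.*)$')
_ESCAPE_RE = re.compile(r"\\(.)")


def unquote_reg_string(value: str) -> str:
    """Strip the quotes of a REG_SZ literal and undo reg.exe's backslash escapes (\\\\ and \\")."""
    return _ESCAPE_RE.sub(r"\1", value[1:-1])


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, string) for every REG_SZ value in a .reg export.
    hex: and dword: values are skipped. Open real exports with encoding="utf-16",
    because reg.exe writes UTF-16LE with a BOM."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and m["value"].startswith('"'):
            name = "(Default)" if m["default"] else m["name"]
            yield current, name, unquote_reg_string(m["value"])


def is_autostart(key: str) -> bool:
    k = key.lower()
    return any(marker in k for marker in AUTOSTART_KEYS)


def find_suspicious_autostarts(text: str, dropped_path: str = DROPPED_PATH) -> List[Tuple[str, str, str]]:
    """Autostart entries whose command references the dropped binary."""
    return [(key, name, value) for key, name, value in parse_reg_export(text)
            if is_autostart(key) and dropped_path in value.lower()]


# Constructed .reg text for the demo (value names and GUID are placeholders).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Update"="\"C:\\Program Files (x86)\\systemroot\\ms.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Update"="C:\\Program Files (x86)\\systemroot\\ms.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Program Files (x86)\\systemroot\\ms.exe restart"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Placeholder]
"DisplayIcon"="C:\\Program Files (x86)\\systemroot\\ms.exe"
'''

if __name__ == "__main__":
    for key, name, value in find_suspicious_autostarts(SAMPLE_REG):
        print(f"{key}\n  {name} = {value}")
```

On a host, export each hive's Software key (`reg export HKLM\SOFTWARE hklm.reg` and the same for HKCU) and feed the files in; the Uninstall entry in the sample shows why the key filter matters, since the dropped path also turns up in places that are not autostarts. Active Setup StubPath commands run once per user at logon, so an entry there survives a cleanup that only looked at the Run keys.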
Unpacked files
SHA256 hash: 8782c39fb62a4189ea3b964d5f8a5fb29b4b2667b1ba4ba672f3ca9d89ca1007
MD5 hash: 01e7125299e6998236ad3fd7e4d67b26
SHA1 hash: 8fd495404443e05408f75eeeadd08b68241953b0
Detections: win_cybergate_w0 win_cybergate_auto

SHA256 hash: 628b59cc6f7fd9814b74bd53ee7ea921adfca5943c3b7f9301cf3887fba014c1
MD5 hash: 6cb1ac2a1ef05dc3840fe602430d7788
SHA1 hash: 30132489fc8e918510fb15e092de36b3f313722a

SHA256 hash: 2f1486de3dd1ce9599ca6fec1f3902ec6a4c98d8a41d5dcc24b661332d030110
MD5 hash: a85e2cb8ce14295a559bc6e3cbc18c01
SHA1 hash: 366b42f9eb7f273d0373f3037465668d0522326e
Detections: win_cybergate_w0 win_cybergate_auto

SHA256 hash: 88ab0fb7aab828733d7fad8dd72ba73c7188803ed85c19d01a267ad7809cba44 (the submitted sample itself)
MD5 hash: 9fb3ef5f9d35773451f983671b2240f0
SHA1 hash: 0de17fc90bbae1b1a1db740939dd222b44f433ca
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox product IDs

Rule name: Malware_QA_update
Author: Florian Roth
Description: VT Research QA uploaded malware - file update.exe
Reference: VT Research QA

Rule name: win_cybergate_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_cybergate_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments