MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89d74a11a8625279c4b2fd80c0d600f28ba1a53b98e4f76ff6a171cc1653f318. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cybergate

Vendor detections: 18

Intelligence 18 IOCs 2 YARA 2 File information Comments

SHA256 hash:	89d74a11a8625279c4b2fd80c0d600f28ba1a53b98e4f76ff6a171cc1653f318
SHA3-384 hash:	e4f40e9e3fcc940abedd8b6f37b43ba4b3dd10e4a0bf6c93fcbe72fd09134eadf67f0942688b21ed3b0058ad014d059f
SHA1 hash:	960ffb47b34faf2af089fd4209945ea6d8beaec1
MD5 hash:	df0d23a80b679cd0af6d6855c811804b
humanhash:	two-violet-friend-fillet
File name:	df0d23a80b679cd0af6d6855c811804b.exe
Download:	download sample
Signature	Cybergate Create hunting rule
File size:	630'846 bytes
First seen:	2025-05-01 07:21:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f197be991955ba1b86b50dce7b038189 (1 x Cybergate)
ssdeep	12288:D04a1NxLMcrn6bJUNY048tfcYTOV9zqRLRROIXYPNUcTFp4:PifMcrIGNUK96DOVRRzYPNv5p4
Threatray	101 similar samples on MalwareBazaar
TLSH	T1ACD41252E67F75BDF8AD06309BEB4BFB28952C612324A2532FE1DB0F75B5C012636106
TrID	81.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 6.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	e0e1e4aeb8aea020 (29 x CoinMiner, 2 x Gh0stRAT, 1 x njrat)
Reporter	abuse_ch
Tags:	CyberGate exe

abuse_ch

Cybergate C2:
147.185.221.26:61767

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
147.185.221.26:61767	https://threatfox.abuse.ch/ioc/1514433/
147.185.221.27:2036	https://threatfox.abuse.ch/ioc/1514434/

Intelligence

File Origin

# of uploads :

# of downloads :

362

Origin country :

Vendor Threat Intelligence

Malware family:

cybergate

ID:

File name:

df0d23a80b679cd0af6d6855c811804b.exe

Verdict:

Malicious activity

Analysis date:

2025-05-01 10:40:42 UTC

Tags:

cybergate rat auto-reg upx

Link:

https://app.any.run/tasks/2a3357dd-fb1f-4033-b534-a8ad3b466f09

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CyberGate

Link:

https://www.capesandbox.com/analysis/5505/

Detection(s):

Win.Trojan.Llac-6913181-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68132492c8b2e86d0ac5b704

Tags:

cybergate virus sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Creating a file in the %temp% directory

Launching a process

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay overlay packed packed packer_detected visual_basic

Link:

https://www.filescan.io/uploads/6813212046fe05453cabb6aa/reports/8361597f-5502-4b97-9a65-741db55b90c8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/89d74a11a8625279c4b2fd80c0d600f28ba1a53b98e4f76ff6a171cc1653f318

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e33dc52d-bef0-4387-a268-3cb11eb6c01d

Result

Threat name:

CyberGate

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1678965

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected CyberGate RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/89d74a11a8625279c4b2fd80c0d600f28ba1a53b98e4f76ff6a171cc1653f318

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89d74a11a8625279c4b2fd80c0d600f28ba1a53b98e4f76ff6a171cc1653f318/

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-04-17 01:43:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rhluuenimjjhtrfs7wambvqa6kf2djj3tdspo37wufy4yfst6mma._file

Verdict:

malicious

Label(s):

cybergate

Cybergate

3d04e3e3ca18e2a313be6ab4ed837e31d4e2587341835267717b7b93a0b8ccdc

Cybergate

470cd98a9fc081dee21c80423c60f8d9c62962c745b30e657e4275d465fee5d1

Cybergate

5b3bb026ad01ea693afc1e8c7669fd478258ee335bee9baff31a8edf691b8b4c

Cybergate

5c5a76538892b9420e56a8c5f6f7dc8210a46ddbfc85d1f8f0e5bb90f15dc3e0

Cybergate

738496124b1b2800e8e069e7131f995d1693728e27676c4550bd393f4cb96619

Cybergate

9e424c1f93f1964a2b158bbd626ccf9e2722618710c3d80049c733430fc33045

Cybergate

b9bccbf332c6f942113a67885cedc8e916f1ee5818ce7a5cbe931af88bf43640

Cybergate

+ 91 additional samples on MalwareBazaar

Result

Malware family:

cybergate

Score:

10/10

Tags:

family:cybergate botnet:dracula discovery persistence stealer trojan upx

Link:

https://tria.ge/reports/250501-h7b45sgn9y/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

UPX packed file

Adds Run key to start application

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Boot or Logon Autostart Execution: Active Setup

CyberGate, Rebhip

Cybergate family

Malware Config

C2 Extraction:

terms-pieces.gl.at.ply.gg:61767
satelite1995.sytes.net:2000
dracula4000.duckdns.org:4000

Verdict:

Malicious

Tags:

Win.Trojan.Llac-6913181-0

YARA:

n/a

Link:

https://app.threat.zone/submission/00624f0c-c149-4492-88b6-b01af3eea5fb

Unpacked files

SH256 hash:

89d74a11a8625279c4b2fd80c0d600f28ba1a53b98e4f76ff6a171cc1653f318

MD5 hash:

df0d23a80b679cd0af6d6855c811804b

SHA1 hash:

960ffb47b34faf2af089fd4209945ea6d8beaec1

Link:

https://www.unpac.me/results/6d56c699-0c51-42da-8b44-3dd60cea9d7e/

SH256 hash:

b268a76c956ded80f8947ac007d244fad570af889d642ee1f05210b48a1ca948

MD5 hash:

b883de45e75bb1631cc8a777668f7dc5

SHA1 hash:

f8cba24d3b79b6d02123819dfb24b53acb8a0c68

Link:

https://www.unpac.me/results/6d56c699-0c51-42da-8b44-3dd60cea9d7e/

SH256 hash:

cde6d6ecfc837a4100f7257f1db8f4b125c9b7d110187ea727b293aa0432a1a8

MD5 hash:

1d5fa335d7bd2fc0efe97280525f302f

SHA1 hash:

30469fcef6ca41c8842f3aef4858c7909a3b7772

Detections:

win_cybergate_auto

win_cybergate_w0

RAT_CyberGate

SUSP_XORed_MSDOS_Stub_Message

INDICATOR_SUSPICIOUS_EXE_SandboxProductID

MALWARE_Win_CyberGate

Link:

https://www.unpac.me/results/6d56c699-0c51-42da-8b44-3dd60cea9d7e/

SH256 hash:

d2bbd15267eb7ebb5e068a45b9329e7e9f43a35995519f64a32d522d653d823a

MD5 hash:

8d05e4c7bfe25bca595a37a6daeae669

SHA1 hash:

10bd823336626c64e8e6ae0fdffac1b843bcf770

Detections:

win_cybergate_auto

win_cybergate_w0

Malware_QA_update

Link:

https://www.unpac.me/results/6d56c699-0c51-42da-8b44-3dd60cea9d7e/

Parent samples :

470cd98a9fc081dee21c80423c60f8d9c62962c745b30e657e4275d465fee5d1
12aae6d43bd00772839b1fbaad7534ff3130ca6057878ee85c735b9ea47868bb
89d74a11a8625279c4b2fd80c0d600f28ba1a53b98e4f76ff6a171cc1653f318

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/89d74a11a8625279c4b2fd80c0d600f28ba1a53b98e4f76ff6a171cc1653f318

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/5505/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaSetSystemError MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaFileOpen MSVBVM60.DLL::__vbaErrorOverflow

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample