MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c5e6f26ffcdaec3ec1b9e687430e51a6f6460d0572d36e826ef8f511b611b5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cybergate


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c5e6f26ffcdaec3ec1b9e687430e51a6f6460d0572d36e826ef8f511b611b5c
SHA3-384 hash: c9a9b70252c22448309d18af848978741e669f85f1d6ee242da9572ac4a3c08425bea6c73a482751fe1f3db0e2bfcf40
SHA1 hash: f646167178fcf6bb8046a99304493ca5e33bfb6b
MD5 hash: 52e5920bd87fbf8e60fd63937213d23f
humanhash: shade-robert-carbon-colorado
File name:52E5920BD87FBF8E60FD63937213D23F.exe
Download: download sample
Signature Cybergate
Create hunting rule
File size:6'847'351 bytes
First seen:2021-06-08 07:06:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 98304:b3OyvwY0J3JyLZWDaw965gn41R5G1X4KnLAMKQnCICcTSRMwB1J5iJmV:b3EXyVUCE4rCzcMJEcmRMwB1J0JmV
Threatray 555 similar samples on MalwareBazaar
TLSH 42663382E6D6C8B2F06209355939D334316B7D305E7D8E2FD7D83D699A706C2A034AB7
Reporter abuse_ch
Tags:CyberGate exe


Avatar
abuse_ch
Cybergate C2:
23.105.131.235:6666

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.105.131.235:6666 https://threatfox.abuse.ch/ioc/66878/

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52E5920BD87FBF8E60FD63937213D23F.exe
Verdict:
Malicious activity
Analysis date:
2021-06-08 07:51:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/77ef051f-eef7-4dec-b239-f4efc2958e41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CyberGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165179/
Detection(s):
Win.Dropper.Bladabindi-6813690-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a file in the Program Files subdirectories
Launching a process
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
Loading a driver
Deleting a recently created file
DNS request
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Replacing files
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Moving a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CyberGate Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798648
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected Stratum mining protocol
DNS related to crypt mining pools
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CyberGate RAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 431048 Sample: E91sLsvV8S.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 100 122 Found malware configuration 2->122 124 Malicious sample detected (through community Yara rule) 2->124 126 Antivirus detection for dropped file 2->126 128 17 other signatures 2->128 10 E91sLsvV8S.exe 11 2->10         started        13 svchost.exe 2->13         started        16 svchost.exe 2->16         started        18 2 other processes 2->18 process3 dnsIp4 102 C:\Users\user\AppData\...\CrashHandler64.exe, PE32 10->102 dropped 104 C:\Users\user\AppData\...\CrashHandler32.exe, PE32 10->104 dropped 106 C:\Users\user\AppData\...\AtaniLauncher.exe, PE32 10->106 dropped 108 C:\Users\user\AppData\...\AtaniHandler.exe, PE32+ 10->108 dropped 20 AtaniHandler.exe 7 10->20         started        24 CrashHandler64.exe 9 10->24         started        26 CrashHandler32.exe 8 10->26         started        28 AtaniLauncher.exe 17 8 10->28         started        120 127.0.0.1 unknown unknown 13->120 file5 process6 dnsIp7 90 C:\Users\user\AppData\...\sihost32.exe, PE32+ 20->90 dropped 92 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 20->92 dropped 130 Antivirus detection for dropped file 20->130 132 Multi AV Scanner detection for dropped file 20->132 134 Machine Learning detection for dropped file 20->134 144 2 other signatures 20->144 31 sihost32.exe 20->31         started        34 svchost.exe 20->34         started        36 cmd.exe 20->36         started        38 cmd.exe 20->38         started        40 CrashHandler64.exe 6 24->40         started        136 Contain functionality to detect virtual machines 26->136 138 Contains functionality to inject threads in other processes 26->138 140 Contains functionality to steal Internet Explorer form passwords 26->140 44 CrashHandler32.exe 26->44         started        116 sefrum.tech 172.67.203.170, 443, 49730 CLOUDFLARENETUS United States 28->116 118 192.168.2.1 unknown unknown 28->118 94 C:\Users\user\AppData\...behaviorgraphunaDotNetRT.dll, PE32 28->94 dropped 142 Tries to detect virtualization through RDTSC time measurements 28->142 file8 signatures9 process10 dnsIp11 152 Multi AV Scanner detection for dropped file 31->152 154 Machine Learning detection for dropped file 31->154 156 Adds a directory exclusion to Windows Defender 31->156 46 cmd.exe 31->46         started        58 5 other processes 31->58 158 Antivirus detection for dropped file 34->158 160 Uses schtasks.exe or at.exe to add and modify task schedules 36->160 60 2 other processes 36->60 62 2 other processes 38->62 114 45.144.225.135, 49729, 80 DEDIPATH-LLCUS Netherlands 40->114 96 C:\ProgramData\LKBNMTFJgl\csrss, PE32 40->96 dropped 98 C:\ProgramData\LKBNMTFJgl\r.vbs, data 40->98 dropped 162 Writes to foreign memory regions 40->162 164 Allocates memory in foreign processes 40->164 166 Modifies the context of a thread in another process (thread injection) 40->166 172 2 other signatures 40->172 49 notepad.exe 40->49         started        52 cmd.exe 40->52         started        54 cmd.exe 40->54         started        64 2 other processes 40->64 100 C:\Program Files (x86)\Winlogui\csrss.exe, PE32 44->100 dropped 168 Creates an undocumented autostart registry key 44->168 170 Injects code into the Windows Explorer (explorer.exe) 44->170 56 explorer.exe 44->56 injected file12 signatures13 process14 dnsIp15 146 Adds a directory exclusion to Windows Defender 46->146 66 conhost.exe 46->66         started        68 powershell.exe 46->68         started        110 144.217.14.109, 14444, 49731 OVHFR Canada 49->110 112 xmr-us-east1.nanopool.org 49->112 148 System process connects to network (likely due to code injection or exploit) 49->148 70 conhost.exe 52->70         started        72 wscript.exe 52->72         started        80 2 other processes 54->80 74 csrss.exe 56->74         started        76 csrss.exe 56->76         started        78 csrss.exe 56->78         started        82 2 other processes 64->82 signatures16 150 Detected Stratum mining protocol 110->150 process17 process18 84 csrss.exe 74->84         started        86 csrss.exe 76->86         started        88 csrss.exe 78->88         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c5e6f26ffcdaec3ec1b9e687430e51a6f6460d0572d36e826ef8f511b611b5c/
Threat name:
Win32.Coinminer.BitCoinMiner
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 13:36:00 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  4/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrpg6jx7zwxmh3a3tzuhimhfdjxwiygqk4wtn2bg56hvcg3bdnoa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10
Cybergate
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
Cybergate
70da4cb906561579f992801bfce2c3f1daf01833b292a9bd04545b7e0ee49fbd
Cybergate
713984a9d714e58c92b1338df4c54b55da27753d18c09d6a45427fd85c145454
Cybergate
a465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200
Cybergate
cd91b0fbaabf19d178f3a221c517418378913af82ca88856a07cbf0df506f117
Cybergate
d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55
Cybergate
e7d6efa5783c7c9a417518ee96f0ddbb919ab711669cbf68ef6caa27dac966d5
Cybergate
fda270ad50aed906730605ca93ecaa3e24792dd070bb443f94d2d6c23124ad61
Cybergate
feb12de92aa1536ba75f69b41bf74cc3bd8438df7eb0f0705ebbd1de73994624
Cybergate
+ 545 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:cybergate family:xmrig agilenet miner persistence stealer trojan upx
Link:
https://tria.ge/reports/210608-k6ms9vxpza/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Adds policy Run key to start application
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
XMRig Miner Payload
CyberGate Payload
CyberGate, Rebhip
xmrig
Unpacked files
SH256 hash:
9844b1d0904c4bbe9ad17fb325a9beadf8d731dea8b92100419aee92cedc6fdd
MD5 hash:
4db6eac9f1cd0fb3bfce3dafdccb9e00
SHA1 hash:
b646e7824bea0e253ee957311296e605dfa5af28
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
33b2fe17e16625f80fac614fa795763bb11247ead939e5997b4f818d7736ae5d
MD5 hash:
50cc95afbc40935ac75e406c022167a2
SHA1 hash:
2066a163afbc534f22d46a90b838ff5508420274
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
1b6c2c297382bffd613070f889f1b006d25d9de48dfa24054bce8dabeb4c88c5
MD5 hash:
b0e389d9115141921b72c35b92efa947
SHA1 hash:
ebfb9dded6aa5c80b7b33c6517792b6faf372e44
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
f45992d5769523b5380d45fe1a40f2c921eabf98b695d2c2b272bcde12cab75e
MD5 hash:
c952383a9e62b399001ebbb03468d786
SHA1 hash:
1e45c19599479a6673c137ed59386b56696b4949
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
225225845fc67d204cb5066a608bc7ce306c98d2d4bc708d14c6cca56597587c
MD5 hash:
fe5a01a71310fd38033776931444d688
SHA1 hash:
fa8d40644fa0a8d6fb3f67bc88c38c1cbfcd9d91
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
6bfe27d5219252f3d5c92951519b4d63e78aaeb8edf6b3594739aa8a4923fb07
MD5 hash:
c18ef5eb295fc30a77ec4bac3078e3e9
SHA1 hash:
b76731aba8de20f37b0dc8821f8c2cfde3b53225
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
5abf967e9eb2e4fa0f555a951b15d6a4b77b4cb0cac776938e866f5872aef91b
MD5 hash:
9811cb1dff353c076dbfca3cfca9d550
SHA1 hash:
991a2d95a15c55f53ce0d8b1582e342ea39482e4
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
727ebf22c39866080f51253fba48983e6aeb260791a20574aa8805c1ecd36281
MD5 hash:
296e8190b357a89148609d00dbee3306
SHA1 hash:
560f8bb2c4b951cde5367d6588fdf9626b086468
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
b5c07ca7ce075dd12969e927ef4eadb329817b083983a40d58ee074e114e379e
MD5 hash:
49d7f6ef68b1783565c377fd39b3ecdb
SHA1 hash:
b08465a579e7207f7032b1f24e44643f9ea85dac
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
8ce5c29a6190cb5943538848f88bed51069bf6bccdaf101f980aeba5c122e005
MD5 hash:
e8137f40d1d92b8ea80a8f4efbc2a32b
SHA1 hash:
73032c6c5d808610f96d4a6112ca0745b5ce57c4
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
298767f09159680390bc746b6764786e735d4edebe1f270a65af02747d1e73dd
MD5 hash:
82f3d2e926281164c037f0c0f7bdfd37
SHA1 hash:
36f5175e73de6e8c70f707fd9e312ebb443d231d
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
SH256 hash:
8c5e6f26ffcdaec3ec1b9e687430e51a6f6460d0572d36e826ef8f511b611b5c
MD5 hash:
52e5920bd87fbf8e60fd63937213d23f
SHA1 hash:
f646167178fcf6bb8046a99304493ca5e33bfb6b
Link:
https://www.unpac.me/results/dab09d77-9b6f-4e03-bc6e-dae22ab9e4bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c5e6f26ffcdaec3ec1b9e687430e51a6f6460d0572d36e826ef8f511b611b5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox product IDs
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_CyberGate
Create hunting rule
Author:ditekSHen
Description:Detects CyberGate/Spyrat/Rebhip RTA
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:RAT_CyberGate
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects CyberGate RAT
Reference:http://malwareconfig.com/stats/CyberGate
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:VMware_detection_bin_mem
Create hunting rule
Author:James_inthe_box
Description:VMWare detection
Rule name:win_cybergate_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_cybergate_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165179/

Comments