MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91bc85370c947069df36f260342528436d3da40093b5aff0e8c16a29ba77c63e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CyberGate


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91bc85370c947069df36f260342528436d3da40093b5aff0e8c16a29ba77c63e
SHA3-384 hash: 825a59f495dfdd0f740faec80554b1edd8ee685617161c2e891f72f0de521e4b7ecc61fb70f89e030fc260ff3d00948e
SHA1 hash: ea1c634db8376bc37cfe7eaebcd620057af5c6e7
MD5 hash: 5de8fcc5408f522cac746daa30c994a3
humanhash: california-alabama-mississippi-hotel
File name:91bc85370c947069df36f260342528436d3da40093b5aff0e8c16a29ba77c63e
Download: download sample
Signature CyberGate
Create hunting rule
File size:800'092 bytes
First seen:2021-02-28 07:21:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2707c7e06ac7f3e315f11c46d7b06c5a (1 x CyberGate)
ssdeep 12288:iEdn0YCMKzcEP6E1irCz9z2CGuU2Ee8UyWh2FDIEMbx4YSzxtFhre4gUkh9xLE:tF0YuzcdqzHDwzW2RqNSlhKvphE
Threatray 23 similar samples on MalwareBazaar
TLSH 020512111153E869E8BB06BA54AFC2A9E000EF314F84D59B73C83D1F567A27A7F1650F
Reporter JAMESWT_WT
Tags:CyberGate

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
91bc85370c947069df36f260342528436d3da40093b5aff0e8c16a29ba77c63e
Verdict:
Malicious activity
Analysis date:
2021-02-28 08:35:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c90ccd15-4ab0-44bb-b054-c1b4224a74be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CyberGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119922/
Detection(s):
Win.Trojan.Generickdz-33
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Replacing files
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching the process to interact with network services
Enabling autorun
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CyberGate
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/620907
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disables security and backup related services
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CyberGate RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359445 Sample: 57j1imFbUx Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for dropped file 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 9 other signatures 2->60 11 57j1imFbUx.exe 2 7 2->11         started        process3 file4 50 C:\Users\user\AppData\Roaming\...\help.exe, PE32 11->50 dropped 52 C:\Users\user\...\help.exe:Zone.Identifier, ASCII 11->52 dropped 62 Detected unpacking (changes PE section rights) 11->62 64 Tries to detect sandboxes / dynamic malware analysis system (file name check) 11->64 66 Contain functionality to detect virtual machines 11->66 68 8 other signatures 11->68 15 iexplore.exe 5 3 11->15         started        18 57j1imFbUx.exe 2 11->18         started        20 cmd.exe 1 11->20         started        signatures5 process6 signatures7 78 Creates an undocumented autostart registry key 15->78 80 Creates multiple autostart registry keys 15->80 82 Injects code into the Windows Explorer (explorer.exe) 15->82 84 Creates an autostart registry key pointing to binary in C:\Windows 15->84 22 explorer.exe 1 15->22 injected 86 Writes to foreign memory regions 18->86 88 Allocates memory in foreign processes 18->88 24 net.exe 1 20->24         started        26 conhost.exe 20->26         started        process8 process9 28 help.exe 22->28         started        31 net1.exe 1 24->31         started        signatures10 70 Antivirus detection for dropped file 28->70 72 Multi AV Scanner detection for dropped file 28->72 74 Detected unpacking (changes PE section rights) 28->74 76 10 other signatures 28->76 33 help.exe 2 28->33         started        36 cmd.exe 1 28->36         started        38 iexplore.exe 1 28->38         started        process11 file12 46 C:\Windows\SysWOW64\install\v deo, PE32 33->46 dropped 48 C:\Windows\SysWOW64\...\v deo:Zone.Identifier, ASCII 33->48 dropped 40 net.exe 1 36->40         started        42 conhost.exe 36->42         started        process13 process14 44 net1.exe 1 40->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91bc85370c947069df36f260342528436d3da40093b5aff0e8c16a29ba77c63e/
Threat name:
Win32.Trojan.Zeus
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 15:58:21 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sg6iknymsrygtxzw6jqdijjiinwt3jaaso2274hiyfvctotxyy7a._file
Verdict:
malicious
Similar samples:
0eb12e969ec43debe5949bace35a26eabaa8f854ae3440180b6b74f8654a7b1d
CyberGate
266be67338e5e20e0d9eab7a3dfdc11c65f6ee3d2d572b0a5857921d4b7dbdc7
CyberGate
3a32a74e76e2844a515009139d75ec4ae6d785f5850ddcd3cf6cd1bd99604378
CyberGate
3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8
CyberGate
509c3a17103d1656c3f7a02b2d10180c2e7d926ca7e2fe42fd2130fe7b264a26
CyberGate
ae7bf3a82ad6c39368d217f27e26739d757d5f09e70ba3fa8d65e6e2171d0ab7
CyberGate
b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
CyberGate
c5590bb44c587c0140b6f87c74c77d69c2dfdc65f23ffa8b7d064d13b396e962
CyberGate
e5293306e26acee08b59796c2a80b2e9e36f4ec027016a908b4beb24f83bd8e7
CyberGate
ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
CyberGate
+ 13 additional samples on MalwareBazaar
Result
Malware family:
cybergate
Create hunting rule
Score:
  10/10
Tags:
family:cybergate persistence stealer trojan
Link:
https://tria.ge/reports/210228-b1y7gm6xqe/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Program crash
Adds policy Run key to start application
Modifies Installed Components in the registry
CyberGate Payload
CyberGate, Rebhip
Unpacked files
SH256 hash:
40b0d42bab938079853d69fd337ce0155e2686e62ba40b35e1b215508ef6f60a
MD5 hash:
0df3c85dded7f3daaf3c754d48d9733b
SHA1 hash:
bc7b488f2a8618aa0e590771821227d83c18a850
Link:
https://www.unpac.me/results/b8084273-d544-4464-8269-77cd3372a9b8/
SH256 hash:
8b192b842aca6f559e860c23b5614ccef33177dad86d8518450bf6fcd53a6ed4
MD5 hash:
9c64436c2e49887f84a8a522ff160781
SHA1 hash:
f6e9006f9b8602d3ee7405dea010afd25b5a68b4
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/b8084273-d544-4464-8269-77cd3372a9b8/
SH256 hash:
a1dfc741070bf1c4e7b483a43058406e4e8ae6a6944ca619bce0c77f807ae6e5
MD5 hash:
230a94a368bc21b5c99ff3c76ba1180e
SHA1 hash:
3a8c380cc18ef175f6e6a3f6088e62a72120f239
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/b8084273-d544-4464-8269-77cd3372a9b8/
Parent samples :
91bc85370c947069df36f260342528436d3da40093b5aff0e8c16a29ba77c63e
398857988bdafa42d6f0cc4c7696531232f208c1f2311835facfcf03a859bea4
09634fa83a4d22d87988b44205c1b69c1b49d88a2f31a272eba025bfef2712fb
SH256 hash:
91bc85370c947069df36f260342528436d3da40093b5aff0e8c16a29ba77c63e
MD5 hash:
5de8fcc5408f522cac746daa30c994a3
SHA1 hash:
ea1c634db8376bc37cfe7eaebcd620057af5c6e7
Link:
https://www.unpac.me/results/b8084273-d544-4464-8269-77cd3372a9b8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91bc85370c947069df36f260342528436d3da40093b5aff0e8c16a29ba77c63e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:win_cybergate_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_cybergate_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119922/

Comments