MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cybergate

Vendor detections: 9



SHA256 hash: b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
SHA3-384 hash: d2d5f1e5fa43a9f1f8d8c9517a1774467890e63d5a8ceff13698e983e294db3d65f9acf1b4375b520966a23f7eb7dba4
SHA1 hash: a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43
MD5 hash: f7533c6cdcaf5f39b1656e6d93644639
humanhash: foxtrot-vermont-foxtrot-alaska
File name: B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Signature: Cybergate
File size: 403'625 bytes
First seen: 2021-05-07 14:36:38 UTC
Last seen: 2021-05-07 16:17:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 20ef06b55514d8973dd69f4a1c7655c2 (1 x Cybergate)
ssdeep: 12288:gGyl86V+Lm6EZDw1ngbLWRVLIJRQ5QvuJ:gNXCtg2u4
TLSH: 6D840138A6E2497BC003D53E9CC284833C64B58789538D55D68FB366A8275B0AFFDB74
Reporter: abuse_ch
Tags: CyberGate exe


abuse_ch
Cybergate C2:
86.18.99.199:81

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC               ThreatFox Reference
86.18.99.199:81   https://threatfox.abuse.ch/ioc/31683/

Intelligence


File Origin
# of uploads: 3
# of downloads: 142
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Replacing files
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
DNS request
Connecting to a non-recommended domain
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Delayed writing of the file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CyberGate
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected CyberGate RAT
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Razy
Status: Malicious
First seen: 2021-05-04 23:56:00 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 31 of 47 (65.96%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: persistence upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
UPX packed file
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 9c4979eeb3b37c074bb960382a24610344dc0520e42e1283681acc087c0c4e6c
MD5 hash: 1268ff8f3a5a4b63e87d93e26712bf9c
SHA1 hash: 388f0d1faa03328fed1e5ad475704dc8062686eb

SHA256 hash: 57a5a6c5536d3fdee166a89a073ea538b59ac5e859d9cdb64d6ebb8b506f6973
MD5 hash: d2f8f274e3d66fafcce2c58e85bb744a
SHA1 hash: ec5b39424f0250dd554d9e2fbc86da051a04286b
Detections: win_cybergate_w0 win_cybergate_auto

SHA256 hash: de08e8b6bd9f1b48f7667726174fac1aa5b70460a8d7fb77db36f370a4e57e6b
MD5 hash: 1e5c6d57441787f005535988a78822d3
SHA1 hash: ff43dc96c854ce1fc7944a978e5fbabab2f8cd1f

SHA256 hash: b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
MD5 hash: f7533c6cdcaf5f39b1656e6d93644639
SHA1 hash: a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox product IDs

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Malware_QA_update
Author: Florian Roth
Description: VT Research QA uploaded malware - file update.exe
Reference: VT Research QA

Rule name: MALWARE_Win_CyberGate
Author: ditekSHen
Description: Detects CyberGate/Spyrat/Rebhip RAT

Rule name: RAT_CyberGate
Author: Kevin Breen <kevin@techanarchy.net>
Description: Detects CyberGate RAT
Reference: http://malwareconfig.com/stats/CyberGate

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: VMware_detection_bin_mem
Author: James_inthe_box
Description: VMWare detection

Rule name: win_cybergate_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_cybergate_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-05-07 15:02:34 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0019] Data Micro-objective::Check String
2) [C0026.001] Data Micro-objective::Base64::Encode Data