MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b363f4b3709b0bd3a60379fac80fd5d3fd67d3da7abe99044d6336e807642211. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cybergate


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b363f4b3709b0bd3a60379fac80fd5d3fd67d3da7abe99044d6336e807642211
SHA3-384 hash: a23eb18416098b5fc472d9dd96639dd8bb08e4d0c5cac07c59cb20bbe81bc2144027e17ef1464549c94a9f811c2042a3
SHA1 hash: 1aaed6ea31a9b8009ab08e4e7467df57c326ea48
MD5 hash: f704d3ad9a00439ebcecba71388b40e9
humanhash: one-uniform-skylark-nuts
File name:AGENT GUIDE DOCUMENT.pdf.exe
Download: download sample
Signature Cybergate
Create hunting rule
File size:431'104 bytes
First seen:2020-06-20 12:56:55 UTC
Last seen:2020-06-20 13:41:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:0bfkCHnVpWHBbKY700oM5yDVTDz3NtymQoSw:c5nmKY7hcJnNt19Sw
Threatray 101 similar samples on MalwareBazaar
TLSH A994DFA0A16ABF72D8328BF42571B41507BD3F0678A4E61D7D9EB1EE16B27003581E4F
Reporter abuse_ch
Tags:CyberGate exe nVpn RAT


Avatar
abuse_ch
Malspam distributing Cybergate:

HELO: hs2.name.com
Sending IP: 169.59.0.130
From: Ugo Egbuta <uegbuta@startimes.com.ng>
Subject: GUIDE DOCUMENT TO ALL AGENT
Attachment: AGENT GUIDE DOCUMENT.pdf.rar (contains "AGENT GUIDE DOCUMENT.pdf.exe")

Cybergate RAT C2:
johndns.publicvm.com:5190 (79.134.225.69)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CyberGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12330/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.54643.8661.24805.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-20 12:58:05 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wnr7jm3qtmf5hjqdph5mqd6v2p6wpu62pk7jsbcnmm3oqb3eeiiq._file
Verdict:
malicious
Similar samples:
0eb12e969ec43debe5949bace35a26eabaa8f854ae3440180b6b74f8654a7b1d
Cybergate
266be67338e5e20e0d9eab7a3dfdc11c65f6ee3d2d572b0a5857921d4b7dbdc7
Cybergate
3a32a74e76e2844a515009139d75ec4ae6d785f5850ddcd3cf6cd1bd99604378
Cybergate
3ba8a562f78af7776675f128f12777144fc3c73a471d8efb1950728179bb72d9
Cybergate
5b3bb026ad01ea693afc1e8c7669fd478258ee335bee9baff31a8edf691b8b4c
Cybergate
ae7bf3a82ad6c39368d217f27e26739d757d5f09e70ba3fa8d65e6e2171d0ab7
Cybergate
d40b7d79822917e150fd3975a74e643c736bf55fb7173df40494f8afab138da0
Cybergate
d6260dfe90cbc3e03a188d9e1128d14b3b17b851fb7f13da97ae67ffc50e35ec
Cybergate
e5293306e26acee08b59796c2a80b2e9e36f4ec027016a908b4beb24f83bd8e7
Cybergate
ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
Cybergate
+ 91 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200624-q4kb8597ge/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of SetThreadContext
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Rule name:win_cybergate_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_cybergate_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Cybergate

rar f83b65d22376b82a2f8304dbf3fcb8860a068ac34da291e8f067f17d64662c0c

Cybergate

Executable exe b363f4b3709b0bd3a60379fac80fd5d3fd67d3da7abe99044d6336e807642211

(this sample)

  
Dropped by
MD5 a9ec0595ff347177d5d05631aa7e4153
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f83b65d22376b82a2f8304dbf3fcb8860a068ac34da291e8f067f17d64662c0c
Cape
Cape
https://www.capesandbox.com/analysis/12330/

Comments