MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5b21c58591d249570a109f7b7c9cbd91ffa9c4d994cb74ecad00ffd401ac536. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CyberGate

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	b5b21c58591d249570a109f7b7c9cbd91ffa9c4d994cb74ecad00ffd401ac536
SHA3-384 hash:	ab32cb82ca8b6d81b573592fe290eec715827081dd826f2ec19231aba99e783c1486ebf6b5f90a3a4f5e1718842a76b7
SHA1 hash:	60dd57568dbbc02afb316d22ab036bc5ccdc8419
MD5 hash:	d051493ac31c6949ab0b6cf7181d6efa
humanhash:	queen-fifteen-blue-failed
File name:	b5b21c58591d249570a109f7b7c9cbd91ffa9c4d994cb74ecad00ffd401ac536
Download:	download sample
Signature	CyberGate Create hunting rule
File size:	972'800 bytes
First seen:	2020-06-16 09:30:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep	24576:thQsy1eQrYzQXyu6/arYgGErgBluAV+tQf:cj1eQksCKkgGagXuAVAG
Threatray	78 similar samples on MalwareBazaar
TLSH	0F252311A6E19A31D8F27B3001F926A35738FCD05EB4138F964110E64CB66D5EA3CBAF
Reporter	JAMESWT_WT
Tags:	CyberGate

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

CyberGate

Link:

https://www.capesandbox.com/analysis/10705/

Detection(s):

Win.Packed.Razy-6911146-0

Win.Trojan.Generickd-4086

Gathering data

Threat name:

Win32.Trojan.Llac

Status:

Malicious

First seen:

2020-06-15 23:12:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 48 (58.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wwzbywczdusjk4fbbh33psol3ep7vhcntfglotwk2ah72qa2yu3a._file

Verdict:

malicious

CyberGate

8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782

CyberGate

8e5e93b6f3eee7f1a08a0420b25105017d3479769e6bf9d6b2518d3abc6b1a75

CyberGate

addd4ba4b4aa754501d638cbbf3c78bec538ca15a72acb5eadc7babfaecfa350

CyberGate

b479533a51ba629bd5f20a7e9faa3bcccfddc72218b23dfd5a4ab15825204944

CyberGate

c786900907fb436588483d9e7687c3abc6c0d2a72c9dbd17b5bdc1415df4c34f

CyberGate

cadc24d5dea162cd1c2d919e1896c018a8e2ee1b1f888aa8a854c4b4af28be6e

CyberGate

d8f45655685ca97ed8764eb2aabca17f5037a5e5b65a1067cbfa37ba33614b6b

CyberGate

e98090d4d1ad51575355593c7bad1c5481d377ea52c4d726ae5b8ce6b09b4f10

CyberGate

ea05817e0614fd085e2775d01e7197e93bde58cf57789aeb49ed39f6c295973c

CyberGate

+ 68 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/200624-e6x3qt4kva/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Adds Run entry to start application

Loads dropped DLL

Adds Run entry to policy start application

Executes dropped EXE

UPX packed file

Modifies Installed Components in the registry

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	RAT_CyberGate Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects CyberGate RAT
Reference:	http://malwareconfig.com/stats/CyberGate

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_cybergate_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_cybergate_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/10705/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample