MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c39988c4fafdf620330e857eae7838a41bd6132200fc677847fa33dcd4f7118a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CyberGate


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c39988c4fafdf620330e857eae7838a41bd6132200fc677847fa33dcd4f7118a
SHA3-384 hash: 7f05b67f809b58501a3b1b269481d9cdf89ec4529c52c57e2cbf039389a3bdba30f937de840a5ea1f6c84f602eefa2f8
SHA1 hash: 8a3eb77c0cdaa99775c6d86c565bc5d41285fa2f
MD5 hash: 0b017b991507d17e26850cba0c378576
humanhash: sink-mirror-carbon-vegan
File name:WINDOW_1.EXE
Download: download sample
Signature CyberGate
Create hunting rule
File size:282'624 bytes
First seen:2020-08-07 10:45:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cba5bd52b3e624400ffe41eb22644b79 (13 x CyberGate, 1 x njrat)
ssdeep 6144:Kk4qmrmCQ4qKTOJ/Zc0UiORf0IviDigv1hX/pIQ:V9f4qW/TRRf0X9
Threatray 24 similar samples on MalwareBazaar
TLSH 5A5423A394ECD5AEE0E208748B7D94E438BA7543A69A7A740F0EC7D9D4390C6F44630F
Reporter JAMESWT_WT
Tags:CyberGate

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CyberGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41571/
Detection(s):
Win.Trojan.Agent-36136
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.Ag-1
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Trojan.Agent-36200
Create hunting rule

SecuriteInfo.com.Win32.GenMalicious-CM.1024.UNOFFICIAL
Create hunting rule

Win.Trojan.Cybergate-5744895-0
Create hunting rule

Win.Packed.Spynet-6841468-0
Create hunting rule

Win.Worm.Explorerhijack-6999913-0
Create hunting rule

Win.Trojan.Bifrose-7001005-0
Create hunting rule

Win.Trojan.Agent-207854
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Launching a process
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Deleting a recently created file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Replacing files
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Delayed writing of the file
Enabling autorun
Unauthorized injection to a system process
Result
Threat name:
CyberGate
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/415027
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CyberGate RAT
Yara detected Keylogger Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 259760 Sample: WINDOW_1.EXE Startdate: 07/08/2020 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->37 39 Yara detected CyberGate RAT 2->39 41 4 other signatures 2->41 8 WINDOW_1.EXE 3 4 2->8         started        process3 file4 29 C:\Windows\install\explorer.exe, PE32 8->29 dropped 31 C:\Windows\...\explorer.exe:Zone.Identifier, ASCII 8->31 dropped 49 Creates an undocumented autostart registry key 8->49 51 Contain functionality to detect virtual machines 8->51 53 Contains functionality to inject threads in other processes 8->53 55 8 other signatures 8->55 12 explorer.exe 8->12         started        15 WINDOW_1.EXE 2 5 8->15         started        17 explorer.exe 8->17 injected 19 iexplore.exe 8->19         started        signatures5 process6 signatures7 57 Contains functionality to inject threads in other processes 12->57 21 explorer.exe 12->21         started        59 Drops executables to the windows directory (C:\Windows) and starts them 15->59 24 explorer.exe 8 15->24         started        process8 signatures9 43 Machine Learning detection for dropped file 21->43 45 Contain functionality to detect virtual machines 21->45 47 Contains functionality to inject threads in other processes 21->47 26 WerFault.exe 23 9 24->26         started        process10 file11 33 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->33 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c39988c4fafdf620330e857eae7838a41bd6132200fc677847fa33dcd4f7118a/
Threat name:
Win32.Worm.Rebhip
Create hunting rule
Status:
Malicious
First seen:
2020-08-07 01:23:21 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
47 of 48 (97.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yomyrrh27x3camyoqv7k46byuqn5mezcad6go6ch7iz5zvhxcgfa._file
Verdict:
malicious
Similar samples:
0ea92254716b961c39a0e1b570e2c3702167f620754619d67772b6e90a2588a0
CyberGate
0eb12e969ec43debe5949bace35a26eabaa8f854ae3440180b6b74f8654a7b1d
CyberGate
1d2ef8cd1682b74a09a6a4f5f3caa932eadbcf798ecb183b3cafaade1a38c3b2
CyberGate
3a32a74e76e2844a515009139d75ec4ae6d785f5850ddcd3cf6cd1bd99604378
CyberGate
3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8
CyberGate
a027715146e0ea40c303082ceda4f2a930613208a1175f59c6749cf0bb8f14d0
CyberGate
ae7bf3a82ad6c39368d217f27e26739d757d5f09e70ba3fa8d65e6e2171d0ab7
CyberGate
c5590bb44c587c0140b6f87c74c77d69c2dfdc65f23ffa8b7d064d13b396e962
CyberGate
e5293306e26acee08b59796c2a80b2e9e36f4ec027016a908b4beb24f83bd8e7
CyberGate
ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
CyberGate
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200807-5yxtn2yefs/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CyberGate
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c39988c4fafdf620330e857eae7838a41bd6132200fc677847fa33dcd4f7118a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:RAT_CyberGate
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects CyberGate RAT
Reference:http://malwareconfig.com/stats/CyberGate
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_cybergate_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_cybergate_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41571/

Comments