MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CyberGate

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4
SHA3-384 hash:	c19fe2afd58f60c5d19c563522bd0676c4d689584f43572bce7ec4252a31f2ffdf124a2d5c73587647fb29516b3c4c06
SHA1 hash:	8e86ae8468aea60eba22ae9c53723ba178d4900d
MD5 hash:	fdff59f7d9c3b40b6b59b901e7dbe67b
humanhash:	washington-pluto-xray-johnny
File name:	c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4
Download:	download sample
Signature	CyberGate Create hunting rule
File size:	357'147 bytes
First seen:	2021-09-30 12:16:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:OiAuz5klCI0bAs/ACNq59fN/fixENs+GRnOIBXImbCiqP4vA227KdLjcry:OCz+QXAs/ACNqvfNXix6GRnOIBXImbCG
Threatray	60 similar samples on MalwareBazaar
TLSH	T1B174022E7B8A0373D552077229A741C1BBBCD81F33F76A6ED688012D01A676842F7799
Reporter	JAMESWT_WT
Tags:	CyberGate exe

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/193576/

Detection(s):

Win.Trojan.Msil-308

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Creating a file in the %temp% directory

Creating a window

Launching a process

Deleting a recently created file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a process with a hidden window

Connection attempt to an infection source

Sending an HTTP GET request to an infection source

Sending a TCP request to an infection source

Replacing files

Connection attempt

Delayed writing of the file

Reading critical registry keys

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Query of malicious DNS domain

Enabling autorun

Unauthorized injection to a system process

Deleting of the original file

Malware family:

Pstinb

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d968873a-f2dc-42e3-8d0e-e18902dc8513

Result

Threat name:

CyberGate

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/861993

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected CyberGate RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4/

Threat name:

ByteCode-MSIL.Dropper.Generic

Status:

Suspicious

First seen:

2021-09-28 14:58:13 UTC

AV detection:

31 of 44 (70.45%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zfbyw4jxo7wszcqeivqesxqka7t4pllu45hfd6ttn6t4vuaspssa._file

Verdict:

malicious

CyberGate

19e71e510a71ff531afb1790500259dd4439fc56ea402c8d4baf205a03b56edc

CyberGate

3ba8a562f78af7776675f128f12777144fc3c73a471d8efb1950728179bb72d9

CyberGate

8c0ad323d189a9eac013425b57059204c026454d49a4a35d545e013d9d99b756

CyberGate

91b137c0a7b65d1d2c443e92327e10f87e17d18aa8218fa7efca92aa91df0267

CyberGate

b363f4b3709b0bd3a60379fac80fd5d3fd67d3da7abe99044d6336e807642211

CyberGate

d40b7d79822917e150fd3975a74e643c736bf55fb7173df40494f8afab138da0

CyberGate

d6260dfe90cbc3e03a188d9e1128d14b3b17b851fb7f13da97ae67ffc50e35ec

CyberGate

f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305

CyberGate

+ 50 additional samples on MalwareBazaar

Result

Malware family:

cybergate

Score:

10/10

Tags:

family:cybergate botnet:remote stealer trojan

Link:

https://tria.ge/reports/210930-pf2daahfc9/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

CyberGate, Rebhip

Malware Config

C2 Extraction:

46.163.71.57:20002

Unpacked files

SH256 hash:

9c4979eeb3b37c074bb960382a24610344dc0520e42e1283681acc087c0c4e6c

MD5 hash:

1268ff8f3a5a4b63e87d93e26712bf9c

SHA1 hash:

388f0d1faa03328fed1e5ad475704dc8062686eb

Link:

https://www.unpac.me/results/0ba73dd8-c457-4a55-8da3-f45cb2c81dbb/

Parent samples :

3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

SH256 hash:

dd25c682416c42f88113126104ab6f33e6b8ebd35792d0fb5cad40a2737f87f7

MD5 hash:

74580843292d27d262fd9002912fa035

SHA1 hash:

a82f7078aefad768e59be1ed5b91209f1c5ee2ea

Detections:

win_cybergate_w0

win_cybergate_auto

Link:

https://www.unpac.me/results/0ba73dd8-c457-4a55-8da3-f45cb2c81dbb/

Parent samples :

8c0ad323d189a9eac013425b57059204c026454d49a4a35d545e013d9d99b756
f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
be404ffc5c363f80e7099a43a46c1ccd39f8593c660fd947bd8898ab44dd9731
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4
d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624
10214ec31eefe2eabd38262e9a404f781949bd09ff3831ffd3a9d9f9c8a277eb
3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec

SH256 hash:

b379df1b4b914a82a0ea372ab70fa76acf8714b2dc5eb3c85ad681a45e9fcca3

MD5 hash:

e184ee870da5f3df8203d6484f667586

SHA1 hash:

3bfae99fab1f024e879d466d1f3d822b477d31ce

Detections:

win_cybergate_w0

win_cybergate_auto

Link:

https://www.unpac.me/results/0ba73dd8-c457-4a55-8da3-f45cb2c81dbb/

SH256 hash:

c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4

MD5 hash:

fdff59f7d9c3b40b6b59b901e7dbe67b

SHA1 hash:

8e86ae8468aea60eba22ae9c53723ba178d4900d

Link:

https://www.unpac.me/results/0ba73dd8-c457-4a55-8da3-f45cb2c81dbb/

Malware family:

CyberGate

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/c9438b713777/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193576/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample