MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cybergate


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624
SHA3-384 hash: 6bdd861b2672bd1f3fe1294bcdc6786cf4df3a2f0a5d7eb24b0cc6dca64e8a090a4a7ab4030094be655ebfc851976a9a
SHA1 hash: ff4d6b8a60d05baf0e56bee729b5da6bb2ccf55f
MD5 hash: 2fa08190c3a0040e0baab5e8034b6249
humanhash: fruit-mirror-quiet-bluebird
File name:D92A606BEDFA843A95A54253D544ECD03C944CCE85DA4.exe
Download: download sample
Signature Cybergate
Create hunting rule
File size:1'249'026 bytes
First seen:2023-01-06 21:00:35 UTC
Last seen:2023-01-06 22:39:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep 24576:ORmJkcoQricOIQxiZY1ia6owXH0LJHnrWam:bJZoQrbTFZY1ia6/1
Threatray 548 similar samples on MalwareBazaar
TLSH T19245D092F59A80F2C9523BF09D39B7C79B385A320335819B37D93D154E72492862EF63
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a6a2e3e3e3a3a200 (5 x RedLineStealer, 4 x RemoteManipulator, 2 x Formbook)
Reporter abuse_ch
Tags:CyberGate exe


Avatar
abuse_ch
Cybergate C2:
193.34.110.30:81

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
rebhip
Create hunting rule
ID:
1
File name:
D92A606BEDFA843A95A54253D544ECD03C944CCE85DA4.exe
Verdict:
Malicious activity
Analysis date:
2023-01-06 21:01:57 UTC
Tags:
trojan rebhip spyrat cybergate
Link:
https://app.any.run/tasks/bb0b34aa-a2f7-4c0f-a7e7-f71012ea25a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CyberGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/350281/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.5294714.6217.4809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
DNS request
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit greyware keylogger overlay shell32.dll
Link:
https://www.filescan.io/uploads/63b88c10b9b1c173752095e7/reports/fbb11733-b0f7-44f7-b967-04631738d60e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Rebhip
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62cb3213-815b-4386-a7bf-10a6afab8be7
Result
Threat name:
CyberGate
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1146732
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CyberGate RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624/
Threat name:
Win32.Trojan.Llac
Create hunting rule
Status:
Malicious
First seen:
2023-01-06 00:59:00 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3evga27n7kcdvfnfijj5krhm2a6jitgoqxneda2itky2o7ftgysa._file
Verdict:
malicious
Similar samples:
09634fa83a4d22d87988b44205c1b69c1b49d88a2f31a272eba025bfef2712fb
Cybergate
37e5285ef075235abeed2a5bfbf0398cd49945e77842a8e45fba2e4dcf0c819e
Cybergate
4439e07d3d7b5745b52b33edc89c085fbb6b4b24f615aea951a713b2ae7ed20d
Cybergate
9678ca06068b705da310aa2f76713d2d59905b12b67097364160857cd1f90c58
Cybergate
b3f2810e4ba5c3341498d99807e2f200459eb2bd4d365b3ee52a20e9e12606c1
Cybergate
cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a
Cybergate
+ 538 additional samples on MalwareBazaar
Result
Malware family:
cybergate
Create hunting rule
Score:
  10/10
Tags:
family:cybergate botnet:remote persistence stealer trojan upx
Link:
https://tria.ge/reports/230106-ztv4jafd31/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
CyberGate, Rebhip
Malware Config
C2 Extraction:
193.34.110.30:81
myenternet.bounceme.net:81
Unpacked files
SH256 hash:
f1c673d55d2610a171c3583a8b7ddd6178d50efb99d1b5b761e9f722a0923864
MD5 hash:
0cb0a71b1b11a073a40da096554f92d8
SHA1 hash:
a1e69432666b182ec9dd1ec0dd1b730ef5c55b50
Link:
https://www.unpac.me/results/9eab59ec-9d2b-4366-809a-181d9c04e10b/
SH256 hash:
9c4979eeb3b37c074bb960382a24610344dc0520e42e1283681acc087c0c4e6c
MD5 hash:
1268ff8f3a5a4b63e87d93e26712bf9c
SHA1 hash:
388f0d1faa03328fed1e5ad475704dc8062686eb
Link:
https://www.unpac.me/results/9eab59ec-9d2b-4366-809a-181d9c04e10b/
Parent samples :
3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec
SH256 hash:
9a5f2f621e9edebe7a01fcc8eb00609c29fbe106fc5c4c0863dec3ebca3f2268
MD5 hash:
49c4ea6b0832e9de31785aa8064490c9
SHA1 hash:
1b84172fe6dfde51534b65149ed9c0ec5f7fa064
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/9eab59ec-9d2b-4366-809a-181d9c04e10b/
SH256 hash:
dd25c682416c42f88113126104ab6f33e6b8ebd35792d0fb5cad40a2737f87f7
MD5 hash:
74580843292d27d262fd9002912fa035
SHA1 hash:
a82f7078aefad768e59be1ed5b91209f1c5ee2ea
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/9eab59ec-9d2b-4366-809a-181d9c04e10b/
Parent samples :
8c0ad323d189a9eac013425b57059204c026454d49a4a35d545e013d9d99b756
f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
be404ffc5c363f80e7099a43a46c1ccd39f8593c660fd947bd8898ab44dd9731
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4
d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624
10214ec31eefe2eabd38262e9a404f781949bd09ff3831ffd3a9d9f9c8a277eb
3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec
SH256 hash:
691802b4b4d812b52e75b5866b7500efa563e57728489ce5118c5a7b715366ad
MD5 hash:
cb983a2d5c6c4aac6538e3dba078d333
SHA1 hash:
f079b70b0e1bb15e62e22b252135ac65d89d153a
Link:
https://www.unpac.me/results/9eab59ec-9d2b-4366-809a-181d9c04e10b/
SH256 hash:
d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624
MD5 hash:
2fa08190c3a0040e0baab5e8034b6249
SHA1 hash:
ff4d6b8a60d05baf0e56bee729b5da6bb2ccf55f
Link:
https://www.unpac.me/results/9eab59ec-9d2b-4366-809a-181d9c04e10b/
Malware family:
CyberGate
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d92a606bedfa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CyberGate
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:win_cybergate_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_cybergate_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/350281/

Comments