MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CyberGate

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
SHA3-384 hash:	878feccdc556b45550208d3bdb624e9da06916a974d536c1eea3b67dc0864804a205373ce72b738944b8fb3f10a11936
SHA1 hash:	f572c64cff47a2280c98b3f9090657bdd5046335
MD5 hash:	ee102636cd3de2a1bfb6ac88543d4156
humanhash:	spring-alaska-cardinal-carbon
File name:	ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79
Download:	download sample
Signature	CyberGate Create hunting rule
File size:	1'028'798 bytes
First seen:	2020-06-16 09:30:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3274eb31a09f62e60543d12bd4fbf1e2 (3 x CoinMiner, 1 x DarkComet, 1 x CyberGate)
ssdeep	24576:NUn1IgJjbBtTXBLTLaXlZmfu68GGUEtsh7N1pbZ1:yIENLoZF68OXpt1
Threatray	989 similar samples on MalwareBazaar
TLSH	B02502A13DC780F1DDE70D308DA5D371A8287C35D6EDD40ABB953ADABA702A08611F5E
Reporter	JAMESWT_WT
Tags:	CyberGate

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

CyberGate

Link:

https://www.capesandbox.com/analysis/10703/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Spatet

Status:

Malicious

First seen:

2014-04-19 13:47:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5p6mg3rwsm57mrkjg7bgbijxbtj6zy5wpv5lx5tozhvu2kes3v4q._file

Verdict:

malicious

CyberGate

180e63e884c208203b6f222673df84b703a55db642fcbc97183a979fc01381b8

CyberGate

1e7645dc4a6c0905d8d8ab0674ea1e775f6d363f7294ae4d64837b21f93d6959

CyberGate

215efb4d72a987d380f71ce2cea15cb73c3084253026a2c80efd7a3c83ae5f9f

CyberGate

370fce30fb19905514c9e42d8cf687b95552261d2d5d47be8b273eca41cfb66f

CyberGate

95654631036f198ae09278641c978609781eee27cdff60dcfe05ba72b367eee7

CyberGate

d488a34718cf2db560dd4c62ccb5fac527cc192716c2d166a71f98abd384aba6

CyberGate

e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec

CyberGate

e4319ba20af83dd8ba6041fd70c3c27dc2c79c648de642487fc1a217e0549fc8

CyberGate

f06eba869afb58e91c7cabb96fdbe08480ab3a45f01ab2e2ac194c8c222bace0

CyberGate

+ 979 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence evasion trojan

Link:

https://tria.ge/reports/200624-s4mbr1yrzj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetThreadContext

Adds Run entry to start application

Checks whether UAC is enabled

Loads dropped DLL

UPX packed file

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_cybergate_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_cybergate_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/10703/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample