MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CyberGate


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
SHA3-384 hash: 9eea2fd4c3ab3bf35b7b31ac0f056c3d57042763156f9d8291c34be019f15e3349350bce103d1c9112084977eff4b8f4
SHA1 hash: fb4f4e4b0eaff109dec0d9252c8c48bec5fa21e6
MD5 hash: 115d0d214d2c65e15c6e51c52c136b33
humanhash: grey-nineteen-social-edward
File name:f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
Download: download sample
Signature CyberGate
Create hunting rule
File size:321'536 bytes
First seen:2021-02-28 07:06:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 79748f063183d44f13cedb94bf077556 (1 x CyberGate)
ssdeep 6144:AL5/iXLaBC7htCmGXmg7h2Y24tUkT7tZNVKoPAVVhZsYDZa5Y3:ALAZhtCmGT4XI37HhAvhZsY9B
Threatray 22 similar samples on MalwareBazaar
TLSH 896412526BFDA616E2823F324773A3E11D1BFD114F22649A60413A768D33DC2CEA3935
Reporter JAMESWT_WT
Tags:CyberGate

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
Verdict:
Malicious activity
Analysis date:
2021-02-28 09:25:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/878daf54-582e-4ab8-b4dd-e224977b45f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CyberGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119764/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Replacing files
DNS request
Delayed writing of the file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CyberGate
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621214
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Potential malicious icon found
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected CyberGate RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359599 Sample: Poou77MwtP Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 49 Potential malicious icon found 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 6 other signatures 2->55 9 Poou77MwtP.exe 2->9         started        process3 signatures4 57 Detected unpacking (changes PE section rights) 9->57 59 Detected unpacking (overwrites its own PE header) 9->59 61 Contains functionality to inject threads in other processes 9->61 63 2 other signatures 9->63 12 Poou77MwtP.exe 3 5 9->12         started        process5 file6 35 C:\Windows\SysWOW64\install\Winupdate.exe, PE32 12->35 dropped 37 C:\Windows\...\Winupdate.exe:Zone.Identifier, ASCII 12->37 dropped 71 Creates an undocumented autostart registry key 12->71 73 Writes to foreign memory regions 12->73 75 Allocates memory in foreign processes 12->75 77 Injects a PE file into a foreign processes 12->77 16 Winupdate.exe 12->16         started        19 Poou77MwtP.exe 3 4 12->19         started        21 iexplore.exe 12->21         started        signatures7 process8 signatures9 41 Antivirus detection for dropped file 16->41 43 Multi AV Scanner detection for dropped file 16->43 45 Detected unpacking (changes PE section rights) 16->45 47 6 other signatures 16->47 23 Winupdate.exe 8 16->23         started        25 Winupdate.exe 19->25         started        process10 signatures11 28 WerFault.exe 23 9 23->28         started        65 Drops executables to the windows directory (C:\Windows) and starts them 25->65 67 Sample uses process hollowing technique 25->67 69 Injects a PE file into a foreign processes 25->69 31 svchost.exe 1 25->31         started        33 Winupdate.exe 25->33         started        process12 file13 39 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 28->39 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305/
Threat name:
Win32.Packed.Napolar
Create hunting rule
Status:
Malicious
First seen:
2012-01-16 13:55:00 UTC
AV detection:
17 of 25 (68.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6giz5n67qedupq7ll63ostu5m6mb3h2wajrpeetawxf6qx4vamcq._file
Verdict:
malicious
Similar samples:
3ba8a562f78af7776675f128f12777144fc3c73a471d8efb1950728179bb72d9
CyberGate
3eba0dc8845aed9cb930bab85515af193da93dffff8a2def181c92999b7afeb8
CyberGate
5b3bb026ad01ea693afc1e8c7669fd478258ee335bee9baff31a8edf691b8b4c
CyberGate
8c0ad323d189a9eac013425b57059204c026454d49a4a35d545e013d9d99b756
CyberGate
ae7bf3a82ad6c39368d217f27e26739d757d5f09e70ba3fa8d65e6e2171d0ab7
CyberGate
b363f4b3709b0bd3a60379fac80fd5d3fd67d3da7abe99044d6336e807642211
CyberGate
b64c40843b011d715c431b761680e8565383ac702f5ed80492fb30bd6aa33929
CyberGate
d40b7d79822917e150fd3975a74e643c736bf55fb7173df40494f8afab138da0
CyberGate
d6260dfe90cbc3e03a188d9e1128d14b3b17b851fb7f13da97ae67ffc50e35ec
CyberGate
e5293306e26acee08b59796c2a80b2e9e36f4ec027016a908b4beb24f83bd8e7
CyberGate
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210228-74x3ty8b7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Unpacked files
SH256 hash:
9c4979eeb3b37c074bb960382a24610344dc0520e42e1283681acc087c0c4e6c
MD5 hash:
1268ff8f3a5a4b63e87d93e26712bf9c
SHA1 hash:
388f0d1faa03328fed1e5ad475704dc8062686eb
Link:
https://www.unpac.me/results/047abf46-c60b-428a-80c5-424b9211486f/
Parent samples :
3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec
SH256 hash:
dd25c682416c42f88113126104ab6f33e6b8ebd35792d0fb5cad40a2737f87f7
MD5 hash:
74580843292d27d262fd9002912fa035
SHA1 hash:
a82f7078aefad768e59be1ed5b91209f1c5ee2ea
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/047abf46-c60b-428a-80c5-424b9211486f/
Parent samples :
8c0ad323d189a9eac013425b57059204c026454d49a4a35d545e013d9d99b756
f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
be404ffc5c363f80e7099a43a46c1ccd39f8593c660fd947bd8898ab44dd9731
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
c9438b713777ed2c8a044560495e0a07e7c7ad74e74e51fa736fa7cad0127ca4
d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624
10214ec31eefe2eabd38262e9a404f781949bd09ff3831ffd3a9d9f9c8a277eb
3a201be90785dfd13998a866d6fa8a34c36b19c2a8b4edc784cd99760697ce33
8853434d42ddc17ae2ca12627546b9fa02baf6da6678ede0dc7db3979f85fd50
1026aebee8871b8d77864082815791dfb28c28c0c234fb12b068c9aeae13feec
SH256 hash:
b82882a3baf2742625e2ad256c60d1d68ff2b63d2acad40a62f960a182c86743
MD5 hash:
8f91e25ac187596aff5865fc4379fcd4
SHA1 hash:
175e8813c4b8e5b5374fae926beb71b7359a4eac
Detections:
win_cybergate_w0
Create hunting rule
win_cybergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/047abf46-c60b-428a-80c5-424b9211486f/
SH256 hash:
f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305
MD5 hash:
115d0d214d2c65e15c6e51c52c136b33
SHA1 hash:
fb4f4e4b0eaff109dec0d9252c8c48bec5fa21e6
Link:
https://www.unpac.me/results/047abf46-c60b-428a-80c5-424b9211486f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Napolar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1919eb7df810747c3eb5fb6e94e9d67981d9f560262f21260b5cbe85f950305

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox product IDs
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_CyberGate
Create hunting rule
Author:ditekSHen
Description:Detects CyberGate/Spyrat/Rebhip RTA
Rule name:RAT_CyberGate
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects CyberGate RAT
Reference:http://malwareconfig.com/stats/CyberGate
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:upx_packed
Create hunting rule
Description:UPX packed file
Rule name:VMware_detection_bin_mem
Create hunting rule
Author:James_inthe_box
Description:VMWare detection
Rule name:win_cybergate_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_cybergate_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119764/

Comments