YARAify Scan Results

Task Information

---

Task ID:	90365c4f-c411-11ee-89b0-42010aa4000b
File name:	400000.cssr.exe
Task parameters:	ClamAV scan:	True
	Unpack:	False
	Share file:	True

ClamAV Results

---

The file matched the following open source and commercial ClamAV rules.

Signature:	ditekSHen.MALWARE.Win.Trojan.CyberGate.UNOFFICIAL Alert Create hunting rule

Signature:	MiscreantPunch.SingleXOR.EXE.188.UNOFFICIAL Alert Create hunting rule

Signature:	SecuriteInfo.com.Win32.GenMalicious-CM.1024.UNOFFICIAL Alert Create hunting rule

Signature:	Win.Packed.Spynet-6841468-0 Alert Create hunting rule

Signature:	Win.Trojan.Agent-36200 Alert Create hunting rule

Signature:	Win.Trojan.Bifrose-7001005-0 Alert Create hunting rule

Signature:	Win.Trojan.Cybergate-5744895-0 Alert Create hunting rule

Signature:	Win.Trojan.Llac-7 Alert Create hunting rule

Signature:	Win.Worm.Explorerhijack-6999913-0 Alert Create hunting rule

Signature:	Win.Worm.Rebhip-9834633-0 Alert Create hunting rule

YARA Results

---

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:	BitcoinAddress Alert Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	Check_Dlls Alert Create hunting rule
TLP:	TLP:WHITE
Repository:

Rule name:	DebuggerCheck__API Alert Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxProductID Alert Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox product IDs
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	maldoc_find_kernel32_base_method_1 Alert Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)
TLP:	TLP:WHITE
Repository:

Rule name:	MALWARE_Win_CyberGate Alert Create hunting rule
Author:	ditekSHen
Description:	Detects CyberGate/Spyrat/Rebhip RTA
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	RAT_CyberGate Alert Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects CyberGate RAT
Reference:	http://malwareconfig.com/stats/CyberGate
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	SUSP_XORed_MSDOS_Stub_Message Alert Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	UPX20030XMarkusOberhumerLaszloMolnarJohnReiser Alert Create hunting rule
Author:	malware-lu
TLP:	TLP:WHITE
Repository:

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Alert Create hunting rule
Author:	malware-lu
TLP:	TLP:WHITE
Repository:

Rule name:	UPXv20MarkusLaszloReiser Alert Create hunting rule
Author:	malware-lu
TLP:	TLP:WHITE
Repository:

Rule name:	vmdetect Alert Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques
TLP:	TLP:WHITE
Repository:

Rule name:	win_cybergate_auto Alert Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	win_cybergate_w0 Alert Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
TLP:	TLP:WHITE
Repository:	Malpedia

Rule name:	Windows_Generic_Threat_073909cf Alert Create hunting rule
Author:	Elastic Security
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_CyberGate_517aac7d Alert Create hunting rule
Author:	Elastic Security
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_CyberGate_9996d800 Alert Create hunting rule
Author:	Elastic Security
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_CyberGate_c219a2f3 Alert Create hunting rule
Author:	Elastic Security
TLP:	TLP:WHITE
Repository:	elastic

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files

---

The following files could be unpacked from this sample.