General
- Target: 7502a56e6ccb479478fffebccc393b25
- Size: 745KB
- Sample: 240125-vb6ebsbhaq
- MD5: 7502a56e6ccb479478fffebccc393b25
- SHA1: 590ae6354a7032151c34374e9d840529c1127be6
- SHA256: 28d89d3ff77afd3b3b895bde76eb31e9c8eb0b31b0086be1b6e42b9d47a06573
- SHA512: ca109fcfa7f0db9d0bc66bc6ef5c49fbab8a864044832f341de382b9a7b3f9c5d353214c6f67d4b17f3487c5631ce4eb723241080f7bd160e55f89902fb4e566
- SSDEEP: 12288:S8/0K9CwahiCBRP948cfSI/jzM5itPr9YNa/ySwbZkJYE6qN0TkPIF16PrVy7j+w:S8/1C79Bd9LcfHQ8tGQhkZkeqN0ik6zg
Static task: static1
Behavioral task: behavioral1
- Sample: nt6 yukleyici.exe
- Resource: win7-20231215-en
Malware Config
Extracted
- cybergate
- 2.6
- kurbanlar
- masteryodax.hopto.org:81
- dangerlevel.zapto.org:81
- ***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: winrarr
- install_file: winra.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: ÞU ANDA KULLANMAKTA OLDUÐUNUZ XP ARTIK YASAL OLMUÞTUR.MASAÜSTÜNDEKÝ BÝLGÝSAYARIM ÝKONUNA SAÐ TIKLAYIP ÖZELLÝKLERE GÝRDÝÐÝNÝZDE 30 GÜNLÜK SÜRE KISMININ YOK OLDUÐUNU GÖREBÝLÝRSÝNÝZ.BÝZÝ KULLANDIÐINIZ VE MÝCROSOFTA PARA KAZANDIRMADIÐINIZ ÝÇÝN TEÞEKKÜRLER
- message_box_title: LEGAL WÝNDOWS XP ARTIK GÜNCELDÝR
- password: abcd1234
- regkey_hkcu: HKCU
Extracted
- latentbot
- dangerlevel.zapto.org
Targets
- Target: nt6 yukleyici.exe
- Size: 798KB
- MD5: 772ce69525c66971108aa830e22b121e
- SHA1: 51edeb4c73512adb45d9bbf3af91c915c739ed7d
- SHA256: 7bd8509f843d3c8ca7ac1c5ca424e1e6c24338a21c4f16320bd28c3a88b32e0d
- SHA512: bd68617e4a0328cd62521299eb10196bbc72727b289da811ac7a30f699bfbdaebd2021589a4a6be347e44d933325cfcd54ec710c63d720410d36ffab54820a6e
- SSDEEP: 12288:lLoyy90pfcQXCq8KWNpQhvYhNEvYDXUL13tFieXmsv1xtbJNSoUl0AZj:1yiCq8+Ez7MNtwuvvBJNSl
- Adds policy Run key to start application
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext