
Backdoor.Cyberat

By Domesticus in Backdoors

Threat Scorecard

Threat Level: 50 % (Medium)
Infected Computers: 1
First Seen: September 27, 2013
Last Seen: May 10, 2022
OS(es) Affected: Windows

Backdoor.Cyberat is a backdoor Trojan that steals information and opens a back door on the compromised PC. Once run, Backdoor.Cyberat creates the files listed under File System Details below and adds the registry entries listed under Registry Details, including a Run entry that loads it automatically whenever the computer user starts Windows. Backdoor.Cyberat then connects to the remote location listed under URLs. Once connected, Backdoor.Cyberat may carry out damaging activities, enabling a cybercriminal to:

- view and modify the attributes of files, and view and edit registry entries on the attacked PC
- capture audio and video using the webcam
- show messages on the targeted computer
- download and run other malware infections
- run commands
- grab and control clipboard data, and gather information on installed applications and Windows services
- collect information from the affected computer such as the OS, installed firewall or anti-virus software, CPU, RAM, and location
- collect network statistics and create connections
- list running processes
- log keystrokes
- open a website with the default web browser
- open and close the optical drive

File System Details

Backdoor.Cyberat creates the following file(s):
# File Name Detections
1. %SystemDrive%/[RANDOM CHARACTERS]/[RANDOM CHARACTERS].exe N/A
2. %Temp%/[RANDOM CHARACTERS].exe N/A
3. %Temp%/[CURRENT USER NAME]7 N/A
4. %Temp%/f.txt N/A
5. %Temp%/ns.txt N/A
6. %Temp%/[CURRENT USER NAME]8 N/A

Registry Details

Backdoor.Cyberat creates the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\TEST\"FirstExecution" = "[DAY/MONTH/YEAR] -- [HOURS:MINUTES]"
HKEY_CURRENT_USER\Software\TEST\"NewGroup" = ""
HKEY_CURRENT_USER\Software\TEST\"NewIdentification" = "TEST"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM CHARACTERS]"= "%Temp%/[RANDOM CHARACTERS].exe"
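The file and registry artifacts above are the indicators a responder would check for on a suspect host. The following PowerShell script is an added example, not part of this threat entry and not code from any vendor; it looks for the HKCU\Software\TEST values, any policies\Explorer\Run value whose command points into %Temp%, and the fixed-name files under %Temp%. The function name Get-CyberatArtifacts is an assumption, and because the entry gives only random names for the executables, every .exe directly under %Temp% is surfaced with its SHA-256 for review rather than flagged as malicious. The %SystemDrive%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe path cannot be searched without a name and is not covered.

```powershell
# Added example (not from the threat entry): enumerate the Backdoor.Cyberat
# artifacts listed above on the local host and return them as objects.
# Assumptions: run in a PowerShell session as the user being checked
# (%Temp% and [CURRENT USER NAME] resolve from that user's environment);
# no elevation is needed to read the HKLM policies\Explorer\Run key.

function Get-CyberatArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    $temp = $env:TEMP
    $user = $env:USERNAME
    # Properties that Get-ItemProperty adds to every result; not registry values.
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Values the entry lists under HKCU\Software\TEST
    $testKey = 'HKCU:\Software\TEST'
    if (Test-Path -LiteralPath $testKey) {
        $props = Get-ItemProperty -LiteralPath $testKey
        foreach ($name in 'FirstExecution', 'NewGroup', 'NewIdentification') {
            if ($null -ne $props.PSObject.Properties[$name]) {
                $findings.Add([pscustomobject]@{
                    Type = 'Registry'; Location = "$testKey\$name"; Value = $props.$name })
            }
        }
    }

    # 2. Persistence: any policies\Explorer\Run value whose command resolves into %Temp%
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    if (Test-Path -LiteralPath $runKey) {
        $props = Get-ItemProperty -LiteralPath $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            # Forward slashes as written in the entry are normalised before comparing.
            $cmd = $cmd.Replace('/', '\')
            if ($cmd.StartsWith($temp, [StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add([pscustomobject]@{
                    Type = 'Registry'; Location = "$runKey\$($p.Name)"; Value = $p.Value })
            }
        }
    }

    # 3. Files with fixed names, plus the [CURRENT USER NAME]7 / [CURRENT USER NAME]8 pattern
    $fixedFiles = @("$temp\f.txt", "$temp\ns.txt", "$temp\${user}7", "$temp\${user}8")
    foreach ($f in $fixedFiles) {
        if (Test-Path -LiteralPath $f) {
            $findings.Add([pscustomobject]@{
                Type = 'File'; Location = $f; Value = (Get-Item -LiteralPath $f).Length })
        }
    }

    # 4. Executables directly under %Temp%: the entry gives only a random name, so these
    #    are reported for review with a SHA-256 that can be checked against an AV verdict.
    Get-ChildItem -LiteralPath $temp -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{
                Type = 'File (review)'; Location = $_.FullName; Value = $hash })
        }

    return $findings
}

$results = Get-CyberatArtifacts
if ($results.Count -eq 0) {
    Write-Host 'No Backdoor.Cyberat artifacts found for the current user.'
} else {
    $results | Format-Table -AutoSize
}
```

A hit on the HKCU\Software\TEST values or on a policies\Explorer\Run command inside %Temp% is a strong indicator and should trigger isolation and a full AV scan; a lone .exe in %Temp% is common on healthy systems, which is why that check only reports the hash for a reputation lookup instead of declaring an infection.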

URLs

Tip: We recommend blocking the domain names as well as the IP addresses associated with them.
The following URLs were found:

[http://]199.175.52.228/Panel/imag[REMOVED]
