berbew | NEAS[.]50308f0e9b682e521196652a2b1787d0[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.50308f0e9b682e521196652a2b1787d0.exe
Size

528KB
MD5

50308f0e9b682e521196652a2b1787d0
SHA1

1e430b00b2626743d20272deb832d77f59f8ce8a
SHA256

0bf3076c4a32789dfb015aee5cf660d8fc40dadf06f5a20fcb955563df83893a
SHA512

c4402a5a076659006beae8563e0cc2bd2accef90ec6c790df60932b6685214637ccc7b394034d9a0ef0e5347c926428323a1bccbbe1eb97cf0b7fb23c88ffac3
SSDEEP

12288:rmWhND9yJz+b1FcMLmp2ATTSsdM8lhMmHyHD1AVkYDFIcEpSgicSvvVH:rmUNJyJqb1FcMap2ATT5O8lhMmHyHD1Q

Score

10^/10

persistence dropper trojan berbew

Malware Config

Signatures

Berbew family
berbew

Malware Backdoor - Berbew 1 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
sample	family_berbew

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
NEAS.50308f0e9b682e521196652a2b1787d0.exe

Files

NEAS.50308f0e9b682e521196652a2b1787d0.exe
.exe windows:5 windows x86

173abfa8f7d7adac2a90a2e42625b7d9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

wcsstr
_snwprintf
strstr
_snprintf
_except_handler3
memset
memcpy

shell32

ord680
SHGetFolderPathA

shlwapi

PathAddBackslashA
StrStrIA
PathFileExistsA
PathAppendA

ntdll

RtlAdjustPrivilege
RtlImageNtHeader
RtlCreateUserThread

kernel32

GetSystemTimeAsFileTime
GetModuleFileNameW
SetCurrentDirectoryA
MoveFileA
DeviceIoControl
ExitProcess
GlobalAddAtomA
GlobalFindAtomA
CopyFileA
GetCurrentProcessId
InterlockedDecrement
CreateFileW
GetVersionExA
FreeLibrary
IsDebuggerPresent
GetTickCount
GetVolumeInformationA
GetEnvironmentVariableA
GetModuleFileNameA
CreateFileA
SetFilePointer
MoveFileExA
lstrcpynA
SetEndOfFile
UnlockFile
LockFile
SetFileTime
WriteFile
IsBadWritePtr
ReadFile
GetFileSizeEx
GetLastError
SetFileAttributesA
GetTempFileNameA
GetFileTime
GetTempPathA
DeleteFileA
GetProcAddress
GetModuleHandleA
HeapAlloc
HeapFree
GetProcessHeap
HeapValidate
GetCurrentProcess
Sleep
FlushInstructionCache
VirtualAlloc
VirtualQuery
Process32First
VirtualFree
CreateRemoteThread
OpenProcess
CreateProcessA
Module32First
GetHandleInformation
VirtualAllocEx
LoadLibraryA
Process32Next
CreateToolhelp32Snapshot
Module32Next
CloseHandle
WriteProcessMemory
SwitchToThread
GetSystemWindowsDirectoryA

user32

FindWindowA
CharUpperA
PostMessageA

advapi32

RegCreateKeyExA
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegFlushKey
RegCloseKey
OpenProcessToken
GetTokenInformation
GetUserNameA

ole32

CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoInitializeEx

oleaut32

SysFreeString
SysAllocString
VariantClear
VariantInit

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 334KB - Virtual size: 348KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

173abfa8f7d7adac2a90a2e42625b7d9

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

shell32

shlwapi

ntdll

kernel32

user32

advapi32

ole32

oleaut32

Sections

.text Size: 11KB - Virtual size: 10KB

.rdata Size: 7KB - Virtual size: 6KB

.data Size: 334KB - Virtual size: 348KB

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 11KB - Virtual size: 10KB

.rdata
Size: 7KB - Virtual size: 6KB

.data
Size: 334KB - Virtual size: 348KB

.reloc
Size: 2KB - Virtual size: 2KB