d583844782618e08595c37caa482d5dab7868ee706fb741afa88cbd5a175fbc0

General

Target

NEAS.f95e320469226175f329582354c130a0.exe
Size

3.7MB
MD5

f95e320469226175f329582354c130a0
SHA1

4f36b94c084a04091d7a1182453d81ab8c7e8ad4
SHA256

d583844782618e08595c37caa482d5dab7868ee706fb741afa88cbd5a175fbc0
SHA512

58d89e8918b26ff8f8353f829a6123e3e4c384a5635ebd2679b7f6e614c1733c3b046896269f771acd0d462201b583d3eaca5ae27565139e7c185a4af8dfe6de
SSDEEP

98304:X4pYXtWHdmxQlhhQNNiujTiptKSl1g4kfGlsXFAXPYHYhQ:jumxQlhhQNNiujTiptKSl1g4kfGlsXF3

Score

10^/10

Malware Config

Signatures

Malware Backdoor - Berbew 5 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x0008000000012024-4.dat	family_berbew
behavioral1/files/0x0008000000012024-9.dat	family_berbew
behavioral1/files/0x0008000000012024-12.dat	family_berbew
behavioral1/files/0x0008000000012024-13.dat	family_berbew
behavioral1/files/0x0008000000012024-14.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
2888	NEAS.f95e320469226175f329582354c130a0.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	NEAS.f95e320469226175f329582354c130a0.exe

Loads dropped DLL 4 IoCs

pid	Process
2176	NEAS.f95e320469226175f329582354c130a0.exe
2272	WerFault.exe
2272	WerFault.exe
2272	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2272	2888	WerFault.exe	29

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2176	NEAS.f95e320469226175f329582354c130a0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2888	NEAS.f95e320469226175f329582354c130a0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2888	2176	NEAS.f95e320469226175f329582354c130a0.exe	29
PID 2176 wrote to memory of 2888	2176	NEAS.f95e320469226175f329582354c130a0.exe	29
PID 2176 wrote to memory of 2888	2176	NEAS.f95e320469226175f329582354c130a0.exe	29
PID 2176 wrote to memory of 2888	2176	NEAS.f95e320469226175f329582354c130a0.exe	29
PID 2888 wrote to memory of 2272	2888	NEAS.f95e320469226175f329582354c130a0.exe	30
PID 2888 wrote to memory of 2272	2888	NEAS.f95e320469226175f329582354c130a0.exe	30
PID 2888 wrote to memory of 2272	2888	NEAS.f95e320469226175f329582354c130a0.exe	30
PID 2888 wrote to memory of 2272	2888	NEAS.f95e320469226175f329582354c130a0.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.f95e320469226175f329582354c130a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f95e320469226175f329582354c130a0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\NEAS.f95e320469226175f329582354c130a0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.f95e320469226175f329582354c130a0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.f95e320469226175f329582354c130a0.exe

Filesize
3.7MB

MD5
7193fbcb39442da1391d5a32365038f4

SHA1
e1cfb9fecb8ba0457956358936f73188c32c889c

SHA256
3bf0dd0318a5def86d9a9b22f8e3a8d52c5a51a3cc1a84b020077f6cefcbb57c

SHA512
a94b9ef5a48bae539346faf7ecbb1bc3c375e12c38b78a5017a9e48c767d4c6a5a9c76406bf814b0279bd4b0a7c9f068ffabf1deaf88e4a0b556ba8782565ffd

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.f95e320469226175f329582354c130a0.exe

Filesize
3.7MB

MD5
7193fbcb39442da1391d5a32365038f4

SHA1
e1cfb9fecb8ba0457956358936f73188c32c889c

SHA256
3bf0dd0318a5def86d9a9b22f8e3a8d52c5a51a3cc1a84b020077f6cefcbb57c

SHA512
a94b9ef5a48bae539346faf7ecbb1bc3c375e12c38b78a5017a9e48c767d4c6a5a9c76406bf814b0279bd4b0a7c9f068ffabf1deaf88e4a0b556ba8782565ffd

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.f95e320469226175f329582354c130a0.exe

Filesize
3.7MB

MD5
7193fbcb39442da1391d5a32365038f4

SHA1
e1cfb9fecb8ba0457956358936f73188c32c889c

SHA256
3bf0dd0318a5def86d9a9b22f8e3a8d52c5a51a3cc1a84b020077f6cefcbb57c

SHA512
a94b9ef5a48bae539346faf7ecbb1bc3c375e12c38b78a5017a9e48c767d4c6a5a9c76406bf814b0279bd4b0a7c9f068ffabf1deaf88e4a0b556ba8782565ffd

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.f95e320469226175f329582354c130a0.exe

Filesize
3.7MB

MD5
7193fbcb39442da1391d5a32365038f4

SHA1
e1cfb9fecb8ba0457956358936f73188c32c889c

SHA256
3bf0dd0318a5def86d9a9b22f8e3a8d52c5a51a3cc1a84b020077f6cefcbb57c

SHA512
a94b9ef5a48bae539346faf7ecbb1bc3c375e12c38b78a5017a9e48c767d4c6a5a9c76406bf814b0279bd4b0a7c9f068ffabf1deaf88e4a0b556ba8782565ffd

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.f95e320469226175f329582354c130a0.exe

Filesize
3.7MB

MD5
7193fbcb39442da1391d5a32365038f4

SHA1
e1cfb9fecb8ba0457956358936f73188c32c889c

SHA256
3bf0dd0318a5def86d9a9b22f8e3a8d52c5a51a3cc1a84b020077f6cefcbb57c

SHA512
a94b9ef5a48bae539346faf7ecbb1bc3c375e12c38b78a5017a9e48c767d4c6a5a9c76406bf814b0279bd4b0a7c9f068ffabf1deaf88e4a0b556ba8782565ffd

Download Submit
memory/2176-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2176-6-0x0000000002D10000-0x0000000002DF8000-memory.dmp

Filesize
928KB

Download
memory/2176-8-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-11-0x0000000003060000-0x0000000003148000-memory.dmp

Filesize
928KB

Download
memory/2888-10-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-15-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing