5e9e2b5e0c77a67e686861df67637481c28b008967e6e5fe06e3ba105658bd3e

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.16b36abdb738e30e26cb7e535639df50.exe
Size

2.9MB
MD5

16b36abdb738e30e26cb7e535639df50
SHA1

2e3e3747f058f7735f8de6256a84a08f77911126
SHA256

5e9e2b5e0c77a67e686861df67637481c28b008967e6e5fe06e3ba105658bd3e
SHA512

4a447da7e5a9bc50ab243268c7853a73a6a03ab8104a740d97ad2c1a60a7164094025e00e44d820242af1c19b79c9558ba12a2716c6250aa20a8f0495375cdf3
SSDEEP

49152:KvjM4yETTDQg3SggQERTbExL5ISJSK6naPsD0gKQhYhgQbExL5Imn2hi:Kg4VnQgSQERTQQSJSKPF7WSQQmn2hi

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x000e00000000e647-4.dat	family_berbew
behavioral1/files/0x000e00000000e647-8.dat	family_berbew

Executes dropped EXE 1 IoCs

pid	Process
2308	NEAS.16b36abdb738e30e26cb7e535639df50.exe

Loads dropped DLL 1 IoCs

pid	Process
852	NEAS.16b36abdb738e30e26cb7e535639df50.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
852	NEAS.16b36abdb738e30e26cb7e535639df50.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2308	852	NEAS.16b36abdb738e30e26cb7e535639df50.exe	29
PID 852 wrote to memory of 2308	852	NEAS.16b36abdb738e30e26cb7e535639df50.exe	29
PID 852 wrote to memory of 2308	852	NEAS.16b36abdb738e30e26cb7e535639df50.exe	29
PID 852 wrote to memory of 2308	852	NEAS.16b36abdb738e30e26cb7e535639df50.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.16b36abdb738e30e26cb7e535639df50.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.16b36abdb738e30e26cb7e535639df50.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\NEAS.16b36abdb738e30e26cb7e535639df50.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.16b36abdb738e30e26cb7e535639df50.exe
  2⤵
  - Executes dropped EXE
  PID:2308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.16b36abdb738e30e26cb7e535639df50.exe

Filesize
2.9MB

MD5
f6ae0fe52f5429b2188a3edd514ce59e

SHA1
c6ed75f3c26879127d9d599854f55d718da5968b

SHA256
47ecc996c3936003b8914442d17afc805af91638b6d355ed855950f801d4bab6

SHA512
d14cdec521d13a0458fa436b72235ced827ba51915afff230c3bc6596300fab9799625d37928b2f25f9c8bc216b8a80d108f5b69e6fc3e5063fe0d94b61fc278

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.16b36abdb738e30e26cb7e535639df50.exe

Filesize
2.9MB

MD5
f6ae0fe52f5429b2188a3edd514ce59e

SHA1
c6ed75f3c26879127d9d599854f55d718da5968b

SHA256
47ecc996c3936003b8914442d17afc805af91638b6d355ed855950f801d4bab6

SHA512
d14cdec521d13a0458fa436b72235ced827ba51915afff230c3bc6596300fab9799625d37928b2f25f9c8bc216b8a80d108f5b69e6fc3e5063fe0d94b61fc278

Download Submit
memory/852-0-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/852-7-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2308-9-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download