berbew

General

Target

fa17bf64d800d3af2abbd959a45ece4d0e4c6c7831b9e148f41bca3aab424491
Size

12.1MB
Sample

240918-ybm5jazeql
MD5

61aa26439a0e4cbd13d4f531e58eac20
SHA1

d685cd48ce1e81ae574a3467628341140354573e
SHA256

fa17bf64d800d3af2abbd959a45ece4d0e4c6c7831b9e148f41bca3aab424491
SHA512

d7eaf0e99464987490ee1d97bcc532b18673054aacc706a74f180a47be0faf29065491d3d61818ad0fc49cbce3b6a8fb2ec77b55e682ef7b5b3caaab3dd30506
SSDEEP

393216:zGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:mYQZ2YwUlJn1QtIm28IKzo

Score

10^/10

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

emotet

Botnet

Epoch3

C2

60.125.114.64:443

91.121.200.35:8080

159.203.16.11:8080

188.226.165.170:8080

36.91.44.183:80

5.12.246.155:80

172.193.79.237:80

190.180.65.104:80

46.32.229.152:8080

58.27.215.3:8080

75.127.14.170:8080

198.20.228.9:8080

37.205.9.252:7080

120.51.34.254:80

41.185.29.128:8080

172.105.78.244:8080

175.103.38.146:80

190.164.135.81:80

183.91.3.63:80

109.13.179.195:80

rsa_pubkey.plain

Extracted

Family

cobaltstrike

C2

http://192.168.180.12:7810/vN3f

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)

Targets

- Target
  
  fa17bf64d800d3af2abbd959a45ece4d0e4c6c7831b9e148f41bca3aab424491
- Size
  
  12.1MB
- MD5
  
  61aa26439a0e4cbd13d4f531e58eac20
- SHA1
  
  d685cd48ce1e81ae574a3467628341140354573e
- SHA256
  
  fa17bf64d800d3af2abbd959a45ece4d0e4c6c7831b9e148f41bca3aab424491
- SHA512
  
  d7eaf0e99464987490ee1d97bcc532b18673054aacc706a74f180a47be0faf29065491d3d61818ad0fc49cbce3b6a8fb2ec77b55e682ef7b5b3caaab3dd30506
- SSDEEP
  
  393216:zGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:mYQZ2YwUlJn1QtIm28IKzo
Score

10^/10

berbew blackmoon cobaltstrike emotet mydoom neshta epoch3 backdoor banker defense_evasion discovery evasion execution persistence spyware trojan upx worm
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Detect Blackmoon payload
- Detect Neshta payload
- Detects MyDoom family
- Disables service(s)
  evasion execution
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Emotet payload
  Detects Emotet payload in memory.
  trojan banker
- Modifies Windows Firewall
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
behavioral1 behavioral2