berbew

General

Target

69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591
Size

10.2MB
Sample

240919-hqn3dawcqf
MD5

cb15c5a967ef9f97520336419ba91964
SHA1

7fc921d591e357108c64da40f8646841517cbc91
SHA256

69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591
SHA512

f692a0f845a2be87ae06b8bce8553c9b8061f9e9e2a9a60bca5ff603f11d4a09edf16c3023a717878ca4d528e586c192aa669f5cb7f21a4e301fe23382b16a62
SSDEEP

196608:zJxxbGXkwODPzMsVerPYVnN/SMFm0ICteEroXxRzlxZV3Gu5D4S26cSEqCS3JUl5:jxZgPYVnNSMhInEroX714S2IlpUlNWax

Score

10^/10

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

Targets

- Target
  
  69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591
- Size
  
  10.2MB
- MD5
  
  cb15c5a967ef9f97520336419ba91964
- SHA1
  
  7fc921d591e357108c64da40f8646841517cbc91
- SHA256
  
  69ea9eb202c6d0c1577cc202864fb1d1a8981291efeab3ad1d32a5379dc84591
- SHA512
  
  f692a0f845a2be87ae06b8bce8553c9b8061f9e9e2a9a60bca5ff603f11d4a09edf16c3023a717878ca4d528e586c192aa669f5cb7f21a4e301fe23382b16a62
- SSDEEP
  
  196608:zJxxbGXkwODPzMsVerPYVnN/SMFm0ICteEroXxRzlxZV3Gu5D4S26cSEqCS3JUl5:jxZgPYVnNSMhInEroX714S2IlpUlNWax
Score

10^/10

berbew cobaltstrike mydoom quasar aspackv2 backdoor discovery evasion execution macro persistence pyinstaller ransomware spyware trojan upx worm xlm
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Detects MyDoom family
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables cmd.exe use via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2