berbew

General

Target

virus.exe
Size

12.1MB
Sample

240919-htaddswfrq
MD5

25dd8518d2e82a3499e4debd50a32b8e
SHA1

41e478e694d757bffe72620b3d38ecb4fd9371ff
SHA256

7352c2f8c31df74fb2c70b7ce7d6bb9969bce5fe898c004981309bdea3ebbac2
SHA512

8965b0f8dc8480de97b7064802cefa24690f21b9452c348b478cdb0d1e49658aec9511a4fe502dfb97f919e603ec981cf1fcce7c899d4ca6a16ba40e5551d988
SSDEEP

393216:SGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:NYQZ2YwUlJn1QtIm28IKzo

Score

11^/10

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

- Target
  
  virus.exe
- Size
  
  12.1MB
- MD5
  
  25dd8518d2e82a3499e4debd50a32b8e
- SHA1
  
  41e478e694d757bffe72620b3d38ecb4fd9371ff
- SHA256
  
  7352c2f8c31df74fb2c70b7ce7d6bb9969bce5fe898c004981309bdea3ebbac2
- SHA512
  
  8965b0f8dc8480de97b7064802cefa24690f21b9452c348b478cdb0d1e49658aec9511a4fe502dfb97f919e603ec981cf1fcce7c899d4ca6a16ba40e5551d988
- SSDEEP
  
  393216:SGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:NYQZ2YwUlJn1QtIm28IKzo
Score

10^/10

berbew blackmoon cobaltstrike modiloader mydoom sality backdoor banker discovery evasion execution persistence trojan upx worm
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Detect Blackmoon payload
- Detects MyDoom family
- Disables service(s)
  evasion execution
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Legitimate hosting services abused for malware hosting/C2
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1