Overview

overview

10

Static

static

10

7c6898621c...2N.exe

windows7-x64

10

7c6898621c...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe

  • Size

    337KB

  • MD5

    f66e261f76163fa2f968bb45871f4f10

  • SHA1

    ac9f2de1313582c3e6bbc3c969e4e1289e7fcde7

  • SHA256

    7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042

  • SHA512

    543faa2d60cdd608bdea74222b317618af1e9747be8eec70ea7e548bc4c16393119a8c80cbc4cfd6198be33a208e824ed58fa7c00c13d02f0802bf374d515480

  • SSDEEP

    3072:tjZ8BfB3KgGw1bZ93HMHHgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:BZ8B53KgGw1bZZAH1+fIyG5jZkCwi8r

Score
10/10
berbewnjratbackdoordiscoverypersistencetrojan

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 12 IoCs
  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe
    "C:\Users\Admin\AppData\Local\Temp\7c6898621cfda5dac67e32621da0e4d578219ae0a3bb3e2894c3c87b1a3ae042N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\Jedgnjon.exe
      C:\Windows\system32\Jedgnjon.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:324
      • C:\Windows\SysWOW64\Jmplbl32.exe
        C:\Windows\system32\Jmplbl32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Windows\SysWOW64\Jfhpkbbj.exe
          C:\Windows\system32\Jfhpkbbj.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\SysWOW64\Jppedg32.exe
            C:\Windows\system32\Jppedg32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2840
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 140
              6⤵
              • Loads dropped DLL
              • Program crash
              PID:2988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Jedgnjon.exe
    Filesize

    337KB

    MD5

    0a559e3609db881b7768f14ea143970c

    SHA1

    8483d496e2fb967b5a2ae5f84f6354ddd1cd6218

    SHA256

    f7951ada86c1e7b6c32e200e49bf5f472ec27c049900f865a51d3e8c80bdd19a

    SHA512

    c133c0df44b8d3724c6ec466d28f9bb45a31e5a0ced2a29eef7fd7a34efac583810fe1a764fd497220f253291c67c13266e9fcd867ceef95d5cac5b5c4dddd04

    Download Submit

  • \Windows\SysWOW64\Jfhpkbbj.exe
    Filesize

    337KB

    MD5

    f5cbb553486b4f9a11f29436fc66f5fd

    SHA1

    04c02fcd54bbc1d87ceb27d4c98de0c744864eb2

    SHA256

    cf4b1308ff40f0b4462da06acd3cd4d26bc31b23d6c1e383e0d346ba6d295b67

    SHA512

    5d96cc26750095130a5ddbe841aecee31c96367c3af80779a3d8ee824d060e09607a5c53b0f82c4320d6a4797a34a49011c1306a5ba460f4d2a9bf8a32161dd2

    Download Submit

  • \Windows\SysWOW64\Jmplbl32.exe
    Filesize

    337KB

    MD5

    c23081126750f8f3a78afe014bacfd49

    SHA1

    510b4d38f3909e008408ec8773ad79aca23cd306

    SHA256

    236a1a7d8632f467fc2c48c8d809c59e3d4ddec12d9fcc4026ba3f16fa041d63

    SHA512

    219f18a5b837f7b81fbcdce697534c6d10b25939269e57faa3ff5282c8eeccc772a12da4bc33fbdf0db3f8de2e8ae73f315b4ac166b3505ba13ad6f9500ffdb4

    Download Submit

  • \Windows\SysWOW64\Jppedg32.exe
    Filesize

    337KB

    MD5

    f388483a2e11abce9cf412601c264177

    SHA1

    5a486046845ad740806ea76dd1bb3a1ece5dd685

    SHA256

    2a5796372f1f43735b4d4ff62ee8c6c880a3b1f66ab691e71f24b2b2466edc59

    SHA512

    5785dce639b68ab082dac4029cf6cf7dc300f892a4b61644862058fc875356c012f70d91366a120236d15ae4044b59fab824016216dacfbc92fcc6583e917988

    Download Submit

  • memory/324-14-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/324-62-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/324-22-0x00000000002D0000-0x0000000000303000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1296-41-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1296-28-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1296-63-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2028-42-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2028-49-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2028-64-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2840-56-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2904-11-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2904-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2904-61-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2904-13-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download