berbew | 94bd1fa65b9ee3fe4be830326ebcd918609ee260797391d1af8aa4ac470cce3f | Triage

Sharing

General

Target

DoomRat.exe
Size

12.1MB
Sample

240920-v45nhayflp
MD5

b6f21ecc31778ba2362958d1e5091759
SHA1

613dbf4e682fe14b8617908113fc5c7ba05de16a
SHA256

94bd1fa65b9ee3fe4be830326ebcd918609ee260797391d1af8aa4ac470cce3f
SHA512

d5d842d520fa1a5a768b62e3d4945f7aa49aa3079c78843cc70eb2e87515dc228cd8bda2ecbe70d1cdb8a94630687cefe587ee6dfac93685cd9e17473040ac4d
SSDEEP

393216:HGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:KYQZ2YwUlJn1QtIm28IKzo

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

Targets

- Target
  
  DoomRat.exe
- Size
  
  12.1MB
- MD5
  
  b6f21ecc31778ba2362958d1e5091759
- SHA1
  
  613dbf4e682fe14b8617908113fc5c7ba05de16a
- SHA256
  
  94bd1fa65b9ee3fe4be830326ebcd918609ee260797391d1af8aa4ac470cce3f
- SHA512
  
  d5d842d520fa1a5a768b62e3d4945f7aa49aa3079c78843cc70eb2e87515dc228cd8bda2ecbe70d1cdb8a94630687cefe587ee6dfac93685cd9e17473040ac4d
- SSDEEP
  
  393216:HGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:KYQZ2YwUlJn1QtIm28IKzo
Score

10^/10

berbew backdoor discovery persistence
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstalleradware antivm apt backdoor banker bootkit botnet clipper collection crypter discovery downloader dropper evasion exploit exploiter fakeav ics infostealer keylogger loader maldoc miner overlay persistence ransomware rat rootkit spam spreader spyware stealer trojan wiper worm doom pc fuckerdoomrat

behavioral1

behavioral2

berbewbackdoordiscoverypersistence