berbew | 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6 | Triage

Sharing

General

Target

640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6
Size

163KB
Sample

240929-12ks7ssepm
MD5

fff21188df38bcfa7ba086276686f3c0
SHA1

b457fead8fc70b141b5e9ddfabdd5af31575d8d6
SHA256

640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6
SHA512

4aa786c382e77f50a78ee883eab93e0ec13f2416974b7d6cc23dca33bbd4cf4997816cb6f109aad8fe4e7c571a00e3b31d82c624ba300420f3c6caf58eea8676
SSDEEP

1536:PapKLqx3N0vbZH6Th/W20/jyPelProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:ypKL9voTh/WL/uPeltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Targets

- Target
  
  640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6
- Size
  
  163KB
- MD5
  
  fff21188df38bcfa7ba086276686f3c0
- SHA1
  
  b457fead8fc70b141b5e9ddfabdd5af31575d8d6
- SHA256
  
  640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6
- SHA512
  
  4aa786c382e77f50a78ee883eab93e0ec13f2416974b7d6cc23dca33bbd4cf4997816cb6f109aad8fe4e7c571a00e3b31d82c624ba300420f3c6caf58eea8676
- SSDEEP
  
  1536:PapKLqx3N0vbZH6Th/W20/jyPelProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:ypKL9voTh/WL/uPeltOrWKDBr+yJb
Score

10^/10

berbew backdoor discovery persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

berbewbackdoordiscoverypersistence

behavioral2

berbewgozibackdoorbankerdiscoveryisfbpersistencetrojan