berbew | 406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316

General

Target

406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Size

63KB
MD5

6e59036f41f09992e68fa4bf77ce5260
SHA1

fb5d86465b231c7a93fac5d4e8da8b97d5711a43
SHA256

406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316
SHA512

f20e29b4999a8294b4941d7af7cf897ca215a6ac384ed17457ca59a282e786cc8ea0a254a4eb6a26f9caee9234c8f3a3b0abdab25b89b5eb615c1dff70159a23
SSDEEP

768:f/9BgP+88cOrN6AgvrGDHji10NWooRYU6bRRhX+G4PMA9Ze/1H50NXdnhW7vXOh9:f/Qu1DHji6Wo5rb3pF4PMA9+2H4DX6fl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 2 IoCs

pid	Process
2704	Cilibi32.exe
2948	Cacacg32.exe

Loads dropped DLL 8 IoCs

pid	Process
2792	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
2792	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
2704	Cilibi32.exe
2704	Cilibi32.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cilibi32.exe	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	2948	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2704	2792	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe	30
PID 2792 wrote to memory of 2704	2792	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe	30
PID 2792 wrote to memory of 2704	2792	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe	30
PID 2792 wrote to memory of 2704	2792	406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe	30
PID 2704 wrote to memory of 2948	2704	Cilibi32.exe	31
PID 2704 wrote to memory of 2948	2704	Cilibi32.exe	31
PID 2704 wrote to memory of 2948	2704	Cilibi32.exe	31
PID 2704 wrote to memory of 2948	2704	Cilibi32.exe	31
PID 2948 wrote to memory of 2752	2948	Cacacg32.exe	32
PID 2948 wrote to memory of 2752	2948	Cacacg32.exe	32
PID 2948 wrote to memory of 2752	2948	Cacacg32.exe	32
PID 2948 wrote to memory of 2752	2948	Cacacg32.exe	32

C:\Users\Admin\AppData\Local\Temp\406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe
"C:\Users\Admin\AppData\Local\Temp\406f213018ad88a8495b0cc1e507e3ec74edb8766c9997626a06181596c24316N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\Cilibi32.exe
  C:\Windows\system32\Cilibi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\Cacacg32.exe
    C:\Windows\system32\Cacacg32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cacacg32.exe

Filesize
63KB

MD5
2fb9b408c810814778c10d33ccc0ee37

SHA1
652529de0d56908473d25b7735aa2f8860b79a65

SHA256
fc0d19576a102cfcc3a3c584ebf627bb7b1c971eb03df59ec730a69de4fa40fd

SHA512
ba9e0f2b895bd017d0ad5e26fa3994c0ca731f768dd7c9e33f36e710ac984df919a5fe33acd425d14aefb771cfe2ae8a381dbbf81039efa3e034965b140c7a2a

Download Submit
\Windows\SysWOW64\Cilibi32.exe

Filesize
63KB

MD5
04ed713b1767f5cb525c3bccd4783fdb

SHA1
b0c0b63f117bbdf052d717294fb233e1767ae09f

SHA256
92bfe84a010064139e971c43153beda45a3cb9e4137fa5e8abc33c29f605b2b0

SHA512
488c1008479dfceb12df2b756e8532a2f8a829653c79fd6a27665991d2d4050953f0f55dd3a2286adc282840151a97f4734dca56a3dadf5d0f1b0938f98f1e71

Download Submit
memory/2704-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-14-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2792-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2792-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads