berbew

Resubmissions

04-10-2024 16:42

241004-t7yhxsvdpl 7

04-10-2024 13:52

241004-q6ms9a1grh 10

Sharing

Copy URL

Twitter E-mail

General

Target

x.exe
Size

11.6MB
Sample

241004-q6ms9a1grh
MD5

98733c220cfed98220e1e4b8dc2c7e64
SHA1

352eea59919452194cc76127583a9f9316fa96e2
SHA256

d489ae08f26a92bb6ee3d01a8cf6b2ea9f31e07b2388bfce2980a407ef4e86e6
SHA512

82fa1ccaec6cc39f654716d5dceac721dbc22e1fd42a0bc84fcc673123f028cebd255e9d36f237f81595c28ec8bb1a365577d62b347a5ac3d8b0cf84e4a84d20
SSDEEP

196608:Xouv86gV1rbQQOOl2szsHFUK2r7UyTAdQmR8dA6lf8Qnf2ODjMnGydScSEPVrBO8:9WV9hZ2YsHFUK2JAdQJl1F3MnG3tOVr5

Malware Config

Extracted

Family

stealc

Botnet

default5_doz

http://62.204.41.159

Attributes

url_path
/edd20096ecef326d.php

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

Extracted

Family

lumma

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Extracted

Path

C:\directory\CyberGate\RECOVERtntdt.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/3FF69FFB60987C90 http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3FF69FFB60987C90 http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3FF69FFB60987C90 If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/3FF69FFB60987C90 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/3FF69FFB60987C90 http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3FF69FFB60987C90 http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3FF69FFB60987C90 Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/3FF69FFB60987C90 Your personal identification ID: 3FF69FFB60987C90

URLs

http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/3FF69FFB60987C90

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/3FF69FFB60987C90

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/3FF69FFB60987C90

http://k7tlx3ghr3m4n2tu.onion/3FF69FFB60987C90

Targets

- Target
  
  x.exe
- Size
  
  11.6MB
- MD5
  
  98733c220cfed98220e1e4b8dc2c7e64
- SHA1
  
  352eea59919452194cc76127583a9f9316fa96e2
- SHA256
  
  d489ae08f26a92bb6ee3d01a8cf6b2ea9f31e07b2388bfce2980a407ef4e86e6
- SHA512
  
  82fa1ccaec6cc39f654716d5dceac721dbc22e1fd42a0bc84fcc673123f028cebd255e9d36f237f81595c28ec8bb1a365577d62b347a5ac3d8b0cf84e4a84d20
- SSDEEP
  
  196608:Xouv86gV1rbQQOOl2szsHFUK2r7UyTAdQmR8dA6lf8Qnf2ODjMnGydScSEPVrBO8:9WV9hZ2YsHFUK2JAdQJl1F3MnG3tOVr5
Score

10^/10

berbew cobaltstrike darkcomet dcrat gh0strat lumma mimikatz mydoom neshta sality stealc urelas xmrig default5_doz backdoor defense_evasion discovery evasion execution impact infostealer miner persistence pyinstaller ransomware rat spyware stealer trojan upx worm
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Neshta payload
- Detects MyDoom family
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- UAC bypass
  evasion trojan
- Urelas
  Urelas is a trojan targeting card games.
  trojan urelas
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- XMRig Miner payload
  miner
- mimikatz is an open source tool to dump credentials on Windows
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1