Overview

overview

10

Static

static

3

x.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    x.exe

  • Size

    11.6MB

  • Sample

    241004-rz5k6azbkq

  • MD5

    db34e85e25da2e5b3b8ff777bbb68e4c

  • SHA1

    7c0e50f60c6470e0b8b6bedd89e4fe7f85df52cf

  • SHA256

    9382ff9b4e5ed4b170c306526dad14d4b3fc8d2f0e0c3f7febd6fa3e9d797adf

  • SHA512

    35053bb9f51f7f9f166e3f41cedd663e6a7733cb78f9236282177d8b9d986239c26fca5db9a5a95c0cbf05bfdd78769f63dc698a2e05cde52f3dc7197b51170e

  • SSDEEP

    196608:/B7v86gV1rbQQOOl2szsHFUK2r7UyTAdQmR8dA6lM8Qnf2ODjMnGydScSEPVrBO8:tWV9hZ2YsHFUK2JAdQJlsF3MnG3tOVr5

Score
10/10
ardamaxberbewblackmoonfloxifbackdoorbankerevasionexecutionkeyloggerpyinstallerstealertrojanupx

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Targets

    • Target

      x.exe

    • Size

      11.6MB

    • MD5

      db34e85e25da2e5b3b8ff777bbb68e4c

    • SHA1

      7c0e50f60c6470e0b8b6bedd89e4fe7f85df52cf

    • SHA256

      9382ff9b4e5ed4b170c306526dad14d4b3fc8d2f0e0c3f7febd6fa3e9d797adf

    • SHA512

      35053bb9f51f7f9f166e3f41cedd663e6a7733cb78f9236282177d8b9d986239c26fca5db9a5a95c0cbf05bfdd78769f63dc698a2e05cde52f3dc7197b51170e

    • SSDEEP

      196608:/B7v86gV1rbQQOOl2szsHFUK2r7UyTAdQmR8dA6lM8Qnf2ODjMnGydScSEPVrBO8:tWV9hZ2YsHFUK2JAdQJlsF3MnG3tOVr5

    Score
    10/10
    ardamaxberbewblackmoonfloxifbackdoorbankerevasionexecutionkeyloggerstealertrojanupx

    • Ardamax

      A keylogger first seen in 2013.

      keyloggerstealerardamax

    • Ardamax main executable

    • Berbew

      Berbew is a backdoor written in C++.

      backdoorberbew

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Disables service(s)

      evasionexecution

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

      backdoortrojanfloxif

    • Detects Floxif payload

      backdoor

    • Stops running service(s)

      evasionexecution

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks