Analysis

  • max time kernel
    94s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    04-10-2024 17:30

General

  • Target

    525bb1426b662cf4eb45bc2edc4b14880134eb94f7eab39f2d2bce9a3d1bcedcN.exe

  • Size

    337KB

  • MD5

    f4a9e5007dc614b051801e30b8826060

  • SHA1

    784664fcf26844ff52f333228b61ee22047969f6

  • SHA256

    525bb1426b662cf4eb45bc2edc4b14880134eb94f7eab39f2d2bce9a3d1bcedc

  • SHA512

    6934ac1e7073f707a9346654f48b8b74fc935c0948e75a6b6c5005de3ec30627cfd4c2d31ba8d502748bb0cf327ed1d36e41d8c58659ad89d29532041b269930

  • SSDEEP

    3072:zSrRNo/76aPG5gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:wR6xO51+fIyG5jZkCwi8r

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 7 IoCs
  • Drops file in System32 directory 21 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Modifies registry class 24 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\525bb1426b662cf4eb45bc2edc4b14880134eb94f7eab39f2d2bce9a3d1bcedcN.exe
    "C:\Users\Admin\AppData\Local\Temp\525bb1426b662cf4eb45bc2edc4b14880134eb94f7eab39f2d2bce9a3d1bcedcN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\SysWOW64\Ddakjkqi.exe
      C:\Windows\system32\Ddakjkqi.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\SysWOW64\Dogogcpo.exe
        C:\Windows\system32\Dogogcpo.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\SysWOW64\Daekdooc.exe
          C:\Windows\system32\Daekdooc.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Windows\SysWOW64\Dddhpjof.exe
            C:\Windows\system32\Dddhpjof.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1156
            • C:\Windows\SysWOW64\Dhocqigp.exe
              C:\Windows\system32\Dhocqigp.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3568
              • C:\Windows\SysWOW64\Doilmc32.exe
                C:\Windows\system32\Doilmc32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1488
                • C:\Windows\SysWOW64\Dmllipeg.exe
                  C:\Windows\system32\Dmllipeg.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2280
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 396
                    9⤵
                    • Program crash
                    PID:5080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2280 -ip 2280
    1⤵
      PID:2740

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\Daekdooc.exe

      Filesize

      337KB

      MD5

      19c88af5c705c507e8b7f34804b4be7c

      SHA1

      ee3ff20659c08588008cc736721d2b7c70d46331

      SHA256

      12f65115798831412294df3baa5dea970a5be4777ca13ab7ff55040cdd0df724

      SHA512

      14a32e5379a343c5a41f42f9e158d10df1405739e42c53c6c9758220b7416a2ca7ffd13a75905598a33b91f43f0718b6bfdf1c0f2b6dc74285e3653636f3a157

    • C:\Windows\SysWOW64\Ddakjkqi.exe

      Filesize

      337KB

      MD5

      a597adbc4bf3d561ec9e7bcdc78af00e

      SHA1

      9eaa3825459ed0165743dd54cbc12379b81edbb2

      SHA256

      19c34dbe955aca48f1e6f48698d1b111bd9b3016c71f92d56e65d580b5c69353

      SHA512

      e770e805710d18868f7b348f33abde105ba2117e597bf076a523e4b8cea1037c3ae62ab4538fb119c50c867fee50083afa7acade38c4a760d481007ec64c68f3

    • C:\Windows\SysWOW64\Dddhpjof.exe

      Filesize

      337KB

      MD5

      28ab3f81635a54ad8be16231cc6258df

      SHA1

      51fcaee1234a06e4593bab9b2b342226a1d9975d

      SHA256

      6608f2f237912dfe93896562d7e709ad7656d31b8d1b438c9a5f0a9d8632e613

      SHA512

      5f38f46f6b2aec831842ff8f8fd905d35dfa9261d5d68a2bf1e9642aeb204e88f2f2d52da8c1ee390e7e079d90025dfa63367525ef75645a92c5796df836c033

    • C:\Windows\SysWOW64\Dhocqigp.exe

      Filesize

      337KB

      MD5

      ac204b3cb96f02b859804cd616693157

      SHA1

      fce4ac325a1b7ddc41ca57c184153d646df64ac0

      SHA256

      99ef4a754f7ccb376012b48469a7c264acb375362f8e71380cb5cbf3c3cdcd02

      SHA512

      803929f5b4efe0f6190deb6bb903641a2e0457208f285b0be5f034e7286a2deb46f9fe94e4814956f94788ce757d98c98a3ee1632d52aad7debeb4d14523cd67

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      337KB

      MD5

      0f50121fde2bc6b826dfad2083e6cd0c

      SHA1

      6d11bd65b134b96bcf8a4c743c4133bee3470629

      SHA256

      a3a4928a6a04ac65863fe4416c306c18b22d108e4a140f0946d3ad4e71a637b2

      SHA512

      86bc941da9bf2ba0385fbbd95ebc62f0ad70612a1dc8e1900c62c0d25a136d7f5f251506ff42e38b6905c7d1dea4fb5e4d62c848c01fabfb627ec76600299cdc

    • C:\Windows\SysWOW64\Dogogcpo.exe

      Filesize

      337KB

      MD5

      8e4f44b78b03fe4e363517b71b45344b

      SHA1

      b478eaa642db0326f34f0619f0b2f2a220f74c2a

      SHA256

      cb84b8ba62fd241f428ff30738da2fe4235a6976a757ed4fbaac3fb9cc173614

      SHA512

      2466865266dbc2a52fd46a4bc7e1f71135ea9fa4e05652a74fde551b655cb80faeb67e84fb0cf615461c179991352e6fd8b664bc21abb8ddc7738f37a7fa622a

    • C:\Windows\SysWOW64\Doilmc32.exe

      Filesize

      337KB

      MD5

      7d710d438b8b57f2be704b58c67cb574

      SHA1

      a1f75c09e4bb0d3730132d49bab038f43ff85d26

      SHA256

      d000d029bdc5b72b9cdaca55e2e3159f318a2f1186c539719d7679b17994d52c

      SHA512

      6d332dec437ad3b56ed88275ca572b82242902f4780ffbe1c588c97ff9f1d84a3faa04c68faf152beae8a16cc0b1bb9c953526b31e3cc6d6de4fcd9a2cf943ee

    • memory/320-66-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/320-9-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1132-36-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1140-17-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1140-63-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1156-37-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1488-53-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/2280-57-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/3568-45-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/4748-0-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/4748-1-0x0000000000431000-0x0000000000432000-memory.dmp

      Filesize

      4KB

    • memory/4748-67-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB