Analysis

  • max time kernel
    95s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-10-2024 04:34

General

  • Target

    f001d59cbc1231f77a20758b75686b38371f0147673dbab9d4c1183897841757.exe

  • Size

    337KB

  • MD5

    663a23f1b587b435f4317cd0c5daa02e

  • SHA1

    c73f7e40037e4f369c105ef1f2e9c01b2e8d2f75

  • SHA256

    f001d59cbc1231f77a20758b75686b38371f0147673dbab9d4c1183897841757

  • SHA512

    50fc657ec4760c67485ab05433592710f8050ca3f56ba2e236b0c2fe5815a385afaa4906c84ee1c6303fda6cf8d58eddf23d21afbf3ad69b9aef5b4134190179

  • SSDEEP

    3072:SmxE9z2Cdi3XgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:XxEwX1+fIyG5jZkCwi8r

Malware Config

Extracted

Family

berbew

C2
Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f001d59cbc1231f77a20758b75686b38371f0147673dbab9d4c1183897841757.exe
    "C:\Users\Admin\AppData\Local\Temp\f001d59cbc1231f77a20758b75686b38371f0147673dbab9d4c1183897841757.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Windows\SysWOW64\Daconoae.exe
      C:\Windows\system32\Daconoae.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:388
      • C:\Windows\SysWOW64\Dogogcpo.exe
        C:\Windows\system32\Dogogcpo.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4332
        • C:\Windows\SysWOW64\Dddhpjof.exe
          C:\Windows\system32\Dddhpjof.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3892
          • C:\Windows\SysWOW64\Dmllipeg.exe
            C:\Windows\system32\Dmllipeg.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3500
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 396
              6⤵
              • Program crash
              PID:4632
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3500 -ip 3500
    1⤵
      PID:4788

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\Daconoae.exe

      Filesize

      337KB

      MD5

      d9c9478423dcf32c78fca010601caa04

      SHA1

      7e569b1dd7ee9600c0c08fa5634b4a18660aa571

      SHA256

      d488c9c4e92f72ece5d56564ba2f499a285180fa97889debf8bae1c3fb15ebbe

      SHA512

      0b5ab1abca017ab153636d4dc9a0e850585e9df2c715c8076ad48da02ffcb1e0d4e16674f577790b9f29c29425de0645854a1325739342eb9217fee1370dbbaa

    • C:\Windows\SysWOW64\Dddhpjof.exe

      Filesize

      337KB

      MD5

      cfca48f71a5aa69f65449161aacbf2b2

      SHA1

      94e03ab0593bea82ff3c00fc39176d160001e61d

      SHA256

      0f8edea497b4f77e51017a7d3cc4fe74e0c4dff08988806beaf5ff9310110a38

      SHA512

      f8d1c043cbece624247ef8d2c3f50b09bb00c421f10d155f13d239dedea0495860854d23a0cf2d1520afc60bf0fdd8dc72420ceeee4b323888750cb9eb565ddb

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      337KB

      MD5

      0f50121fde2bc6b826dfad2083e6cd0c

      SHA1

      6d11bd65b134b96bcf8a4c743c4133bee3470629

      SHA256

      a3a4928a6a04ac65863fe4416c306c18b22d108e4a140f0946d3ad4e71a637b2

      SHA512

      86bc941da9bf2ba0385fbbd95ebc62f0ad70612a1dc8e1900c62c0d25a136d7f5f251506ff42e38b6905c7d1dea4fb5e4d62c848c01fabfb627ec76600299cdc

    • C:\Windows\SysWOW64\Dogogcpo.exe

      Filesize

      337KB

      MD5

      ab04cf2f70ff87e1a0451be832919977

      SHA1

      62cb0ccd46c891563347b85ea327eef6190e0fce

      SHA256

      990c7b16092ff166ee5c86117fecb47f67f674e91a2ee5c608ca2666f928e4f0

      SHA512

      56de6748175fa7b19672bd5141c237f189418db76f1ead8420f78b1a203ade3940703c7a0746de5edcb06140e1e8cbeb5e6813bba09f946677cd71c94909303b

    • memory/388-39-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/388-9-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/3500-33-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/3500-36-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/3892-24-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/3892-37-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/3956-0-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/3956-1-0x0000000000431000-0x0000000000432000-memory.dmp

      Filesize

      4KB

    • memory/3956-41-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/4332-16-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/4332-38-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB