berbew | 1e79944d2217ecc3cb570a6d59af23f409f7f941aa0d57d2a741074aa3ad489b | Triage

Sharing

General

Target

1e79944d2217ecc3cb570a6d59af23f409f7f941aa0d57d2a741074aa3ad489bN
Size

163KB
Sample

241007-lz8d6ayhjl
MD5

f68631174037adcc192dcd59a5f999a0
SHA1

aafe972b381e8481b9b866daa455bc0c661014f2
SHA256

1e79944d2217ecc3cb570a6d59af23f409f7f941aa0d57d2a741074aa3ad489b
SHA512

54c0d7180a8c4413aff9e3953b97a6166b5cde1ca59bff0efec0fb23d5a381d379546b38cc1ba9284d1080cd4c4ca01ebaf5fc5c323f4a0bfdc2bf41ef8af70e
SSDEEP

1536:PUkH+vg3r5REMBH1dujfc1MgPV4r5w1L+FlProNVU4qNVUrk/9QbfBr+7GwKrPAS:XHRAMBH1diNaVTSFltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Targets

- Target
  
  1e79944d2217ecc3cb570a6d59af23f409f7f941aa0d57d2a741074aa3ad489bN
- Size
  
  163KB
- MD5
  
  f68631174037adcc192dcd59a5f999a0
- SHA1
  
  aafe972b381e8481b9b866daa455bc0c661014f2
- SHA256
  
  1e79944d2217ecc3cb570a6d59af23f409f7f941aa0d57d2a741074aa3ad489b
- SHA512
  
  54c0d7180a8c4413aff9e3953b97a6166b5cde1ca59bff0efec0fb23d5a381d379546b38cc1ba9284d1080cd4c4ca01ebaf5fc5c323f4a0bfdc2bf41ef8af70e
- SSDEEP
  
  1536:PUkH+vg3r5REMBH1dujfc1MgPV4r5w1L+FlProNVU4qNVUrk/9QbfBr+7GwKrPAS:XHRAMBH1diNaVTSFltOrWKDBr+yJb
Score

10^/10

berbew backdoor discovery persistence gozi banker isfb trojan
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

berbewbackdoordiscoverypersistence

behavioral2

berbewgozibackdoorbankerdiscoveryisfbpersistencetrojan