berbew | 3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538

General

Target

3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Size

477KB
MD5

078322411e766bf6b3965c0f640b4930
SHA1

318d832e55e3a51f9177e5ac5665dbafea3c5e1a
SHA256

3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538
SHA512

09d2ee79a69b80492f4396011277622a0fe9d925a6c2cd73e86556d26f2f9436874c0c099f1b0b014c2c30e6e167984cff2401a92b4ac6ca3dbc93565e32d639
SSDEEP

6144:nxMDZ0g6on/TNId/1fon/T9P7GSon/TNId/1fon/T2oI0YokOsfY7Uony:xMt0eNIVyeNIVy2oIvPKO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 1 IoCs

pid	Process
2360	Dpapaj32.exe

Loads dropped DLL 5 IoCs

pid	Process
1980	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
1980	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
456	WerFault.exe
456	WerFault.exe
456	WerFault.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
456	2360	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2360	1980	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe	31
PID 1980 wrote to memory of 2360	1980	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe	31
PID 1980 wrote to memory of 2360	1980	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe	31
PID 1980 wrote to memory of 2360	1980	3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe	31
PID 2360 wrote to memory of 456	2360	Dpapaj32.exe	32
PID 2360 wrote to memory of 456	2360	Dpapaj32.exe	32
PID 2360 wrote to memory of 456	2360	Dpapaj32.exe	32
PID 2360 wrote to memory of 456	2360	Dpapaj32.exe	32

C:\Users\Admin\AppData\Local\Temp\3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe
"C:\Users\Admin\AppData\Local\Temp\3bfc624d62372d7504d68cba950175e84bf2b33a5ca4ecde5ce653b02fd5e538N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\Dpapaj32.exe
  C:\Windows\system32\Dpapaj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Dpapaj32.exe

Filesize
477KB

MD5
a65981d95adf7580f63be3009cf331f6

SHA1
65f6f765c5fe2fba8a06595e2690cc1720f03592

SHA256
1ba3863fa2d24c03d356bd195094dc3c4f453b676aea76efb9f86bbb1ef3f8f1

SHA512
84b69a250d92ee6159396260e12f97871eb2cc35336adc65fdf303b2c3cc879a7053d01df44e9112ddb2fd80f2cbba29d839565b5d8ab014db1c940e4bbae8ec

Download Submit
memory/1980-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-12-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1980-11-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1980-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads