General

  • Target

    3c75a352127cf66cb7534899fa1527b6f30f2f33dce70788c0ea10397c4f96f0N

  • Size

    163KB

  • Sample

    241009-zzlr2sthkk

  • MD5

    ad59a5cde7b11bde659bb5650fa3fdd0

  • SHA1

    fb399af1e663f8e82e8bbfdac1812a8770126261

  • SHA256

    3c75a352127cf66cb7534899fa1527b6f30f2f33dce70788c0ea10397c4f96f0

  • SHA512

    04fd73f6b66fe7b4a77430689f9a379b1e3ad1d7d010a52caef1525bba0e84e02c781b1433a56dda70059b95b6a8548a4ebb0a41292c0772704c04d2486d5a1b

  • SSDEEP

    3072:z+cO5ROHhQdV5AFbOg9fKYFf9gOtdviXEcgCPltOrWKDBr+yJb:BeR4hgVgCPLOf

Malware Config

Extracted

Family

berbew

C2


Extracted

Family

gozi

Targets

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks