Overview

overview

10

Static

static

3

6335442ffa...fN.exe

windows7-x64

10

6335442ffa...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 13:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6335442ffad41468574d80340b384a2452d94fc0b8d2d207a6a8a672bec6948fN.exe

  • Size

    89KB

  • MD5

    bfb425f1b26992ccb6ae077894377ce0

  • SHA1

    0ec585bbd0df1e01a20e994e431e8d5e42fc6247

  • SHA256

    6335442ffad41468574d80340b384a2452d94fc0b8d2d207a6a8a672bec6948f

  • SHA512

    aa0fbd246e47f81a13a85db189425d1627a100180459051d60b3e1b2cacd7d4a3c780d47eac9dca2816c97ea79c0a5fddb8dad2ae27e6977181b665ad96615e1

  • SSDEEP

    1536:kw+3p0/jQ3nlstlYv/vAdj4RTl5QZGbmsCIK282c8CPGCECa9bC7e3iaqWpOBMD:P+3pejQGlP2FliZGbmhD28Qxnd9GMHqI

Score
10/10
berbewbackdoordiscoverypersistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • Drops file in System32 directory 15 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 18 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6335442ffad41468574d80340b384a2452d94fc0b8d2d207a6a8a672bec6948fN.exe
    "C:\Users\Admin\AppData\Local\Temp\6335442ffad41468574d80340b384a2452d94fc0b8d2d207a6a8a672bec6948fN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\Ejabqi32.exe
      C:\Windows\system32\Ejabqi32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\Eclcon32.exe
        C:\Windows\system32\Eclcon32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\SysWOW64\Eiilge32.exe
          C:\Windows\system32\Eiilge32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Windows\SysWOW64\Eebibf32.exe
            C:\Windows\system32\Eebibf32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2684
            • C:\Windows\SysWOW64\Flnndp32.exe
              C:\Windows\system32\Flnndp32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2148
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 140
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\Eclcon32.exe
    Filesize

    89KB

    MD5

    6d392e6ee415a66e13729e66f73998be

    SHA1

    2d0c54981b9ca525dba3bd6b8d52bedce5df04eb

    SHA256

    c99a5f2d1e2a06e2bb99b6dfa76673957468225fad5f730b9e580ed46d4e8b74

    SHA512

    104b61ea0847076aac4bdde30e5e0b767e9019fac6a7591be51a7661d27a4342aff45f4ee43eed84c97e844990868959c835bf51fa325a17fa6e1c9ebab32d91

    Download Submit

  • \Windows\SysWOW64\Eebibf32.exe
    Filesize

    89KB

    MD5

    fb4cbc58884d1f5f0c4cc752f4971175

    SHA1

    9f060c643e7c20d70f12fba9c55b048e6e20ffec

    SHA256

    4e47dec47fbfca2f419d771027d5c30f3e8115df99d30aa57ff695e376561dd8

    SHA512

    999bf0b259eec6bfe6972c2dc2ddd12ea34a642f08df9b8197af112f4294cabf9f689a69f2d0c56ea6775e593a86b95adfb830444e54370f530fe97a2a0256d2

    Download Submit

  • \Windows\SysWOW64\Eiilge32.exe
    Filesize

    89KB

    MD5

    a609b380151f929c7d802fc103cdef75

    SHA1

    c889a994dc27e5d2042a013eb2c3342c7f5c4323

    SHA256

    4a8fe537838e4ec3743380fc5bf2c7263fe6ac3ab82c62559edbb78decaa9682

    SHA512

    48bb6150a2c6d74093227551225612933fdb082ff9b6591374cbfa07ceb567e2e5bc55f475737426b993b1f816b4761faa9abb51be365f715ed8f28b9286a732

    Download Submit

  • \Windows\SysWOW64\Ejabqi32.exe
    Filesize

    89KB

    MD5

    bd700fafd35dc51ce605c270fb59416d

    SHA1

    ba1d003b78a92d1e37e197a251b79b750c330670

    SHA256

    eba7c7655129cbb5f124a0318da4ea2f7a6875d2a2867f7441550bac2ce5878c

    SHA512

    3d28ec0c71c33e77e3399ab32ddfd560adb313062850d92a1e5dcc837e2e9217c299bb5d961ad718ddb3e6e4525d37bbd6bd8ab7816f605eccc9a60194a6a0dc

    Download Submit

  • \Windows\SysWOW64\Flnndp32.exe
    Filesize

    89KB

    MD5

    db56dc94fac0673b46ed8162bca4285b

    SHA1

    7df718b3ab072d44ba053b446b00c079c26819aa

    SHA256

    a6fe0a4d480b1ac076b70b7786124abdc15f711e3c1f3ab50e887b834702eb1f

    SHA512

    a8bd99f72efbbffcba138b0b1baf0608e77538cabb8c24e247dc29d65faca567b231754be770f606115f694e9f8a1659a178ee7d8abd3b671101458a0f0195d7

    Download Submit

  • memory/2112-73-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2112-34-0x0000000000220000-0x000000000025E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2112-40-0x0000000000220000-0x000000000025E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2148-68-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2148-78-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2172-75-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2172-49-0x0000000000220000-0x000000000025E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2684-77-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2684-62-0x00000000002C0000-0x00000000002FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2820-14-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2820-26-0x0000000000220000-0x000000000025E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2820-74-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2880-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2880-12-0x0000000000220000-0x000000000025E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2880-76-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2880-11-0x0000000000220000-0x000000000025E000-memory.dmp

    Filesize

    248KB

    Download