General

  • Target

    builder.exe

  • Size

    13.1MB

  • Sample

    241018-wnp4jssenp

  • MD5

    e12327f56600e978d98c80da4b417027

  • SHA1

    3aaeb0dacf4efaa132d4303d1acc6e30e7d4539a

  • SHA256

    47419707f4ba61486f1671dc98093c1e33d3426125ddae1f3444582315023ecb

  • SHA512

    8cecb4569a0a42901b0600baa63057389c78a7e499716e33bcce80565225ad073ae40ee584e490dba07db4b07a6378897f994d2e543cd76a2a0bb8a2a98c56d7

  • SSDEEP

    393216:uGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:5FQZ2YwUlJn1QtIm28Inpzo

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Targets

    • Berbew

      Berbew is a backdoor written in C++.

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex, or Phorpiex, is a malware family that infects systems in order to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks