berbew

Sharing

Copy URL

Twitter E-mail

General

Target

RNSM00370.7z
Size

10.2MB
Sample

241105-16xnkasmem
MD5

51604e584ac02ba7cbc1e0b988f52ff3
SHA1

441570eb9cec860cfc71bff92458981757476aa8
SHA256

25092371bd630f24a8de44508fa5f2d45145eff4c3b069bdc91eabc34063153e
SHA512

a1cd0e949fcae04ca9ef215cd957181634b609272ebe3e99e6299e6572ca7fb2644aedbf9cb812c153fb27bd7302739a86ec8f723d244db5184040cfdbb97a44
SSDEEP

196608:ti28AfEg2eqkWvCGjcBBGIs2/f/WlXu479C+NsP5f7J+iGuaLNXgPPSxU+:uA8teqvDYBhnC7c+NsP5A0PYU+

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

187.162.62.135:80

181.231.72.200:80

45.55.83.204:8080

104.236.217.164:8080

128.199.78.227:8080

46.101.123.139:8080

185.94.252.27:443

181.171.118.19:80

46.21.105.59:8080

105.224.171.102:80

86.6.188.121:80

190.246.146.101:80

200.80.198.34:80

200.58.171.51:80

109.104.79.48:8080

89.134.144.41:8080

159.65.241.220:8080

186.23.146.42:80

203.25.159.3:8080

190.1.37.125:443

rsa_pubkey.plain

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

218.54.30.235

Extracted

Path

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\#DECRYPT_MY_FILES#.html

Ransom Note

<html> <title>S A T U R N</title> <center> <body> <h1>S A T U R N</h1> <h4>Your documents, photos, databases, and other important files have been encrypted!</h4> <br /> To Decrypt your files follow these instructions: <br /> <div> <h4>1. Download and Install Tor Browser from <a href=https://www.torproject.org/>https://www.torproject.org/</a></h4> <br /> <h4>2. Run the browser</h4> <br /> <h4>3. In the Tor Browser, open website:</h3> <div style="background-color: #d9d9d9; margin-left: 20px; margin-right: 20px; padding-bottom: 8px; padding-left: 8px; padding-right: 8px; padding-top: 8px;"> </a><b>http://su34pwhpcafeiztt.onion</b><br/> </div> <h4>4. Follow the instructions at this website</h4> </div> </body> </center> </html> <style> html { background-color: white; font-family: Helvetica, sans-serif; } div { background-color: #f2f2f2; width: 80: %; padding: 25px; margin: 25px; overflow:hidden; } </style>

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Extracted

Family

darkcomet

Botnet

Travian

google.serveftp.com:1515

Mutex

DC_MUTEX-542ZEJN

Attributes

gencode
jrjmU8cZXsP2
install
false
offline_keylogger
true
password
H91B4UD
persistence
false

Extracted

Path

C:\Users\357002-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 357002. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F78B3F7D6B6DB3E2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F78B3F7D6B6DB3E2 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: nrL0ucxgd9T2vE1sr6X+aDXJcaBH+O6Qg7JOK/KN68/UrYgXDmeg4CvZhI3ubSDK gPvrYFgCAdi5Bnvs0eJeSuV76RY/lfwlJbJcWg6DE+5pRIlVDZwW+wgnOYwzl0B8 fS83aBmBg/rXj25X4An+IERqxdpIxa3+7821qOkUzr5436/4SQS3FEzilmyVopSS mmMaV/Su+IB7U10z/m22uZwMpG+NepuIQizLLsw/I/Ikf9FsgrS0XGGBzlJeOnTb H9PAW6SBGTuUIPH/1IEKucWCx9t2uu0gfClCc1rFG0YhsI3VjQxTLw3srqz92rX/ iq0hnJrcMRuhgjO4Z/iJP6ise25x3hmOsR9QsjoFMPd1DO0MERTH7tXF4rljO1Fu +35FFR5i+WhoeUUqBgmGvbWWcUh7FFPVwavnfP3VHD/67q0Jy/QE6zhQeROO0zIy kJO+aX9SQVNzRs+Z/qsYflycvb/yg9HrCiY86fKQRPqlq95viyejJxpmpXT2AXI5 CLx/V/bZ4G8sHYw0Y1/vU6ywFgPMfkv12YpzVIG0vbmd+aTEwnGL1JrH/1EMfFxB C4k0F+pdhShpfEwgKkO7Kg9NtnfOENXT0hR4IIi6CIVx05MDmnEI6OyqLjBnCpTV o4Rf/kY1SeeedCOpXIG+lK+cjUs4cTEKF9NBpFHS8eiQS9JOoBNN/Cj8hEvDfEeX UFYwV1u5e7Y5Y8UaFkPre5DQGOMlgIEii9tQtXxqDLiM/6as9wN5gGKTTWGvag3O 75EeyatnQQYUa4Amf8OUH0eD45rYPbzCP55iTIGK9VIYWBS2AfXXFc+kOK3Gk59H dRJjYchOOe/tPApcVh93KW09eVWzArxZebYghkx+PdkMPH1JqYwer/zZ8Y+M/IXH LSyuJQ1JUZXhby0Treni4moUbdtn3DsAoOcknY+kjxGtkBXcydTlP5LWMVgPP+IL NfFgElveZmrD8pex5rAF89zVW6RpJOPQs24AJZIgB1O1opXUfY19qv6ShRwpv2l2 0XoOXnTTU6nez1LCUTHfPFZxd4l0iPoIVJo+KfLZTs8t9HWS7qoWcv3ryQZNKMyV YDGnm4Cr7D56zKFg53DKXDmOwLDzknZug4igSqqEWfTnerwH5yaTySqTnK+FmRwS EfLt5VqVAZdBZlf8hwQyv6lt1oP1fA+5XuiKQmhv2gufh41Of6NkTG8fB7CYEuKA UZKNprrwJz3/WgABHxw= Extension name: 357002 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F78B3F7D6B6DB3E2

http://decryptor.top/F78B3F7D6B6DB3E2

Targets

- Target
  
  RNSM00370.7z
- Size
  
  10.2MB
- MD5
  
  51604e584ac02ba7cbc1e0b988f52ff3
- SHA1
  
  441570eb9cec860cfc71bff92458981757476aa8
- SHA256
  
  25092371bd630f24a8de44508fa5f2d45145eff4c3b069bdc91eabc34063153e
- SHA512
  
  a1cd0e949fcae04ca9ef215cd957181634b609272ebe3e99e6299e6572ca7fb2644aedbf9cb812c153fb27bd7302739a86ec8f723d244db5184040cfdbb97a44
- SSDEEP
  
  196608:ti28AfEg2eqkWvCGjcBBGIs2/f/WlXu479C+NsP5f7J+iGuaLNXgPPSxU+:uA8teqvDYBhnC7c+NsP5A0PYU+
Score

10^/10

berbew darkcomet emotet gandcrab sality sodinokibi urelas epoch1 travian adware backdoor banker defense_evasion discovery evasion execution impact persistence ransomware rat stealer trojan upx
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Berbew family
  berbew
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- Sality family
  sality
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- UAC bypass
  evasion trojan
- Urelas
  Urelas is a trojan targeting card games.
  trojan urelas
- Urelas family
  urelas
- Windows security bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Contacts a large (1416) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Disables RegEdit via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1