Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 02:32
General
-
Target
ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe
-
Size
96KB
-
MD5
d1f9b3cd8ef3223d59b651b7654ae5c0
-
SHA1
0b9d6d19e1d1dc1b64179b8d7a7ee2fcdc981b61
-
SHA256
ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e
-
SHA512
9f65e249f796522ca26ef5d8c17baae8ba20a7527c81c02ef0d319bd8f97e8334b94b8f2f9869c31446a236ee64348cb3888d2b0f8a6cf02c893c78b2082489e
-
SSDEEP
1536:x8M+kpVNZ0/AxsPAv2+aDafDQzVm2LO7RZObZUUWaegPYA:xckpVNCXufEpOClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe"C:\Users\Admin\AppData\Local\Temp\ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gajnlb32.exeC:\Windows\system32\Gajnlb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ghdfhm32.exeC:\Windows\system32\Ghdfhm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gonnegbj.exeC:\Windows\system32\Gonnegbj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hfhfba32.exeC:\Windows\system32\Hfhfba32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hgiciipe.exeC:\Windows\system32\Hgiciipe.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hnckfc32.exeC:\Windows\system32\Hnckfc32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hdmccmno.exeC:\Windows\system32\Hdmccmno.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hkglpgfk.exeC:\Windows\system32\Hkglpgfk.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hbadla32.exeC:\Windows\system32\Hbadla32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hhklilde.exeC:\Windows\system32\Hhklilde.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hkihegdi.exeC:\Windows\system32\Hkihegdi.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hbcqba32.exeC:\Windows\system32\Hbcqba32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hfaihp32.exeC:\Windows\system32\Hfaihp32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hknapf32.exeC:\Windows\system32\Hknapf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hbhjmqgp.exeC:\Windows\system32\Hbhjmqgp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Igebegeg.exeC:\Windows\system32\Igebegeg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ibjgbp32.exeC:\Windows\system32\Ibjgbp32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Iidoojlj.exeC:\Windows\system32\Iidoojlj.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Inaggaka.exeC:\Windows\system32\Inaggaka.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ioadadbd.exeC:\Windows\system32\Ioadadbd.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ibopnpah.exeC:\Windows\system32\Ibopnpah.exe27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iglhffop.exeC:\Windows\system32\Iglhffop.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Infabq32.exeC:\Windows\system32\Infabq32.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iepiokni.exeC:\Windows\system32\Iepiokni.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ignekfmm.exeC:\Windows\system32\Ignekfmm.exe31⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Jbdiio32.exeC:\Windows\system32\Jbdiio32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Jklnadcc.exeC:\Windows\system32\Jklnadcc.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jgcofe32.exeC:\Windows\system32\Jgcofe32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jnmgcpqd.exeC:\Windows\system32\Jnmgcpqd.exe36⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Jibkqh32.exeC:\Windows\system32\Jibkqh32.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jghhaeeb.exeC:\Windows\system32\Jghhaeeb.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jnapno32.exeC:\Windows\system32\Jnapno32.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jfihplma.exeC:\Windows\system32\Jfihplma.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jleahcki.exeC:\Windows\system32\Jleahcki.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kbpidm32.exeC:\Windows\system32\Kbpidm32.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kfkeelko.exeC:\Windows\system32\Kfkeelko.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kglamd32.exeC:\Windows\system32\Kglamd32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Kpcina32.exeC:\Windows\system32\Kpcina32.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kbbfjm32.exeC:\Windows\system32\Kbbfjm32.exe48⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Kepbfh32.exeC:\Windows\system32\Kepbfh32.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kljjcb32.exeC:\Windows\system32\Kljjcb32.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kbdbpmop.exeC:\Windows\system32\Kbdbpmop.exe51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kinklg32.exeC:\Windows\system32\Kinklg32.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kbgoelmm.exeC:\Windows\system32\Kbgoelmm.exe54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kiqgbf32.exeC:\Windows\system32\Kiqgbf32.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Klocnbcn.exeC:\Windows\system32\Klocnbcn.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Knmpjmba.exeC:\Windows\system32\Knmpjmba.exe57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kfdhkkcd.exeC:\Windows\system32\Kfdhkkcd.exe58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Klapcaak.exeC:\Windows\system32\Klapcaak.exe59⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lbkhpl32.exeC:\Windows\system32\Lbkhpl32.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Llcmia32.exeC:\Windows\system32\Llcmia32.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lbnefkfe.exeC:\Windows\system32\Lbnefkfe.exe63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lihnbe32.exeC:\Windows\system32\Lihnbe32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Llfjoa32.exeC:\Windows\system32\Llfjoa32.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lndfkl32.exeC:\Windows\system32\Lndfkl32.exe66⤵
-
C:\Windows\SysWOW64\Lflnlj32.exeC:\Windows\system32\Lflnlj32.exe67⤵
-
C:\Windows\SysWOW64\Llhfdq32.exeC:\Windows\system32\Llhfdq32.exe68⤵
-
C:\Windows\SysWOW64\Lpfojo32.exeC:\Windows\system32\Lpfojo32.exe69⤵
-
C:\Windows\SysWOW64\Lfpggiif.exeC:\Windows\system32\Lfpggiif.exe70⤵
-
C:\Windows\SysWOW64\Lechbf32.exeC:\Windows\system32\Lechbf32.exe71⤵
-
C:\Windows\SysWOW64\Mpilpo32.exeC:\Windows\system32\Mpilpo32.exe72⤵
-
C:\Windows\SysWOW64\Mbghljok.exeC:\Windows\system32\Mbghljok.exe73⤵
-
C:\Windows\SysWOW64\Meedheno.exeC:\Windows\system32\Meedheno.exe74⤵
-
C:\Windows\SysWOW64\Miapid32.exeC:\Windows\system32\Miapid32.exe75⤵
-
C:\Windows\SysWOW64\Mpkhenmd.exeC:\Windows\system32\Mpkhenmd.exe76⤵
-
C:\Windows\SysWOW64\Mbieajlh.exeC:\Windows\system32\Mbieajlh.exe77⤵
-
C:\Windows\SysWOW64\Mehanell.exeC:\Windows\system32\Mehanell.exe78⤵
-
C:\Windows\SysWOW64\Mhfmjqkp.exeC:\Windows\system32\Mhfmjqkp.exe79⤵
-
C:\Windows\SysWOW64\Mpmeknkb.exeC:\Windows\system32\Mpmeknkb.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mblagi32.exeC:\Windows\system32\Mblagi32.exe81⤵
-
C:\Windows\SysWOW64\Mejnce32.exeC:\Windows\system32\Mejnce32.exe82⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Mhhjop32.exeC:\Windows\system32\Mhhjop32.exe83⤵
-
C:\Windows\SysWOW64\Mobbljpj.exeC:\Windows\system32\Mobbljpj.exe84⤵
-
C:\Windows\SysWOW64\Mbnnmi32.exeC:\Windows\system32\Mbnnmi32.exe85⤵
-
C:\Windows\SysWOW64\Mihficpp.exeC:\Windows\system32\Mihficpp.exe86⤵
-
C:\Windows\SysWOW64\Mlfbeooc.exeC:\Windows\system32\Mlfbeooc.exe87⤵
-
C:\Windows\SysWOW64\Moeoajng.exeC:\Windows\system32\Moeoajng.exe88⤵
-
C:\Windows\SysWOW64\Meognded.exeC:\Windows\system32\Meognded.exe89⤵
-
C:\Windows\SysWOW64\Mhmcjpdg.exeC:\Windows\system32\Mhmcjpdg.exe90⤵
-
C:\Windows\SysWOW64\Nliokn32.exeC:\Windows\system32\Nliokn32.exe91⤵
-
C:\Windows\SysWOW64\Noglgj32.exeC:\Windows\system32\Noglgj32.exe92⤵
-
C:\Windows\SysWOW64\Neadddca.exeC:\Windows\system32\Neadddca.exe93⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nhpppobe.exeC:\Windows\system32\Nhpppobe.exe94⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Npghamcg.exeC:\Windows\system32\Npghamcg.exe95⤵
-
C:\Windows\SysWOW64\Nbedmhbk.exeC:\Windows\system32\Nbedmhbk.exe96⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Necqicao.exeC:\Windows\system32\Necqicao.exe97⤵
-
C:\Windows\SysWOW64\Nlmifnik.exeC:\Windows\system32\Nlmifnik.exe98⤵
-
C:\Windows\SysWOW64\Nolebiho.exeC:\Windows\system32\Nolebiho.exe99⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Nhdiko32.exeC:\Windows\system32\Nhdiko32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Npkall32.exeC:\Windows\system32\Npkall32.exe101⤵
-
C:\Windows\SysWOW64\Ncjnhg32.exeC:\Windows\system32\Ncjnhg32.exe102⤵
-
C:\Windows\SysWOW64\Nehjdc32.exeC:\Windows\system32\Nehjdc32.exe103⤵
-
C:\Windows\SysWOW64\Nlbbam32.exeC:\Windows\system32\Nlbbam32.exe104⤵
-
C:\Windows\SysWOW64\Noqomh32.exeC:\Windows\system32\Noqomh32.exe105⤵
-
C:\Windows\SysWOW64\Ncljnglc.exeC:\Windows\system32\Ncljnglc.exe106⤵
-
C:\Windows\SysWOW64\Nifbka32.exeC:\Windows\system32\Nifbka32.exe107⤵
-
C:\Windows\SysWOW64\Ocogcgjp.exeC:\Windows\system32\Ocogcgjp.exe108⤵
-
C:\Windows\SysWOW64\Oemcpbid.exeC:\Windows\system32\Oemcpbid.exe109⤵
-
C:\Windows\SysWOW64\Oihopa32.exeC:\Windows\system32\Oihopa32.exe110⤵
-
C:\Windows\SysWOW64\Ooehhhpd.exeC:\Windows\system32\Ooehhhpd.exe111⤵
-
C:\Windows\SysWOW64\Oeopeb32.exeC:\Windows\system32\Oeopeb32.exe112⤵
-
C:\Windows\SysWOW64\Ohnlam32.exeC:\Windows\system32\Ohnlam32.exe113⤵
-
C:\Windows\SysWOW64\Oogdngna.exeC:\Windows\system32\Oogdngna.exe114⤵
-
C:\Windows\SysWOW64\Occqof32.exeC:\Windows\system32\Occqof32.exe115⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Oimikpng.exeC:\Windows\system32\Oimikpng.exe116⤵
-
C:\Windows\SysWOW64\Olleglmk.exeC:\Windows\system32\Olleglmk.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ocemdfdh.exeC:\Windows\system32\Ocemdfdh.exe118⤵
-
C:\Windows\SysWOW64\Ohbflmbp.exeC:\Windows\system32\Ohbflmbp.exe119⤵
-
C:\Windows\SysWOW64\Opinnjcb.exeC:\Windows\system32\Opinnjcb.exe120⤵
-
C:\Windows\SysWOW64\Ogcfjd32.exeC:\Windows\system32\Ogcfjd32.exe121⤵
- Drops file in System32 directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-