Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 23:17
General
-
Target
60e59a677e31a8da94cc96de674fa276901f066a0e2333c026a1820a9b95a242.exe
-
Size
163KB
-
MD5
c6037e67ba9a4ebf7616e80595bb8734
-
SHA1
6c2eef2edfcb90359d208594a2c1b8ab4529c91c
-
SHA256
60e59a677e31a8da94cc96de674fa276901f066a0e2333c026a1820a9b95a242
-
SHA512
1355bec476626bc54e4c3503058e742b86ede6a484e0070dd383fb06768817505938e0a71d4ad2b234c4edead20d095db45392b89719bcc03a819ce42e3d243c
-
SSDEEP
1536:PRfyJqLVhYMeXHL+V8lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:A8EjHI8ltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Gozi family
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\60e59a677e31a8da94cc96de674fa276901f066a0e2333c026a1820a9b95a242.exe"C:\Users\Admin\AppData\Local\Temp\60e59a677e31a8da94cc96de674fa276901f066a0e2333c026a1820a9b95a242.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eejeiocj.exeC:\Windows\system32\Eejeiocj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gpgind32.exeC:\Windows\system32\Gpgind32.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hfaajnfb.exeC:\Windows\system32\Hfaajnfb.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hmkigh32.exeC:\Windows\system32\Hmkigh32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Hbhboolf.exeC:\Windows\system32\Hbhboolf.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe28⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe34⤵
-
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ipjoja32.exeC:\Windows\system32\Ipjoja32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ilqoobdd.exeC:\Windows\system32\Ilqoobdd.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jghpbk32.exeC:\Windows\system32\Jghpbk32.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe52⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kpmdfonj.exeC:\Windows\system32\Kpmdfonj.exe57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kgflcifg.exeC:\Windows\system32\Kgflcifg.exe58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe59⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Kfpcoefj.exeC:\Windows\system32\Kfpcoefj.exe64⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Kngkqbgl.exeC:\Windows\system32\Kngkqbgl.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Lfbped32.exeC:\Windows\system32\Lfbped32.exe67⤵
-
C:\Windows\SysWOW64\Llmhaold.exeC:\Windows\system32\Llmhaold.exe68⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Lcgpni32.exeC:\Windows\system32\Lcgpni32.exe69⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Llodgnja.exeC:\Windows\system32\Llodgnja.exe70⤵
-
C:\Windows\SysWOW64\Lfgipd32.exeC:\Windows\system32\Lfgipd32.exe71⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe72⤵
-
C:\Windows\SysWOW64\Lfjfecno.exeC:\Windows\system32\Lfjfecno.exe73⤵
-
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe74⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe75⤵
-
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe76⤵
-
C:\Windows\SysWOW64\Mfnoqc32.exeC:\Windows\system32\Mfnoqc32.exe77⤵
-
C:\Windows\SysWOW64\Mnegbp32.exeC:\Windows\system32\Mnegbp32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe79⤵
-
C:\Windows\SysWOW64\Mqfpckhm.exeC:\Windows\system32\Mqfpckhm.exe80⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Mjodla32.exeC:\Windows\system32\Mjodla32.exe81⤵
-
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe82⤵
-
C:\Windows\SysWOW64\Mgbefe32.exeC:\Windows\system32\Mgbefe32.exe83⤵
-
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe84⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe86⤵
-
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe87⤵
-
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe88⤵
-
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe89⤵
-
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe91⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe92⤵
-
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe93⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe95⤵
-
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe96⤵
-
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe97⤵
-
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe98⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ojdgnn32.exeC:\Windows\system32\Ojdgnn32.exe99⤵
-
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe100⤵
-
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe101⤵
-
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe102⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Pnfiplog.exeC:\Windows\system32\Pnfiplog.exe104⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe105⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Phajna32.exeC:\Windows\system32\Phajna32.exe106⤵
-
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe107⤵
-
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe108⤵
-
C:\Windows\SysWOW64\Pffgom32.exeC:\Windows\system32\Pffgom32.exe109⤵
-
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe110⤵
-
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe111⤵
-
C:\Windows\SysWOW64\Pdjgha32.exeC:\Windows\system32\Pdjgha32.exe112⤵
-
C:\Windows\SysWOW64\Ppahmb32.exeC:\Windows\system32\Ppahmb32.exe113⤵
-
C:\Windows\SysWOW64\Qjfmkk32.exeC:\Windows\system32\Qjfmkk32.exe114⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe115⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe116⤵
-
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe117⤵
-
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe118⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Aphnnafb.exeC:\Windows\system32\Aphnnafb.exe119⤵
-
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe120⤵
-
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe121⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-