Analysis
-
max time kernel
71s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
20-11-2024 01:18
General
-
Target
1c55f981b1181307735b9691ed202c0fc132c50296db3f4d46a27fbc6ceb852f.exe
-
Size
163KB
-
MD5
ffb75652432f5b13412bd3281504e6f3
-
SHA1
fb55c4df661ae04787f236d8d4c1bab8e26b7bbd
-
SHA256
1c55f981b1181307735b9691ed202c0fc132c50296db3f4d46a27fbc6ceb852f
-
SHA512
8a4e684916dd8438edf28f72a6dbda327b75c2e3801ba460d377575ecced14ee2688e24fd5be024093d736e6b49a55952533db20d453feba24a417f82d0cf12d
-
SSDEEP
1536:PN/47nidENgNaG7ldAY5rIi/MC6UwdlT17CBlProNVU4qNVUrk/9QbfBr+7GwKrE:lnwaaokY5xMC6UECBltOrWKDBr+yJbA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c55f981b1181307735b9691ed202c0fc132c50296db3f4d46a27fbc6ceb852f.exe"C:\Users\Admin\AppData\Local\Temp\1c55f981b1181307735b9691ed202c0fc132c50296db3f4d46a27fbc6ceb852f.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\Ajjgei32.exeC:\Windows\system32\Ajjgei32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Apkihofl.exeC:\Windows\system32\Apkihofl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Amoibc32.exeC:\Windows\system32\Amoibc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Blipno32.exeC:\Windows\system32\Blipno32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bimphc32.exeC:\Windows\system32\Bimphc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Boleejag.exeC:\Windows\system32\Boleejag.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cnhhge32.exeC:\Windows\system32\Cnhhge32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cpiaipmh.exeC:\Windows\system32\Cpiaipmh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Dklepmal.exeC:\Windows\system32\Dklepmal.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Epcddopf.exeC:\Windows\system32\Epcddopf.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Efoifiep.exeC:\Windows\system32\Efoifiep.exe36⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe40⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Gdcfoq32.exeC:\Windows\system32\Gdcfoq32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe42⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gbjpem32.exeC:\Windows\system32\Gbjpem32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hmfmkjdf.exeC:\Windows\system32\Hmfmkjdf.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hgoadp32.exeC:\Windows\system32\Hgoadp32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe51⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ijfqfj32.exeC:\Windows\system32\Ijfqfj32.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iocioq32.exeC:\Windows\system32\Iocioq32.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe57⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe59⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Inmpklpj.exeC:\Windows\system32\Inmpklpj.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jjijkmbi.exeC:\Windows\system32\Jjijkmbi.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe67⤵
-
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe68⤵
-
C:\Windows\SysWOW64\Jfagemej.exeC:\Windows\system32\Jfagemej.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Jojloc32.exeC:\Windows\system32\Jojloc32.exe70⤵
-
C:\Windows\SysWOW64\Jibpghbk.exeC:\Windows\system32\Jibpghbk.exe71⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe72⤵
-
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe73⤵
-
C:\Windows\SysWOW64\Kigibh32.exeC:\Windows\system32\Kigibh32.exe74⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Kndbko32.exeC:\Windows\system32\Kndbko32.exe75⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kcajceke.exeC:\Windows\system32\Kcajceke.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Kaekljjo.exeC:\Windows\system32\Kaekljjo.exe77⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Kgocid32.exeC:\Windows\system32\Kgocid32.exe78⤵
-
C:\Windows\SysWOW64\Kmklak32.exeC:\Windows\system32\Kmklak32.exe79⤵
-
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe80⤵
-
C:\Windows\SysWOW64\Lmnhgjmp.exeC:\Windows\system32\Lmnhgjmp.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mebpakbq.exeC:\Windows\system32\Mebpakbq.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mokdja32.exeC:\Windows\system32\Mokdja32.exe83⤵
-
C:\Windows\SysWOW64\Mdgmbhgh.exeC:\Windows\system32\Mdgmbhgh.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Mpqjmh32.exeC:\Windows\system32\Mpqjmh32.exe85⤵
-
C:\Windows\SysWOW64\Mkfojakp.exeC:\Windows\system32\Mkfojakp.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Mdoccg32.exeC:\Windows\system32\Mdoccg32.exe87⤵
-
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Npechhgd.exeC:\Windows\system32\Npechhgd.exe89⤵
-
C:\Windows\SysWOW64\Ngoleb32.exeC:\Windows\system32\Ngoleb32.exe90⤵
-
C:\Windows\SysWOW64\Nhqhmj32.exeC:\Windows\system32\Nhqhmj32.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Nokqidll.exeC:\Windows\system32\Nokqidll.exe92⤵
-
C:\Windows\SysWOW64\Nhcebj32.exeC:\Windows\system32\Nhcebj32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Negeln32.exeC:\Windows\system32\Negeln32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe95⤵
-
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe96⤵
-
C:\Windows\SysWOW64\Nkfkidmk.exeC:\Windows\system32\Nkfkidmk.exe97⤵
-
C:\Windows\SysWOW64\Odnobj32.exeC:\Windows\system32\Odnobj32.exe98⤵
-
C:\Windows\SysWOW64\Ongckp32.exeC:\Windows\system32\Ongckp32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Odqlhjbi.exeC:\Windows\system32\Odqlhjbi.exe100⤵
-
C:\Windows\SysWOW64\Okkddd32.exeC:\Windows\system32\Okkddd32.exe101⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ogaeieoj.exeC:\Windows\system32\Ogaeieoj.exe102⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ogdaod32.exeC:\Windows\system32\Ogdaod32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ohengmcf.exeC:\Windows\system32\Ohengmcf.exe104⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ockbdebl.exeC:\Windows\system32\Ockbdebl.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Pbpoebgc.exeC:\Windows\system32\Pbpoebgc.exe106⤵
-
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe107⤵
-
C:\Windows\SysWOW64\Pbdipa32.exeC:\Windows\system32\Pbdipa32.exe108⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Pchbmigj.exeC:\Windows\system32\Pchbmigj.exe109⤵
-
C:\Windows\SysWOW64\Pmqffonj.exeC:\Windows\system32\Pmqffonj.exe110⤵
-
C:\Windows\SysWOW64\Qcmkhi32.exeC:\Windows\system32\Qcmkhi32.exe111⤵
-
C:\Windows\SysWOW64\Abbhje32.exeC:\Windows\system32\Abbhje32.exe112⤵
-
C:\Windows\SysWOW64\Apfici32.exeC:\Windows\system32\Apfici32.exe113⤵
-
C:\Windows\SysWOW64\Almihjlj.exeC:\Windows\system32\Almihjlj.exe114⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Abgaeddg.exeC:\Windows\system32\Abgaeddg.exe115⤵
-
C:\Windows\SysWOW64\Anmbje32.exeC:\Windows\system32\Anmbje32.exe116⤵
-
C:\Windows\SysWOW64\Ajdcofop.exeC:\Windows\system32\Ajdcofop.exe117⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Ahhchk32.exeC:\Windows\system32\Ahhchk32.exe118⤵
-
C:\Windows\SysWOW64\Bobleeef.exeC:\Windows\system32\Bobleeef.exe119⤵
-
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe120⤵
-
C:\Windows\SysWOW64\Bfpmog32.exeC:\Windows\system32\Bfpmog32.exe121⤵
- Drops file in System32 directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-