berbew | c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d

General

Target

c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Size

255KB
MD5

9e989a0a54365f45d499a583f92f0c89
SHA1

d97c9b46620508ce3011f1e22f6190d4a7b20595
SHA256

c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d
SHA512

640863cf9df2c8dd3056263b316a183354a42f0e1cb8b70b0fb6fe37e19c6e3ac8d3b1f0040d0c38bc8fd10f6662f83b8f5df8c0b278c8385596669717b2dff9
SSDEEP

6144:B0KY+vnrXeWFnTf2xUS6UJjwszeXmDZUH8aiGaEP:DrXeWFWj6YjzZUH8awEP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lkjmfjmi.exec2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exeLemdncoa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lemdncoa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Executes dropped EXE 3 IoCs

Processes:

Lemdncoa.exeLkjmfjmi.exeLepaccmo.exe

pid process

2728 Lemdncoa.exe
2164 Lkjmfjmi.exe
2820 Lepaccmo.exe

pid	process
2728	Lemdncoa.exe
2164	Lkjmfjmi.exe
2820	Lepaccmo.exe

Loads dropped DLL 10 IoCs

Processes:

c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exeLemdncoa.exeLkjmfjmi.exeWerFault.exe

pid	process
2412	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
2412	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
2728	Lemdncoa.exe
2728	Lemdncoa.exe
2164	Lkjmfjmi.exe
2164	Lkjmfjmi.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe

Drops file in System32 directory 9 IoCs

Processes:

c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exeLemdncoa.exeLkjmfjmi.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Lemdncoa.exe	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
File created	C:\Windows\SysWOW64\Lioglifg.dll	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
File created	C:\Windows\SysWOW64\Lkjmfjmi.exe	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lkjmfjmi.exe
File opened for modification	C:\Windows\SysWOW64\Lemdncoa.exe	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
File opened for modification	C:\Windows\SysWOW64\Lkjmfjmi.exe	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Iekhhnol.dll	Lemdncoa.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lkjmfjmi.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2748 2820 WerFault.exe

pid	pid_target	process
2748	2820	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exeLemdncoa.exeLkjmfjmi.exeLepaccmo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkjmfjmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe

Modifies registry class 12 IoCs

Processes:

Lkjmfjmi.exec2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exeLemdncoa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lioglifg.dll"	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekhhnol.dll"	Lemdncoa.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exeLemdncoa.exeLkjmfjmi.exeLepaccmo.exe

description	pid	process	target process
PID 2412 wrote to memory of 2728	2412	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe	Lemdncoa.exe
PID 2412 wrote to memory of 2728	2412	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe	Lemdncoa.exe
PID 2412 wrote to memory of 2728	2412	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe	Lemdncoa.exe
PID 2412 wrote to memory of 2728	2412	c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe	Lemdncoa.exe
PID 2728 wrote to memory of 2164	2728	Lemdncoa.exe	Lkjmfjmi.exe
PID 2728 wrote to memory of 2164	2728	Lemdncoa.exe	Lkjmfjmi.exe
PID 2728 wrote to memory of 2164	2728	Lemdncoa.exe	Lkjmfjmi.exe
PID 2728 wrote to memory of 2164	2728	Lemdncoa.exe	Lkjmfjmi.exe
PID 2164 wrote to memory of 2820	2164	Lkjmfjmi.exe	Lepaccmo.exe
PID 2164 wrote to memory of 2820	2164	Lkjmfjmi.exe	Lepaccmo.exe
PID 2164 wrote to memory of 2820	2164	Lkjmfjmi.exe	Lepaccmo.exe
PID 2164 wrote to memory of 2820	2164	Lkjmfjmi.exe	Lepaccmo.exe
PID 2820 wrote to memory of 2748	2820	Lepaccmo.exe	WerFault.exe
PID 2820 wrote to memory of 2748	2820	Lepaccmo.exe	WerFault.exe
PID 2820 wrote to memory of 2748	2820	Lepaccmo.exe	WerFault.exe
PID 2820 wrote to memory of 2748	2820	Lepaccmo.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe
"C:\Users\Admin\AppData\Local\Temp\c2d713ffe01d040a0cf2c9959bfc8ad0dbdb8c03cadf1771d46e11a4707ff85d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\Lemdncoa.exe
  C:\Windows\system32\Lemdncoa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\Lkjmfjmi.exe
    C:\Windows\system32\Lkjmfjmi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\Lepaccmo.exe
      C:\Windows\system32\Lepaccmo.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lemdncoa.exe

Filesize
255KB

MD5
4cdd875a1472e49bbe6c8b9cfa7ecb3d

SHA1
50d93d1811180f236c06b9aee733b6b3a7370fe3

SHA256
caad93b4627526da10da7f06058160f83560a7215be77e66fc65e72d58604a92

SHA512
71b9166f7afc4338d74b4423a2c5da4892363f2ff852a0cb9ebb2bbc348404a7db5ee2f334a2fecd9d525c1764c828e71d1656e3df9509cf2de37fc0abf20110

Download Submit
C:\Windows\SysWOW64\Lkjmfjmi.exe

Filesize
255KB

MD5
8d47fcd18794847e2415fb140d4e98cc

SHA1
43948ffda06fb4af618d1fe4cf1b7963aeb7eb8f

SHA256
73b27cd7b98a15f4964e09c0a767c59687dec03000831dc84ff89ae4764465e2

SHA512
a659bc41d420fbcca20053c9a79f17b34fe0025b4eef3c90af6a4ce8e38cb671e7ba4d94c39d0c7b8dfec8850916ae1792a084d3c963cf6a30888d1d8c07da03

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
255KB

MD5
9521f34bb1d8a7b3b0fd9e038621ed05

SHA1
c9bd1199ba3c283efeab37925f8c96b5cd5e304b

SHA256
d5e96410def276dd931286ca5624ebe430745670ece16e90ad6acf531c11fe4f

SHA512
4d3c3800f96a5662f12fabc55194e36cd149a5976dfc5aba3549b157117b5efdf612801f917ba5a4aafb0b3d59025609b132c73c40d77d40717fd5f7a8b8e106

Download Submit
memory/2164-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2164-35-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2412-12-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2412-11-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2412-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-27-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/2728-22-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/2728-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-42-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads