berbew | fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395

General

Target

fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Size

84KB
MD5

e552e83cc99fca4404233ce5ddd4c143
SHA1

a87253db6281b898f43a41e0978b3d7c31f2a7a1
SHA256

fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395
SHA512

ae6752d4301ee6e212ffe81cba57fe936ca8b871fd3db1397cd86a7b1a63aa9938e751cbe8d497fdcebb5aad4d1ed9750dfe3518d77bee996cd6562546340418
SSDEEP

1536:b/5ms1dxOseE4qcKt9pP8TfLoCDPz/r3jv8jETXSREXHfVPfMVwNKT1iqWUPGc4J:b95O2t9pETfLXDPz/r3jvCETCREXdXNp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nobpmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihdjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihdjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nobpmb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 5 IoCs

pid	Process
1692	Ncjbba32.exe
2984	Nifgekbm.exe
568	Nobpmb32.exe
636	Oihdjk32.exe
2760	Opblgehg.exe

Loads dropped DLL 14 IoCs

pid	Process
2548	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
2548	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
1692	Ncjbba32.exe
1692	Ncjbba32.exe
2984	Nifgekbm.exe
2984	Nifgekbm.exe
568	Nobpmb32.exe
568	Nobpmb32.exe
636	Oihdjk32.exe
636	Oihdjk32.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oihdjk32.exe	Nobpmb32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Oihdjk32.exe
File created	C:\Windows\SysWOW64\Nifgekbm.exe	Ncjbba32.exe
File opened for modification	C:\Windows\SysWOW64\Nifgekbm.exe	Ncjbba32.exe
File created	C:\Windows\SysWOW64\Jhjalgho.dll	Ncjbba32.exe
File created	C:\Windows\SysWOW64\Nobpmb32.exe	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Oihdjk32.exe	Nobpmb32.exe
File created	C:\Windows\SysWOW64\Moanhnka.dll	Nobpmb32.exe
File created	C:\Windows\SysWOW64\Ihggkhle.dll	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
File created	C:\Windows\SysWOW64\Qieiiaad.dll	Nifgekbm.exe
File opened for modification	C:\Windows\SysWOW64\Nobpmb32.exe	Nifgekbm.exe
File opened for modification	C:\Windows\SysWOW64\Ncjbba32.exe	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Oihdjk32.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Oihdjk32.exe
File created	C:\Windows\SysWOW64\Ncjbba32.exe	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2844	2760	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjbba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nifgekbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nobpmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihdjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjalgho.dll"	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Oihdjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll"	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qieiiaad.dll"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moanhnka.dll"	Nobpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oihdjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nobpmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oihdjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjbba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nobpmb32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1692	2548	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe	30
PID 2548 wrote to memory of 1692	2548	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe	30
PID 2548 wrote to memory of 1692	2548	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe	30
PID 2548 wrote to memory of 1692	2548	fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe	30
PID 1692 wrote to memory of 2984	1692	Ncjbba32.exe	31
PID 1692 wrote to memory of 2984	1692	Ncjbba32.exe	31
PID 1692 wrote to memory of 2984	1692	Ncjbba32.exe	31
PID 1692 wrote to memory of 2984	1692	Ncjbba32.exe	31
PID 2984 wrote to memory of 568	2984	Nifgekbm.exe	32
PID 2984 wrote to memory of 568	2984	Nifgekbm.exe	32
PID 2984 wrote to memory of 568	2984	Nifgekbm.exe	32
PID 2984 wrote to memory of 568	2984	Nifgekbm.exe	32
PID 568 wrote to memory of 636	568	Nobpmb32.exe	33
PID 568 wrote to memory of 636	568	Nobpmb32.exe	33
PID 568 wrote to memory of 636	568	Nobpmb32.exe	33
PID 568 wrote to memory of 636	568	Nobpmb32.exe	33
PID 636 wrote to memory of 2760	636	Oihdjk32.exe	34
PID 636 wrote to memory of 2760	636	Oihdjk32.exe	34
PID 636 wrote to memory of 2760	636	Oihdjk32.exe	34
PID 636 wrote to memory of 2760	636	Oihdjk32.exe	34
PID 2760 wrote to memory of 2844	2760	Opblgehg.exe	35
PID 2760 wrote to memory of 2844	2760	Opblgehg.exe	35
PID 2760 wrote to memory of 2844	2760	Opblgehg.exe	35
PID 2760 wrote to memory of 2844	2760	Opblgehg.exe	35

C:\Users\Admin\AppData\Local\Temp\fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe
"C:\Users\Admin\AppData\Local\Temp\fac721a1b0c0cc31e966620ca6aee6a4132d4b9e48499971f6b9e3c116043395.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\Ncjbba32.exe
  C:\Windows\system32\Ncjbba32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\Nifgekbm.exe
    C:\Windows\system32\Nifgekbm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\Nobpmb32.exe
      C:\Windows\system32\Nobpmb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\SysWOW64\Oihdjk32.exe
        
        C:\Windows\system32\Oihdjk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nobpmb32.exe

Filesize
84KB

MD5
4bee030084c6aa9ce7fa46b9a8406088

SHA1
dc2a715cb75093e2cef00c6dda96ec3ba3f021f9

SHA256
56cc36eb90cd0a6233256ed29edcb6eb08981191708dccc921b9a01a0b16193b

SHA512
b13ac6b70c79a10c5ac090e6bb19cb928e911dd0a4b90ba8c93352bc18d344f1de4d33327d6f9d329d33262536da2e5c21d4f466e35e080507c29e90e7dd8852

Download Submit
C:\Windows\SysWOW64\Oihdjk32.exe

Filesize
84KB

MD5
e52e6b34fecaa8c9143206390eb041ff

SHA1
74a4f4b3426dc6f0aa4bd99a41afa4d0bb151dac

SHA256
a22102243524ac137ed38fff47482cf3ad84694fe0da77bcc6ee6292a59c7a32

SHA512
968039bf473dce83481b3d91b10855f3f7ae729829d005c5a96ef741661fcaf9d8e0e7adb27b17a550472151d4339f4d2151883c7d1a330e92d7d393cae5ac47

Download Submit
\Windows\SysWOW64\Ncjbba32.exe

Filesize
84KB

MD5
d0e6b989602799240221927835e809d9

SHA1
c1e13adcb48e5de9358bf411177f8dd3610e5969

SHA256
3c6103db64554bebf982fcf45f168d0bc0227b26d9c9a1048c1ac75bdb1ee59c

SHA512
45009d61d504d219b410d381915f0dfdf52c8c10d731529575296a5bcd5090fc7d4c4e4cc8c1907fc9826f78860e5ad26a08329986d45ce95559707b76b1762a

Download Submit
\Windows\SysWOW64\Nifgekbm.exe

Filesize
84KB

MD5
7c0bd3759b2124c0a6d957b19f262ab4

SHA1
4d2d79cd93b0b97b15ddf031222a0b26a678c8bd

SHA256
b2f389609eb1a4c8e8c058300724838b1f9ce5b560dc323691b85dad74c9edc0

SHA512
bdfbff291bc6012330b17e41ea7f139989255b077e90046b50cfd912a2e486050ce9d226a44c1f54aea08f22f2f57229639da1bc5eca968ee714c2c945cacb57

Download Submit
\Windows\SysWOW64\Opblgehg.exe

Filesize
84KB

MD5
e59e6daadee8b64e00254476d8cf6fc4

SHA1
222db90cdb0119ec7da19bc69c53673a7b7e9430

SHA256
6debd14cae7109795e61910ec88e3721e5b2cef95d0a974a950c2afefbc6cbeb

SHA512
3e1869c4e6c15c53169f14d658c382edffb793dedfcf85d2ee1dd5a000d0182e1618b79bbdc9a52364f0325cafe21027c84d37e8edefac372a1e3b05497a36f1

Download Submit
memory/568-45-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/636-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/636-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-26-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/1692-24-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/1692-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-7-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2548-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2760-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2760-75-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2984-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2984-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads