Overview

overview

10

Static

static

10

dc9401805c...67.exe

windows7-x64

10

dc9401805c...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2024 02:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc9401805c748dea2e082cac792922d8fa78f02f4822e7112d2eeb6a289ad967.exe

  • Size

    93KB

  • MD5

    d253fb9d4da141bf48521df3c706508a

  • SHA1

    1fbcea8a7f64ea26d335f6220d7f8f15458d4600

  • SHA256

    dc9401805c748dea2e082cac792922d8fa78f02f4822e7112d2eeb6a289ad967

  • SHA512

    3aba79868b2a81fc52d2addceed828ee7866c4d90858f7112b709cf41c3f226989ce01732c4050c373e855d676c2578e5307a0f9f83e3e74f717395eee3a52ce

  • SSDEEP

    1536:NYzdymcyOphebJ7iwDZ9Qjy0KD11DaYfMZRWuLsV+1R:NidOHmJ7iuQjBKD1gYfc0DV+1R

Score
10/10
berbewnjratbackdoordiscoverypersistencetrojan

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Berbew family
    berbew
  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • Drops file in System32 directory 15 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 18 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc9401805c748dea2e082cac792922d8fa78f02f4822e7112d2eeb6a289ad967.exe
    "C:\Users\Admin\AppData\Local\Temp\dc9401805c748dea2e082cac792922d8fa78f02f4822e7112d2eeb6a289ad967.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\Llbconkd.exe
      C:\Windows\system32\Llbconkd.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\Lghgmg32.exe
        C:\Windows\system32\Lghgmg32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\Loclai32.exe
          C:\Windows\system32\Loclai32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\SysWOW64\Llgljn32.exe
            C:\Windows\system32\Llgljn32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\SysWOW64\Lepaccmo.exe
              C:\Windows\system32\Lepaccmo.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 140
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\Lepaccmo.exe
    Filesize

    93KB

    MD5

    7a3b7fa0d57cd2c732649946e5a1746e

    SHA1

    df89c1d356ec000285664a226f26cfe411ac7411

    SHA256

    6193ea800c44d7d5c2132d039ebe6e9d55c184b3423f193d4b0468028e9b115c

    SHA512

    f5c23522a2bb095f6f9b16f7200f2ebe4330a36dfde8232ab58d40fd2c4f2d0196e7d7e4c1426fa3afa0b2e29390c13a5c7b1e2a947240425e2c82350f8e7e43

    Download Submit

  • \Windows\SysWOW64\Lghgmg32.exe
    Filesize

    93KB

    MD5

    643f7edbeea5bfcab8f2202b8fd8dc96

    SHA1

    594790a45dbcb54d00d40605cc8bf4f7a62e23e1

    SHA256

    30184bc0c351dbe6896e599297fbc2da939cbd7cb23bbc564a3ffaa7c11f3630

    SHA512

    b2779dcc2e5d02fe95cb75d47c633d86430a6af7e015d693830e2d38f7536d9ad0660c6ef38cd34c2b33aea914cb9bffe04a6e8c155758f1b8494c04e2df3126

    Download Submit

  • \Windows\SysWOW64\Llbconkd.exe
    Filesize

    93KB

    MD5

    62e80f2cfaebc41002d5e6f4559162dc

    SHA1

    7dff26822275c18b52ce4506afd7a0f6205bace5

    SHA256

    e7d7418fe8fe9e67021e6f2312b0f046d6ee2b53ab6e6cf26cdb853fade46826

    SHA512

    7e79098c98e296f769a9685fafd37a26604f1520e93a5928ec968dcf98e302e6cc78bcafa5fbcd488fde9e9ee4cb602ee66fb5550395c69f0750a2f8c368e698

    Download Submit

  • \Windows\SysWOW64\Llgljn32.exe
    Filesize

    93KB

    MD5

    484a6119647dbb0f62378c1b51db1a9c

    SHA1

    2cb3c2adf7682946b266bf9b7f35eaef22f2747f

    SHA256

    b613334b3cbc8361feecee1e8e3648c6efcf2fdb9ab6211cc8d483a0f791af8d

    SHA512

    317af346827ee3b9b0d66d37fa37bf0be8bed48610bd8fa519260c5e706feb6471dabe5b9f5c81df53c8552a53e0621489a1a97adc7816942e3edc630a1e9cfc

    Download Submit

  • \Windows\SysWOW64\Loclai32.exe
    Filesize

    93KB

    MD5

    b608aaa25745bfff6f8290c14836fa7c

    SHA1

    3033ff1b20ac0456b9b24f1a2500e217cf388e5f

    SHA256

    eb93db6ba0bd4d5b53156ea19465364ecfb3bbea6045d2c66c6608a80871fc73

    SHA512

    7cb009c247c37048a3448f464f8dabe5a66d6d68f33b0b6fdb4cbed8a8d38ac06bceec5a82e93e67071f77e7fd7f70f460e3d88901694e7d50950591b87c8519

    Download Submit

  • memory/2600-72-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2624-74-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2624-67-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2640-13-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2640-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2640-77-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2640-12-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2652-33-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2652-75-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2692-14-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2692-76-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2692-26-0x0000000000310000-0x0000000000343000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2752-49-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2752-73-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2752-41-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download