berbew | cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbe

General

Target

cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Size

64KB
MD5

7407c5b7c6d5e52a10c87a3fd8c235f0
SHA1

0b5479387cea28067f30eb030492df7846b0b8c7
SHA256

cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbe
SHA512

c1f2d0388cc5300a0435da16e6f3ccb57729a29c58dadfc66d955c34096400f163cdcd9364ae43519f0cb778c0e022cd00efa175125a3865ac1335a1006332e0
SSDEEP

768:7TixpAykcoORlJgG0JNOMf0zUPExuAk4F3LX2dCRLPrpoMgmLPv2p/1H5DpXdnhE:firyORPQNOMf6uExUuT20LNLg0v2L1Zc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 3 IoCs

pid	Process
2692	Kbhbai32.exe
2672	Kkojbf32.exe
2808	Lbjofi32.exe

Loads dropped DLL 10 IoCs

pid	Process
1620	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
1620	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
2692	Kbhbai32.exe
2692	Kbhbai32.exe
2672	Kkojbf32.exe
2672	Kkojbf32.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2684	2808	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2692	1620	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe	30
PID 1620 wrote to memory of 2692	1620	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe	30
PID 1620 wrote to memory of 2692	1620	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe	30
PID 1620 wrote to memory of 2692	1620	cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe	30
PID 2692 wrote to memory of 2672	2692	Kbhbai32.exe	31
PID 2692 wrote to memory of 2672	2692	Kbhbai32.exe	31
PID 2692 wrote to memory of 2672	2692	Kbhbai32.exe	31
PID 2692 wrote to memory of 2672	2692	Kbhbai32.exe	31
PID 2672 wrote to memory of 2808	2672	Kkojbf32.exe	32
PID 2672 wrote to memory of 2808	2672	Kkojbf32.exe	32
PID 2672 wrote to memory of 2808	2672	Kkojbf32.exe	32
PID 2672 wrote to memory of 2808	2672	Kkojbf32.exe	32
PID 2808 wrote to memory of 2684	2808	Lbjofi32.exe	33
PID 2808 wrote to memory of 2684	2808	Lbjofi32.exe	33
PID 2808 wrote to memory of 2684	2808	Lbjofi32.exe	33
PID 2808 wrote to memory of 2684	2808	Lbjofi32.exe	33

C:\Users\Admin\AppData\Local\Temp\cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe
"C:\Users\Admin\AppData\Local\Temp\cb0d57acb3c6b22d52d66af0890cc2130fed2e561520f8ee63852011828c5cbeN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\Kbhbai32.exe
  C:\Windows\system32\Kbhbai32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\Kkojbf32.exe
    C:\Windows\system32\Kkojbf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\Lbjofi32.exe
      C:\Windows\system32\Lbjofi32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Kbhbai32.exe

Filesize
64KB

MD5
3685a61ed1d8c2e4a6f3d88e6c5dd7be

SHA1
35e9ea9fc4a1940893f2aa2a6cbd1c4f1688afd2

SHA256
9240a296a36434f053c5b7fb5cb2bcea3c8e95416e5496a9e4abcf9b5e311e16

SHA512
899c6ac3cebaef3180fa2a265f795e3fd336203bf2476b54bde1fbb6ca99146a59d3be433dbbcdbed68366ce60508610696b93a2c1343b2bf7dfe31004997d63

Download Submit
\Windows\SysWOW64\Kkojbf32.exe

Filesize
64KB

MD5
168b5de7e7029802378751be2d265e84

SHA1
fead58190cb6b34d259d72289f19c20dc624649c

SHA256
cbd346806f3f26bf0a7905d8952e301248314c317beb7cfc2807f7d983a0d2ec

SHA512
b0b05846b413f924ac41403c424754d43d0afd3de0f1307ffe60c95eab996ac92cf8d7727be3c6ca603de055905aeb80919e0869d9c1ca81b781f964841e027f

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
64KB

MD5
e56c7a7b7d096960f0f1cabbbd7399ce

SHA1
4dcc43cb7d4e6aeb356fdf1ec3ca78274a614887

SHA256
0f6c7339ad321a7a01da333e10497be8ea49173adaddc3f6097d17f8884a7eb8

SHA512
108596b41180131157f76601c9c5451a45fdb1cc26e5a30770fe015e128d3771780583f0f3c89ee6c975f31aa4436282af9dc406b2b7039495ec70f9fe3e052e

Download Submit
memory/1620-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-11-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1620-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-38-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2672-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-21-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2692-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads