berbew | 0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b

General

Target

0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
Size

64KB
MD5

0e9dabdd3a4005f176866c9e29183b28
SHA1

e6cca255b3d56cc3d7d5cef3d7f24532f8f84e78
SHA256

0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b
SHA512

c6463f7e26c78065044175ba9afdd8d7d1839cdb41a86a233856de8c66ab3d26cd51adab52dcb63201ad5b8eaff6cdf9a086aab6eb42894fc81ecdf127692e6f
SSDEEP

1536:vBi07PO+1VH/cQ6e6GQBq2R833dBoBUva3vlzYE8Rm0D:n7DH/cNeCq2YdBEM0vlzY/m0D

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 1 IoCs

pid	Process
2680	Fkckeh32.exe

Loads dropped DLL 6 IoCs

pid	Process
2432	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
2432	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkckeh32.exe	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2796	2680	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2680	2432	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe	30
PID 2432 wrote to memory of 2680	2432	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe	30
PID 2432 wrote to memory of 2680	2432	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe	30
PID 2432 wrote to memory of 2680	2432	0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe	30
PID 2680 wrote to memory of 2796	2680	Fkckeh32.exe	31
PID 2680 wrote to memory of 2796	2680	Fkckeh32.exe	31
PID 2680 wrote to memory of 2796	2680	Fkckeh32.exe	31
PID 2680 wrote to memory of 2796	2680	Fkckeh32.exe	31

C:\Users\Admin\AppData\Local\Temp\0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe
"C:\Users\Admin\AppData\Local\Temp\0b5338c54e484737382fee7abfa0b3a4cc0d975ea173c5907acb25dfd7e7d58b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\Fkckeh32.exe
  C:\Windows\system32\Fkckeh32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
64KB

MD5
2a41073e92d7f9d2c42e6053667324f9

SHA1
1e85fd84a33ae6d6f2012d41a957e17e18324ce0

SHA256
41dd853c3362f6817fc738152dcc2f1f6bebff8659aa94b20056ace8a144780a

SHA512
4de94a411ae63e46fd44f7810b99aa05e22c4918ba10c6db79348b8f1c6be67d07b1a82153437fcf669ecb491c047ad373fcc89758ff1ea434a52c7e9ef510b4

Download Submit
memory/2432-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-12-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2432-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads