berbew | c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb

General

Target

c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Size

456KB
MD5

e055b590788c36b7d0a181f4cb0df6c6
SHA1

a42911ce1a19720b3832ed96ce8cb7ee89f30192
SHA256

c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb
SHA512

5370ea4b0e4a373c8288608a896f86d764dbc20e0dc6f9057baac3e98e0555d05ba04374fa4b964057b1cd162b1217418318e73b5a844ef20b2b6f7cde7065f9
SSDEEP

12288:UxOWwIKfDy/phgeczlqczZd7LFB3oFHoGnFjVZnykJGvpHGdm:wwFfDy/phgeczlqczZd7LFB3oFHoGnFg

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 3 IoCs

pid	Process
2632	Enhacojl.exe
2752	Eplkpgnh.exe
2836	Fkckeh32.exe

Loads dropped DLL 10 IoCs

pid	Process
2712	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
2712	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
2632	Enhacojl.exe
2632	Enhacojl.exe
2752	Eplkpgnh.exe
2752	Eplkpgnh.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Eplkpgnh.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Ahoanjcc.dll	Enhacojl.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
File created	C:\Windows\SysWOW64\Ampehe32.dll	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
File created	C:\Windows\SysWOW64\Eplkpgnh.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Eplkpgnh.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Eplkpgnh.exe
File opened for modification	C:\Windows\SysWOW64\Enhacojl.exe	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2560	2836	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhacojl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplkpgnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll"	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Eplkpgnh.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2632	2712	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe	28
PID 2712 wrote to memory of 2632	2712	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe	28
PID 2712 wrote to memory of 2632	2712	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe	28
PID 2712 wrote to memory of 2632	2712	c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe	28
PID 2632 wrote to memory of 2752	2632	Enhacojl.exe	29
PID 2632 wrote to memory of 2752	2632	Enhacojl.exe	29
PID 2632 wrote to memory of 2752	2632	Enhacojl.exe	29
PID 2632 wrote to memory of 2752	2632	Enhacojl.exe	29
PID 2752 wrote to memory of 2836	2752	Eplkpgnh.exe	30
PID 2752 wrote to memory of 2836	2752	Eplkpgnh.exe	30
PID 2752 wrote to memory of 2836	2752	Eplkpgnh.exe	30
PID 2752 wrote to memory of 2836	2752	Eplkpgnh.exe	30
PID 2836 wrote to memory of 2560	2836	Fkckeh32.exe	31
PID 2836 wrote to memory of 2560	2836	Fkckeh32.exe	31
PID 2836 wrote to memory of 2560	2836	Fkckeh32.exe	31
PID 2836 wrote to memory of 2560	2836	Fkckeh32.exe	31

C:\Users\Admin\AppData\Local\Temp\c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe
"C:\Users\Admin\AppData\Local\Temp\c71c8080cc91d66c4e6969d734d337225c2768c616f32d0e993694ea89f11cbb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\Enhacojl.exe
  C:\Windows\system32\Enhacojl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Eplkpgnh.exe
    C:\Windows\system32\Eplkpgnh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\Fkckeh32.exe
      C:\Windows\system32\Fkckeh32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Enhacojl.exe

Filesize
456KB

MD5
e2ffc264535bbf2883dbcac9bbf176f6

SHA1
55997452716c7bbe089729fb60c27ff1f9355279

SHA256
17818546fd1d70bea216a966c5b7f801f8297fd11fa302e470334d000f549fb5

SHA512
1cc3a1aeed47123768de80fc1bbf8f07362cf1ee8afb814f1e1a8cc1cf332c5c2f6cdd5a6af2403896510cbada1a1a55e8b0ac134ccdb67a971044ed6c8d7998

Download Submit
\Windows\SysWOW64\Eplkpgnh.exe

Filesize
456KB

MD5
74f5d582ca2ad2566f72f6e7809e09ee

SHA1
a68a3d60042f315c12a4bb41347ae7df57ecc132

SHA256
ebb34a4e31a29963bb79d49f76477103ff6c9c1b8283a2d7894f6a26fe74e96a

SHA512
6bf437e26311c4c28494dfa86f4ef09cdad4e222c03c422c4f55b4804b2f89313e45576d3a388699913f71c02546c1291b79175919f259c617a6ff2a2cf6862e

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
456KB

MD5
d47a21852dfd912ef9816d49079a5b69

SHA1
ccbb983619b820dcd66b99f1eda3b5abfa17f89f

SHA256
5ab863e83a28988427880aab53eec33bf6ddcf1419e7248c80a15b27898aad86

SHA512
791196ec75e227878580d567c02bdfbda722ebd3ebadc14b473878ecc0043f17c26b235f2feb33cc149d87ede293e52f03068cf969f74e5fa162ef18ab6158c4

Download Submit
memory/2632-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2632-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2712-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2712-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-35-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2836-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads