berbew

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_6014b30bcb29b6bcc758164ee4057e84dc08180c12688e2396dd638f2142c322
Size

853KB
Sample

241221-wygj6awkfn
MD5

3f07601c9e60d83a9bdc46f7d771473e
SHA1

c904774644f38785645ac5300b37e7b53754bd75
SHA256

6014b30bcb29b6bcc758164ee4057e84dc08180c12688e2396dd638f2142c322
SHA512

b8ac7dce230edceba1b121a9b264d408a037d6f3b5375e31738948d008db859c695b4fedae6e0aae76df732f71f72581ab7b962f8c56c28c2c02e5fa76953a23
SSDEEP

24576:n5aIeEHCbAJcreVGxzKjqsclfIwK/BW4q:5HybAJOeVGxzKjqscUBW4q

Score

10^/10

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Extracted

Family

fickerstealer

80.87.192.115:80

Targets

- Target
  
  7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8
- Size
  
  209KB
- MD5
  
  1a736d7a0881473473a6c5f782836e69
- SHA1
  
  9e42b57a2076867afdd47373b867ac87cba5083f
- SHA256
  
  7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8
- SHA512
  
  7e758e89292fec2d23f7b1041bb375ef0baab55571324a0c8414bd3a5332361936a552b07e27ae217bedddf777d6ae5bffff91870280b32421d6137e5905256d
- SSDEEP
  
  6144:lreOmET+k+aBChc06gTOKBJWuSml64ps7O61:MOmEHchc0HOKPWujl64pKf
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  7be6c0d38ef7ac12dbfd8a45d5b9513934d1e1195eb62c7cb44f103269b1bbce
- Size
  
  222KB
- MD5
  
  d97990b3f79d8ec2d4b174cf0c8b8a1e
- SHA1
  
  1dbd733efb3c0064739c9da11e4de6319984b98f
- SHA256
  
  7be6c0d38ef7ac12dbfd8a45d5b9513934d1e1195eb62c7cb44f103269b1bbce
- SHA512
  
  ee5ee5613391d8231d1ad6855f155d3fd3fcffa19c9f7f0bf0e19be42c4472e3436d269e0d59e462734ba9dcbaca83d3c1b0b5ce8174cde111a14cf405ae4252
- SSDEEP
  
  6144:5wqpv0UqVUNLwJu90GbICZqeprVUNLwJu90G:5t50gNJ9GCZqesNJ9
Score

10^/10

berbew backdoor discovery persistence
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Berbew family
  berbew
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  8e9d85ae521c93539b3c58c3c9f3aedfe235ee4cea0688f580fc67cefdbeaa28
- Size
  
  296KB
- MD5
  
  0284ad0eb6ae288cc4cb13fbd9280483
- SHA1
  
  f8e81aa7be42334347b7433414dbd4e919232a46
- SHA256
  
  8e9d85ae521c93539b3c58c3c9f3aedfe235ee4cea0688f580fc67cefdbeaa28
- SHA512
  
  927bcae18074850771882cf864c68504cf30ccdc59ca42412e07bbbd4d70b8e24b237656b25210220dd0b06ebe38263cccb9a43dab4d73409c6df73e3d0dcd6a
- SSDEEP
  
  1536:eWH9Z5yroVsyKCUrb2v+iDnRZ7x3UH/sJow80IE8PQC2Ym:eWH92rUKbH+UfYow8pEDX
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  a246c7a0362b24c2022ebdb4c229f3c8bdd0f8541f55880a03d394f85aa10582
- Size
  
  366KB
- MD5
  
  edcb9e4837cb1118d11931bc0955c5eb
- SHA1
  
  cb5505dea7d55cf00a7bf3db3d21becf4872da76
- SHA256
  
  a246c7a0362b24c2022ebdb4c229f3c8bdd0f8541f55880a03d394f85aa10582
- SHA512
  
  fc3fff3da308f4cb0359e96a0969393eda0d71ffe03c47ca5caabbe6a91616e4e3b17cd3409262b59503012d37e16f1dd151fd8115dd9ba413f99af7f1845fb0
- SSDEEP
  
  6144:Q8JsLcpjzTDDmHayakLkrb4NSarQW5IG5X9hkY3yj:9zxzTDWikLSb4NS7MIG5X9tyj
Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  a8a9389353cbc3155ef587c59f6f2e250740cbad4c7bd1c6f3ff501652f593c4
- Size
  
  535KB
- MD5
  
  24529921569a021456436d4088937002
- SHA1
  
  e51ed743a9b4e639c44e9dd01879ed9861301374
- SHA256
  
  a8a9389353cbc3155ef587c59f6f2e250740cbad4c7bd1c6f3ff501652f593c4
- SHA512
  
  508aedf4215b944ce454c89134d19cc1bb51d3eebfada2c5a75cb53d271c5ac1cead074cd61c784eceb7ac8a70fbefb14ecf42e7635218ca85188da3348f6112
- SSDEEP
  
  6144:TPMsDJ+WdooOjnbd77EfncL62UhKCx6jB3MW0rLAb56dpLN4XQKJrsu:TPM0JTKo8np8Pce2UhDx613MW0rwrsu
Score

10^/10

fickerstealer discovery infostealer
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
  infostealer fickerstealer
- Fickerstealer family
  fickerstealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral10 behavioral9