Overview

overview

10

Static

static

3

835bee4006...8e.exe

windows7-x64

10

835bee4006...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2025 00:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    835bee400620ba91c4d7479dfc5f2753039757acc981c8ce2512e80b9e94e48e.exe

  • Size

    96KB

  • MD5

    c7c8e1ce6b9ea3d5ae43a9d58e772124

  • SHA1

    6896b1effa1ba57f1a8189100d00e01d2e702236

  • SHA256

    835bee400620ba91c4d7479dfc5f2753039757acc981c8ce2512e80b9e94e48e

  • SHA512

    e3b473dc377f7ff6056e06938e509840d94861e0cae5d6198e0df740585ce6c9f6e1bf82fe86978b1911054a2baf5d7591ec768abccd6c3f075922996e4a791d

  • SSDEEP

    1536:/q7EXvMNXXoQDM1lKb22LL297RZObZUUWaegPYAS:/q7DiQZbL29ClUUWaef

Score
10/10
berbewbackdoordiscoverypersistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Berbew family
    berbew
  • Executes dropped EXE 9 IoCs
  • Drops file in System32 directory 27 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 30 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\835bee400620ba91c4d7479dfc5f2753039757acc981c8ce2512e80b9e94e48e.exe
    "C:\Users\Admin\AppData\Local\Temp\835bee400620ba91c4d7479dfc5f2753039757acc981c8ce2512e80b9e94e48e.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SysWOW64\Dobfld32.exe
      C:\Windows\system32\Dobfld32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\SysWOW64\Delnin32.exe
        C:\Windows\system32\Delnin32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\Dfnjafap.exe
          C:\Windows\system32\Dfnjafap.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3692
          • C:\Windows\SysWOW64\Deokon32.exe
            C:\Windows\system32\Deokon32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1800
            • C:\Windows\SysWOW64\Dfpgffpm.exe
              C:\Windows\system32\Dfpgffpm.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4580
              • C:\Windows\SysWOW64\Dogogcpo.exe
                C:\Windows\system32\Dogogcpo.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2868
                • C:\Windows\SysWOW64\Deagdn32.exe
                  C:\Windows\system32\Deagdn32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:624
                  • C:\Windows\SysWOW64\Dgbdlf32.exe
                    C:\Windows\system32\Dgbdlf32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1064
                    • C:\Windows\SysWOW64\Dmllipeg.exe
                      C:\Windows\system32\Dmllipeg.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1984
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 396
                        11⤵
                        • Program crash
                        PID:3960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1984 -ip 1984
    1⤵
      PID:4340

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Deagdn32.exe
      Filesize

      96KB

      MD5

      4859b136c7c0966cc45fcccf4e71de1d

      SHA1

      b485c804bdec2bea38ed8552125c8b006faf4a2e

      SHA256

      8f2274d8835e05a1e960a354cd8bdc7f606a9b770f44fd7f7948e7913862f5f4

      SHA512

      bc620d730fff559cbff642eb90aa6ecad565347971f24c46bad98910722bf7baaae46acea88357bf12d2f5e14e694fbcf82bac7eefeea11458e816a112873989

      Download Submit

    • C:\Windows\SysWOW64\Delnin32.exe
      Filesize

      96KB

      MD5

      2170f2e4fcaac35c01f30b61ceb6aa19

      SHA1

      f8679d01999adb318a99f76e1532aa0799e2660f

      SHA256

      7f5354562294f680a4c718057f650d019ee35eef53bc372c03ea3b05e081d17d

      SHA512

      ffb90833884cbab3d54ada79a3ba58558e694669a6a2f2ab6a0429601572af91533b10672129cb35b5d42076f38db05a30901cb5e2d58e1456b1f306042e2a19

      Download Submit

    • C:\Windows\SysWOW64\Deokon32.exe
      Filesize

      96KB

      MD5

      e9cdf7aefeb92e6f2c2f8bf572581654

      SHA1

      52a6fad7336b13a6b576a7787d8c4950d6ddb949

      SHA256

      b3ebb60f4eedaa0f9edf5f4a6cf4b3dc46b3ea42ee3917a7113d3744b893f6dc

      SHA512

      8462052eab0a5819e39d3c5126931099751292378324f83ba56d55f249858f512365fa62eee3a8c46a5b7d9c219e842898d27769beb370fff6568646cbaaa11a

      Download Submit

    • C:\Windows\SysWOW64\Dfnjafap.exe
      Filesize

      96KB

      MD5

      a67d0ef72c3572d9c5145e0d809a40b2

      SHA1

      7ff2f98c408d777ed16b6c9218a28f1d045d6956

      SHA256

      365bf4963440512681604e188719f468c27838bbdf46d6da4c24592cf861db0b

      SHA512

      3c85fc0b5a62345c9167bf234d88a9f5d9ef6ecd555683ed7e0d0e1b8375d201644d5717db0c36f58b8704e6ede38df28db64edbb2fbae428733a824bc2111ff

      Download Submit

    • C:\Windows\SysWOW64\Dfpgffpm.exe
      Filesize

      96KB

      MD5

      978cc286727f524bea8569a1cf5a1b00

      SHA1

      8512b07decc331cb7eefa298fdad9d41b6bcd917

      SHA256

      3a2795fdca6db8cf8243f66a5b10482afef6da336d095368dd75de754d7dd82b

      SHA512

      731c85e7c9427795739cbf1b21ba0d7264319a09172e9fe68136986beee405841a6c486bf3454176d8868efa8f43d6deeaecc55f9dc727d8c6428936ee0e3d85

      Download Submit

    • C:\Windows\SysWOW64\Dgbdlf32.exe
      Filesize

      96KB

      MD5

      96f31e81119c4c058b44111406be8b96

      SHA1

      09577668e3f33e25d40f1d147196fe4fb87055d4

      SHA256

      1ed8295025e5676fcebe0bb92ebc227f06c7aa2bd7af8f6db3e260293a73febd

      SHA512

      923ec98d5ba5b65e2c30fc2a8ac9b57353401ef87d137057a5c0f6baa743e836e6e68e378b22091db8e340c72630efe0f4a0b1070cb0eb2150ad22b58de112e9

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      96KB

      MD5

      4cf1b3ade683e0e53f97848de355d43c

      SHA1

      3a7408d093a170a7c814a5b4b933bffe9f455576

      SHA256

      0213676c5256935bd3fff9418fca1d41b1fd2d13498866f3f908776765fee877

      SHA512

      a00caaad75d4c7e507de5d09190cd4d7a31ab920d370d2ae7ed287cf864ae870dce3b869a5ad210c8f66d97b875a408438b96451fb3730d27711aada52713283

      Download Submit

    • C:\Windows\SysWOW64\Dobfld32.exe
      Filesize

      96KB

      MD5

      bd681665d45d44d442b051c7de3b57ca

      SHA1

      53cc1e4d894dc269a4a733de742cbf0389d267e8

      SHA256

      b189b7169fac7f10a3443ca17f365cfd6cbba02b8378cece5fa5ff65acc517fb

      SHA512

      6c4740e9cc3bb699296e4bcf14fb33af49b5411f4a822ae942ea8779c6fb6368150fc0568a374383064955a0299bd0d94f48cb2727d396fbdf3352613e09b932

      Download Submit

    • C:\Windows\SysWOW64\Dogogcpo.exe
      Filesize

      96KB

      MD5

      b39080ca54b918bcf210a70dad571a84

      SHA1

      f08aefb482fb1569b75dd85c541da0be7639019b

      SHA256

      ec55b02f86d18754529795d704675980cf5e3315430db8597b233b9abedd5a0a

      SHA512

      af65f23f338885bbda32c0722fcb3c6dc34e588a396fc58a14b80a5fe0687e7435317b55530b57ec28e0ca46aabe4c4723eb6bad2792b688c2f91cc11c5d7e66

      Download Submit

    • memory/624-80-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/624-56-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1064-64-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1064-77-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1800-32-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1800-85-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1984-72-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1984-76-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2868-81-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2868-48-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2996-89-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2996-16-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3692-24-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3692-87-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4580-41-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4580-83-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4848-91-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4848-8-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4916-0-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4916-93-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4916-1-0x0000000000431000-0x0000000000432000-memory.dmp

      Filesize

      4KB

      Download