berbew

Sharing

Copy URL

Twitter E-mail

General

Target

Virussign.2024.12.25.7z
Size

22.7MB
Sample

250131-xffetawlhj
MD5

362cffb15f28c5b27503e8d9bb4ed548
SHA1

6072864fd823f39a9895b734c7b4cf68746d26ea
SHA256

f04afa122d919fe049eb055ab6d29f8a414b4041440af660895916b7e32f20a0
SHA512

ff7d08ffff9a590b92a5ae7bd207eade68464adabf75436f48d8643597711678bac466159f028da6d0ae64dd52cfcc9d63f6cf61b87004f58852d19a054a5a7f
SSDEEP

393216:DUfW7XJu+Ah4PwyyxAs7+I85EcR7J8IjuCW0LaoXFBJPb:DUSXJuthOyt745l7WK80LaEJT

Score

10^/10

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Targets

- Target
  
  virussign.com_e9db7f543abe55498e2fe9e81adbd150.vir
- Size
  
  694KB
- MD5
  
  e9db7f543abe55498e2fe9e81adbd150
- SHA1
  
  733744d9a70cd274c03136ff77fdf4e2e92ef3b8
- SHA256
  
  eaf8a5f8274a994a5102074b58d341d6d5f8bead8ef8ff1eef1c1a233d621ac9
- SHA512
  
  a4cc8e5b0c15c0a6e1c6a665dbbf0b05ccefd89d5f78f31eba08bdc9e409248cc169a6a10adfe1bc3c282854ad37247a9d27f714db1dc953b6e63f7f2b8292ab
- SSDEEP
  
  768:5BBdFYDgao5/AUrLEEzayTpBJfxBDlxcFNXK8D1Foj/:5pcC/eAayJ3Rx0g
Score

7^/10

discovery persistence
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  virussign.com_eaaf615aa5e8154699b86613ef98de77.vir
- Size
  
  468KB
- MD5
  
  eaaf615aa5e8154699b86613ef98de77
- SHA1
  
  8c412f4f4db4c834f65f29251a60fb18f0d2ba5b
- SHA256
  
  a084496476b0917665554d72d164d59f7780c154c066b7c845eb9df5d27eae02
- SHA512
  
  41b4ca9171db952925ed053c1f072d7244f9148c04cdd91237aed1b39bb55a65adf367b30b321c3ec0be007b28e9ee2bf098ddd6fcda88aa1040b540562c16de
- SSDEEP
  
  3072:F8vXogtBIh5U4bYGPzQMcc8/G2m4R3pvhmHekVej6k+kOocVtSl1:F8/oZHU45PMMccwZDH6kjTcVt
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  virussign.com_eb1164afcd72b42faf1ed16fe69415f2.vir
- Size
  
  6KB
- MD5
  
  eb1164afcd72b42faf1ed16fe69415f2
- SHA1
  
  000b812418a9ee25e6ad3828927a5b01d06c305b
- SHA256
  
  d2cc0c11b63bfd8f99d298ad4673ef4f93f821a099b47565641921ba55f63234
- SHA512
  
  2aee9925468b529be72ddb88a57c985b4dab43183ded7e2595e1c75b87ea36f966f5b28ec58b85c655310bede5671675bbf03a908a13e45f64c6e8d8d131d24e
- SSDEEP
  
  96:ZcimbEILPlEcE2VYlnlYJnLEM/mTL0KfEeg1VtXmrWHK:mbEGVInlYJL/eTLT/
Score

1^/10
behavioral5 behavioral6
- Target
  
  virussign.com_eb1a20a14bfd42ddd3c295062ff4c91f.vir
- Size
  
  1.7MB
- MD5
  
  eb1a20a14bfd42ddd3c295062ff4c91f
- SHA1
  
  30c284cd629408332ab5f2b128e963076ade24ca
- SHA256
  
  23964bf30d3886719493bbb50efed384efdc7f39103fe37d87e41593447f6460
- SHA512
  
  e37604a6cb31a8d1a54b0318ed78f5e2b99efd02da4faeaa3d43915f4a6b6d0e4c61eca24d7e9fc83a7cf0c324ecdd1b5fe65c7ba082233f402ee87595d4d0ae
- SSDEEP
  
  49152:GezaTF8FcNkNdfE0pZ9ozttwIRxj4c5yOBZddgJV7N:GemTLkNdfE0pZym
Score

10^/10

xmrig miner
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Executes dropped EXE
- Loads dropped DLL
behavioral7 behavioral8
- Target
  
  virussign.com_eb4dc797b31871c193bd57e75feda4cd.vir
- Size
  
  960KB
- MD5
  
  eb4dc797b31871c193bd57e75feda4cd
- SHA1
  
  6bbf67fdd8afb7169029c380759ed466bc6a9c6e
- SHA256
  
  6df068e0c186d1dcfbe22e568f0ae287f89bbb7be04d9fbe38b47e2694c0bbe7
- SHA512
  
  80c5f4a047ad63c23ff5158f6966d066716c7ca826d5f9d55170b5a4508cbfb1bdcf153cb4c7e664408e5cbef85ca9ac6ba932f2a046060cce092a8316dff7dd
- SSDEEP
  
  12288:OCh9wJlnu3M5taezc6+RmstjlDa/ZSt4mv+ni5:FPwJlnu8ba2c6+RmsDa/ZSt4mv+ni5
Score

7^/10

discovery
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral10 behavioral9
- Target
  
  virussign.com_ec6cca2542808661cbc8b554736f52e8.vir
- Size
  
  83KB
- MD5
  
  ec6cca2542808661cbc8b554736f52e8
- SHA1
  
  fa89ae97a49897d65d9ed30c49402c13d676eb90
- SHA256
  
  8decbee0ba4137052b4955039e53dc74cc72c13349bef5dad17131e15f03d4b3
- SHA512
  
  4ed2f84fb490c8869451d1f6fa7ff02a034076df5b26d5bd5df79b9183be2a6900750857faa390cf88260679ac6d586ba74ed087304dfa58ef3863c076a11cc6
- SSDEEP
  
  1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+JK6:LJ0TAz6Mte4A+aaZx8EnCGVuJd
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral11 behavioral12
- Target
  
  virussign.com_ecb767dd467a854cb9068795c708edb9.vir
- Size
  
  83KB
- MD5
  
  ecb767dd467a854cb9068795c708edb9
- SHA1
  
  257d762e492915b63885124593594cfefb53926a
- SHA256
  
  5399c72af3c4fc72880427859a76f93f75057d839138c7d9ac85ba23875e7d37
- SHA512
  
  4738f5228ddc6dae12b8a1015d7db581a89f8537e0f74bcb485211fc8d85c3cf0013f9dac1a0cb834dc5bd40273190b619f0a85b62d22079f645ce6b2dc2b446
- SSDEEP
  
  1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+fKe:LJ0TAz6Mte4A+aaZx8EnCGVuf3
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral13 behavioral14
- Target
  
  virussign.com_ecc04a1ce003b4a5edb12825179f3a61.vir
- Size
  
  83KB
- MD5
  
  ecc04a1ce003b4a5edb12825179f3a61
- SHA1
  
  23f2a98442ae9052c27df0b15a61c2fd2b02d402
- SHA256
  
  32b649b2719a9bef61cfa95b7306ad8a4de55df04bb2100b052e51b6720c867a
- SHA512
  
  73bf47d32b61a6b41fbe82a6cbeecece9a65f25fe1b5d9d9bbdee8adc3d9541e7a3587075474f0d7064f48ae63669a62d599f1cd4ab045300d29fd3f1cfe2370
- SSDEEP
  
  1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+0K+:LJ0TAz6Mte4A+aaZx8EnCGVu0n
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral15 behavioral16
- Target
  
  virussign.com_ed168bd396c4fdc03053f5b02fcf6994.vir
- Size
  
  83KB
- MD5
  
  ed168bd396c4fdc03053f5b02fcf6994
- SHA1
  
  fa83602f13cc058945dc0ffe796510bd73432ef6
- SHA256
  
  7c1118da7a1ad2ca1409b0b99a7fafacf27dd4174dc74601cd23273b056f5d95
- SHA512
  
  0fc3956fd25723db4d3f4b87a202393aa15a8ad27e03ce0ea96a7ed9c8a21ba1e5150411ae18dc1ee80aa249de3b35bb0c5acd58f5a24b5856fa8e82f677ec98
- SSDEEP
  
  1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+EK+:LJ0TAz6Mte4A+aaZx8EnCGVuEH
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral17 behavioral18
- Target
  
  virussign.com_edbc11f0b4f0a9f3964923415573569f.vir
- Size
  
  67KB
- MD5
  
  edbc11f0b4f0a9f3964923415573569f
- SHA1
  
  b55197b342c4b1ad0a66c85d80070c4a02e19b76
- SHA256
  
  4459fcff5e5829889f5a646b2e7e091ef876fed4cae77ca1b010c790657177ae
- SHA512
  
  4eeb217f92821bf354e3f343e626f81c0fdcdc55039dea1f9dd6619683bc38f0b8a84247e442704dbcc39fdf380117f5cd950fc52e7771b4f2cfdb9a141d03b9
- SSDEEP
  
  1536:T5rHFSi7vy7pt2yGWn9pwIdsJifTduD4oTxw:F8i7vyGJWpwEsJibdMTxw
Score

10^/10

berbew backdoor discovery persistence
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Berbew family
  berbew
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral19 behavioral20
- Target
  
  virussign.com_eec6bc403630659c6ed893e51572f6b3.vir
- Size
  
  1.7MB
- MD5
  
  eec6bc403630659c6ed893e51572f6b3
- SHA1
  
  6c539984650992a60edc16c41973b20a48e0ef67
- SHA256
  
  5f9ef289e977ca0f11ad6d192c09ebb8038bd8c0aba50da083d761926fbf58cb
- SHA512
  
  3a5a975e0d534d83bed30262eb203188f166851fdc4d49822c40f5d630d4e4a66167bea3bf64e6fdaa5c06501682d82f1c118a49b5d3b96ca93224619069ea18
- SSDEEP
  
  49152:GezaTF8FcNkNdfE0pZ9ozttwIRxecd2K7Y7:GemTLkNdfE0pZyU
Score

10^/10

xmrig miner
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Executes dropped EXE
- Loads dropped DLL
behavioral21 behavioral22
- Target
  
  virussign.com_eef74eda1855b3cf10300926cc0e0693.vir
- Size
  
  73KB
- MD5
  
  eef74eda1855b3cf10300926cc0e0693
- SHA1
  
  37dd25ea3a30c50e706ab4e9a3596d53f608cc6b
- SHA256
  
  dec299a87f673f6048d7e12ae6002802df7e45f3f746654edb64b03a2537549b
- SHA512
  
  38f0b5c597e323e9259ee80c4714c99ecd81f5d107205de65f08a74ab105f0b48f22070777fec7b3cfc35a799f70f105beff7414964e28a60fb898e5b98fc0ed
- SSDEEP
  
  1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOdIRIRZl:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWX
Score

7^/10

discovery persistence
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral23 behavioral24
- Target
  
  virussign.com_f0b6e9f132c0d0549c401fe8943b708a.vir
- Size
  
  109KB
- MD5
  
  f0b6e9f132c0d0549c401fe8943b708a
- SHA1
  
  c15252292edd570535213a74dcddbe82e5bf080e
- SHA256
  
  4c2e9a063fddab6d7991504f0481c5e22f088ac033803d26b787fc05f60efc75
- SHA512
  
  13abf2258ec5516b587605ddffd1f391741e01fa11ade799ca9029c33ea715f33cbdd4c5e23e9f479c06e6edf8fda56d6616ff572abcb1a7b2afe90c1ac51083
- SSDEEP
  
  1536:DXho/2EFeJp+LcOU0bLMVjuSI2hKeCQSPfBEUiy8/LE3NIJ7HhoRBCTm+6m2vkC5:lO2EFKoLRLkjuJUSPfmUXP3NIJ7mWi5
Score

1^/10
behavioral25 behavioral26
- Target
  
  virussign.com_f0d49bace28a764cdbca55aafbd5da32.vir
- Size
  
  468KB
- MD5
  
  f0d49bace28a764cdbca55aafbd5da32
- SHA1
  
  f35d566c9e67c67e1b93e1de0b4b5a500b65d4c2
- SHA256
  
  27e6ddbc37659abdf7b1d282b35d848ca54131fe3d6262be017bb7c2364ea830
- SHA512
  
  c57d46243bc8d1fda398aa407f4823e9a2d7e74e19532eb08b24b6f523022abd9b99f31c17710312fa767f440487a978387462adc264e73f05323df18c38a146
- SSDEEP
  
  3072:tbelogxaIY573bY7PzTfmbfD/nwinsIHzzmyeQVZOL4ekaibuxGlK:tb4oCY73QPvfmbfaamDL4vxbux
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral27 behavioral28
- Target
  
  virussign.com_f201c60260bf5daf402404b095776202.vir
- Size
  
  83KB
- MD5
  
  f201c60260bf5daf402404b095776202
- SHA1
  
  1e2acb174ffb0e946e3d0cedd0a9735c12e4c7a3
- SHA256
  
  563c59f9649a67801b142a45bd90c9b13ce0bcacfed8be8cf5c9bf0f6121348d
- SHA512
  
  ed6de65b7a49bbf0fbb02079a6f909169d7f4cb7d834246f8285852037e9ef494ad4caaca6de1b05bec218d24709bb1b6772183a53628b15475142da31cc9e64
- SSDEEP
  
  1536:LJaPJpAz869DUxWB+i4OQ4NR2Kk+aSnfZaG8fcaOCzGquSE0cF+iKO:LJ0TAz6Mte4A+aaZx8EnCGVuiP
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral29 behavioral30
- Target
  
  virussign.com_f34196caf20b1d0c9aca4ecca9fca907.vir
- Size
  
  68KB
- MD5
  
  f34196caf20b1d0c9aca4ecca9fca907
- SHA1
  
  5645aa9b9834a607691bbfd502d281354b0aa4fa
- SHA256
  
  77756f3f697f423182c62028f5c5f89b33adaa2623e80c55ddf95608e370cdeb
- SHA512
  
  27fd1bf2ec54efc925103590fbf651791790512d09b77372ef84df3706ba6ad8e9e65303ba45edcc91dcedae158392efd4e379c693b1a89f40cc2f7b77763a66
- SSDEEP
  
  1536:78QIlQGWw5jlDqc+5G2tJru1QSrgM+6qF/kvyWaCovtloox:gQwow5jlDqc+70aHtlrx
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Executes dropped EXE

Loads dropped DLL

Xmrig family

xmrig

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

UPX packed file

UPX packed file

UPX packed file

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Xmrig family

xmrig

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

Deletes itself

Executes dropped EXE

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32