General
-
Target
f1321b40fdc58c922e60d68a367c8e93942e92eab38ea56603a8d7e93ba1b4ab
-
Size
96KB
-
Sample
250213-ngjzysxpfy
-
MD5
d3677e34a060f7fad0d585cc41fab4d9
-
SHA1
a1d8034f5299f4158d39d4e2c38a45bed40a5472
-
SHA256
f1321b40fdc58c922e60d68a367c8e93942e92eab38ea56603a8d7e93ba1b4ab
-
SHA512
5ea335d4f540e74fba9f1ddacdd64cca461aad1ffc0afb07c6eec37dddb9abef5dbd9ba657ccab263881a43033ce0b79e5ad9f4aeff7428d3d7424afbb436124
-
SSDEEP
1536:wR/f1he5pvbjy58OY+WXN75PU4QI85M2LwH7RZObZUUWaegPYAW:wR/f1hGvbhOY+875PU4f85FiClUUWaeF
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
Targets
-
-
Target
f1321b40fdc58c922e60d68a367c8e93942e92eab38ea56603a8d7e93ba1b4ab
-
Size
96KB
-
MD5
d3677e34a060f7fad0d585cc41fab4d9
-
SHA1
a1d8034f5299f4158d39d4e2c38a45bed40a5472
-
SHA256
f1321b40fdc58c922e60d68a367c8e93942e92eab38ea56603a8d7e93ba1b4ab
-
SHA512
5ea335d4f540e74fba9f1ddacdd64cca461aad1ffc0afb07c6eec37dddb9abef5dbd9ba657ccab263881a43033ce0b79e5ad9f4aeff7428d3d7424afbb436124
-
SSDEEP
1536:wR/f1he5pvbjy58OY+WXN75PU4QI85M2LwH7RZObZUUWaegPYAW:wR/f1hGvbhOY+875PU4f85FiClUUWaeF
Score10/10-
Adds autorun key to be loaded by Explorer.exe on startup
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1