berbew | 8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa

General

Target

8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Size

360KB
MD5

0df70b4f52a1d912d4c9c756f7433aeb
SHA1

9e83fc83dc34f10c2d4c0127ad5effe7e5e1bde6
SHA256

8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa
SHA512

684d63d321d3e641541c87c98e36da49b99084664bbf43ba54474eb54b950578821df9ec78f53e7334120b9fe93882af775edc55b1f7187a0d5268288edd51be
SSDEEP

6144:jGvBthnrCpX2/mnbzvdLaD6OkPgl6bmIjlQFxU:jUrCpXImbzQD6OkPgl6bmIjKxU

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fllaopcg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 2 IoCs

pid	Process
2452	Fllaopcg.exe
2700	Flnndp32.exe

Loads dropped DLL 8 IoCs

pid	Process
1732	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
1732	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
2452	Fllaopcg.exe
2452	Fllaopcg.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fllaopcg.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fllaopcg.exe
File created	C:\Windows\SysWOW64\Fllaopcg.exe	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
File opened for modification	C:\Windows\SysWOW64\Fllaopcg.exe	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
File created	C:\Windows\SysWOW64\Fpkljm32.dll	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fllaopcg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2792	2700	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllaopcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll"	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fllaopcg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2452	1732	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe	30
PID 1732 wrote to memory of 2452	1732	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe	30
PID 1732 wrote to memory of 2452	1732	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe	30
PID 1732 wrote to memory of 2452	1732	8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe	30
PID 2452 wrote to memory of 2700	2452	Fllaopcg.exe	31
PID 2452 wrote to memory of 2700	2452	Fllaopcg.exe	31
PID 2452 wrote to memory of 2700	2452	Fllaopcg.exe	31
PID 2452 wrote to memory of 2700	2452	Fllaopcg.exe	31
PID 2700 wrote to memory of 2792	2700	Flnndp32.exe	32
PID 2700 wrote to memory of 2792	2700	Flnndp32.exe	32
PID 2700 wrote to memory of 2792	2700	Flnndp32.exe	32
PID 2700 wrote to memory of 2792	2700	Flnndp32.exe	32

C:\Users\Admin\AppData\Local\Temp\8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe
"C:\Users\Admin\AppData\Local\Temp\8b0f8de1e3c92ce93d41ba6418287352eccb6234966615ad33ac28a947ba5aaa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Fllaopcg.exe
  C:\Windows\system32\Fllaopcg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\Flnndp32.exe
    C:\Windows\system32\Flnndp32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Fllaopcg.exe

Filesize
360KB

MD5
f03ba29bfc58ea98d6faf90d8fe38ef2

SHA1
132484cceb03692f49ea597f4e59e89e7083bb52

SHA256
57474f4dc8f4c984a2892a9bbe804a0b787f2a84ffd7c688cbd32f5abf7cbad7

SHA512
cf113659098a7287fd6fa97b79ec09234b2a0df6e5bd85539f9e98da54e30c8ee5cfcf3f4f1019a4deba6fe6ec5801639013b6921046870b4c8de1877ad3a816

Download Submit
\Windows\SysWOW64\Flnndp32.exe

Filesize
360KB

MD5
8906654c967fc217af9c9d6687e5a92b

SHA1
994c4e9d70196c741a8f0f7cd74ae7621da22cae

SHA256
00171be172532b21f0f2c893d392d1c99088a6efdedf35f220c42c76099feca6

SHA512
3c9a953efe95a45be6d950f670e2845cdfa532e3dc7774501ddc42845a6490d44d731df8c496c099ad2d4d092f57c3945840843c9b83e46fc43cd72e2ce4d208

Download Submit
memory/1732-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-13-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1732-12-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1732-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-27-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2452-26-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2452-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads