Analysis
-
max time kernel
104s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
10/04/2025, 13:37
General
-
Target
2025-04-10_af240e88fd324e4f64186a78d1a711ea_amadey_elex_rhadamanthys_smoke-loader.exe
-
Size
400KB
-
MD5
af240e88fd324e4f64186a78d1a711ea
-
SHA1
9b78c227b9c76450a834e4900f907c8ac65179c2
-
SHA256
96e9fea2cc59ec4be3988255c009e11d0fdd787cfcfad08164d5f4567dff0662
-
SHA512
7f0ce5a42d8759764e6cea7f6f851abd5c7de882db32f4f8902d2f95321dddda50d79f0ba9d604ca7e7c58a80ffafebc6cee19b49a0adf8b685a08d0dfc3ef6e
-
SSDEEP
12288:cT5/p4HMJ2o8wE39uW8wESByvNv54B9f01Zm:cxb2o8wDW8wQvr4B9f01Zm
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE 15 IoCs
-
Drops file in System32 directory 45 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 48 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-10_af240e88fd324e4f64186a78d1a711ea_amadey_elex_rhadamanthys_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-10_af240e88fd324e4f64186a78d1a711ea_amadey_elex_rhadamanthys_smoke-loader.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 22017⤵
- Program crash
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4872 -ip 48721⤵
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
400KB
MD52d5e68171db0d92b1360eb1c2dded706
SHA1a4b2c93efd8b112fe7a2a67cb25654d57d5fda25
SHA256142c4811fd33e400cfbe6267f8d802ab7184d3163f074cd3ef3163c92ab3d15f
SHA512c74b8e86f475eead3f0e448c6e389a4f4700ba8bced33e79c633ea42eff296171b67ba70c9109c4b6fbc36ff6b61dd652e524e44fd24dbb47abe6eb9de2b6ee6
-
Filesize
400KB
MD53218a13e4d00d8a5946fb410124f3567
SHA1a208dfa22ac57c9d3a49f05b9e681f7faf979ed5
SHA2561d5f6e89448943450acb8a377e68ecc94c1903b37013d49b2bb9641c155e7471
SHA512d21c050115b43b2d7372d00b5c93ee8e676144c82bf37d31f6bbbe65d08848ded314379ab582ac9dcea03719faf35cd69cee08d426a6a2431262922d0bd97dcb
-
Filesize
400KB
MD5202e813d16eb5f3af1da9b4acf72af07
SHA14e63ad180e1299dd8e6de502895ac199db5c03c1
SHA256c65f7ae1feba0ce144055f23615de1e523850bfbe0e7a5a4fbab4ed1a89935f8
SHA51280cad7c84389bd2572772c989fae8528c41cec906b9cb9d722765a0bfec2180de5e306da0224ad0bad85864d48698a1d8460e7657b25c80ea27895e439ec34ca
-
Filesize
400KB
MD50a007a5edb0963d55803cd8aa9aa4c59
SHA112af40fa720d05541f3fa21be252961d28b6d9e5
SHA256de95ec83eaab4857823c18003cc0827d34a19744834e0f77250b11af7c7457a6
SHA5122105088bdeb90093f59fe2fa2bd75b2001db85a3f6a35f652da9bd0eddf534f5bc457b3b6ac3e7a07f9df2f4f8f5d9ad2190581715330a7fec5e175db259c660
-
Filesize
400KB
MD525cc5d9480c189aedf1c5bbe861bf7af
SHA13aa7df8b1ccfb2274f4bdba8c5661c3f161562c9
SHA256f646f6af87f28d18045e4b074d01f309c625433df42730d784295da2bfeadb0a
SHA51298e2bb6d16471409d10d5961a41f1e9f447e8f7829cda71727748e21a7793bc5939b78e64a9650768d930c98e382155c756c25c4d05cda90ad14f1514ac7dce5
-
Filesize
7KB
MD5a6862358fd22fd77ff564c4485989564
SHA1a620ade9018aa3ecefa34f8666553c865b939973
SHA25657a9dd37b590749887f4620c7a80d623eb890ad5004f1aabacd23c38952c0fdb
SHA5125cffa0371cfe0c74b91f17ca490f0ca0f0315c3f2bdaefc42973bea4818c7e33c303475a5ae3defdfd71f16923767dc0c091256130831278e09731cc62992c68
-
Filesize
400KB
MD53f6b0980a0cf46bbc1e13ffbd498678d
SHA19bb656250d75fd8827b9f50380c3f7cd6966210a
SHA2565f856f2eb6d50dd01f08e47dbeba2980923758a349cb4c089099ecabadf3839c
SHA51220e5fef1fb86f7041737003c0acb3d03736751b367e4f6bfa154c92305735943a321d74a94672f8a6b63431183433edbf2d13e4c9b2039ca6d7c65b5b62d7b35
-
Filesize
400KB
MD51b5b529dc05b4b28c8b93d9ad568a2b8
SHA1cdf4b7d8252cf0f820053871f72deada3bc92838
SHA2564bcdeb76ff5713b13adf5ab7e5f1867775eda4f4fc658c9c66ca9a63c6314e96
SHA51296372dc3195363372451da16cacc85cec702f03be318dbcd907981116629496037b85d04a6290587d204dca41b6d59e618e12a32cda97116f37e198811aa0bdb
-
Filesize
400KB
MD57fb6f6ebfc75c6ed4ede4b63648dcdb6
SHA1844b57c6532a1f5ca90e0e8bc6608daaefb0eb4f
SHA256f82eec59d36f04ff9e9001766182038aaed538136b73bdec17965487b4015b44
SHA512c8546cea9b2d90029ed133b492b7f20f45bc7e2181137dc21137f30f313390d48b61ee1b53c4095c52fd63672fb292f45fa02d8bbfa30c32b5de68f70e7c69fc
-
Filesize
400KB
MD50e70e0fbb560642efd6d9eadc41dc2c0
SHA14a369f1b5fdc1d4f1fc18bbda3bb748fb83d7fff
SHA256e045346558085c8cfff21bd3cc4256da2b14ca939064e6fd4b4063430e54e44b
SHA51235b5ca37c59fdb4e29f58a7953492e06c57e78de66ca5167dee351b09add5a064576b816765b8a9ee026ca28c7aba92f39bbc345cb6aecc4d278d3401910bd97
-
Filesize
400KB
MD57df637618621d1d940b6a50543fcf5b4
SHA19a8edf3032bed76db624efa345ccffd5da2a9351
SHA2564abfb647b2b7875b4ff2b8f824b0975c716b8dd419e41ee7dce50c5e669ec475
SHA512a7fdb740515b882ca81ed65acee42907f78db6e1c5cb4019b103897fff74750aef75e723a9f107f10d395ff7a5cf2c05e7bb1644eb670780bc0b85c328697e17
-
Filesize
400KB
MD565525ce424f1c05eeff64c8d016c901c
SHA18d9855ece16eb84966063ed53b7a7d6d2c1152e4
SHA2560f29ae780619fe85e65c2b0291eb3faa2b33d306f3f4323f46729d4a7a967457
SHA512091bfbec2bb7f6072ecceaf861b59c227b5851531332e63f096d7d98629e03f08676475aac754bb4d534f7d107801e5cf268cc2bb5e4ce9c75d8c4b1f6e3e758
-
Filesize
400KB
MD5beafe7cd0e784aeb031074785fa8ffd4
SHA1f31fed1a559bc435a080a72a591814b3c74f6d9b
SHA256076dea8dd7dce8d41585ff191ae3225b404e68f345f816b94700d959b68416b6
SHA512eb47cf0809cb4b40a4656400b5913c25ba732beca45f075dcf4c15da65f5671378a93add86fc1d23c5f035e45182f7e53228b98211bb998ecfeabf8abd289d16
-
Filesize
400KB
MD5f16e2151de6385c47e2727a950238ab4
SHA17a23ec8be8bb6f13418585792b8cb08066e1478f
SHA25637904c9b1da0faa65cce98e1844281a7f1c924f1d6a979b18b0142252621143d
SHA5125d3fe46ce2ce239b73bcbef7be98dce63d128ce3e9032a4aa8e90282ade2dabac7d3d5e38e0659d028d193a37e1a98aaa11b15b0a18ede0901d707063141ecd6
-
Filesize
400KB
MD5e1b7008c49ece55a5687c63954bcae6d
SHA1c5a9c9eff37c30f55475950959fcb22aad028e07
SHA256f615c88934e353739c58184409498e331d73d444e8352cc5e86b25e9d5f405d6
SHA512c3eb179d632d093f8c7b8e873f1b213ad22c5d603766c24fa5faf91461f7bb12fd9387dd9e3ee6f6939d4c4b49a84a1977665f7764af42d26ec7a4faaeba10f4
-
Filesize
400KB
MD5a925f5af58a056ae4948974a004d79b6
SHA1cc8de321af9b8151dc751ece1cbc6bb2be61c2c2
SHA25682aaafb5cca96fb6134dbd83da5bd7ecf879fc521845029ac244e3983c4cf031
SHA512964a9a24f2329f83b2c0d5c43b39e3e75841edefc327afe7b5fbc5eaa81f8ebb156d8c293483db7e9017c1398c624311f0593e7e443d015d78b237140d986e42
-
Filesize
400KB
MD5fc1fe73ff136972390303aab9b6e4bbf
SHA11e6aa99b48f532bbcbdf9040c4e76989c44b9c21
SHA2567dbcdcb5e27856e8dd9251694359f4129067b15e3b7021cf794ad40f4ed3319e
SHA512d088532d8d48696fe127409f4dfc566abb1532f11b1f69a816542e45595db00454c101cd084c1ee71b068eee95e9c52bf9e19371962d0c15c69d5c81c56163d3
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB