MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Berbew


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231
SHA3-384 hash: e1d5833132c15c7c756befbc2ecfebdf4c70b51e67c34d77a8cd9849c07e8ce552f2992a2eec96204adc12a6a4386d46
SHA1 hash: 34e58f204e82caeba550253a4f3948a5ea556449
MD5 hash: aa26e4a0ae74ad691c896aab8f6b6d20
humanhash: nine-jersey-finch-friend
File name:exe001.exe
Download: download sample
Signature Berbew
Create hunting rule
File size:81'920 bytes
First seen:2024-11-19 11:02:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 62ec3dce1eba1b68f6a4511bb09f8c2c (12 x Berbew)
ssdeep 1536:N1axMpEQWi53baie+aHgXrKbNdxgI5XL2LiCYrum8SPG2:DaxMpr53bai1aAXrOrxg6oiVT8SL
TLSH T10183F8F7F8329F6FC70C9239C1BA9671E2A28067349AC53763385DE4A41F14264F5D8A
TrID 25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
19.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.1% (.EXE) Win32 Executable (generic) (4504/4/1)
7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.8% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Joker
Tags:Berbew exe hacktool malware

Intelligence

File Origin
# of uploads :
1
# of downloads :
402
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
exe001.exe
Verdict:
Malicious activity
Analysis date:
2024-11-19 11:05:05 UTC
Tags:
berbew
Link:
https://app.any.run/tasks/d47ef4ac-42e0-430b-9054-6e3508020e4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Crypted-28
Create hunting rule

Win.Trojan.Obfus-38
Create hunting rule

Win.Malware.Qukart-6838239-0
Create hunting rule

SecuriteInfo.com.BackDoor.HangUp.43874.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673c72155107a56eacc7f03d
Tags:
shellcode backdoor berbew packed
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerber crypted overlay packed
Link:
https://www.filescan.io/uploads/673c706de5748936cfcb1807/reports/9a60d008-b294-4bbd-a2cc-af26a7176892/overview
Verdict:
Malicious
Labled as:
Trojan.ShellObject.Generic
Link:
https://www.hybrid-analysis.com/sample/0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d5aed6f-c7b9-446a-a336-94f167fdb000
Result
Threat name:
Berbew
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1558338
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected Berbew
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1558338 Sample: exe001.exe Startdate: 19/11/2024 Architecture: WINDOWS Score: 100 96 Antivirus detection for URL or domain 2->96 98 Antivirus detection for dropped file 2->98 100 Antivirus / Scanner detection for submitted sample 2->100 102 7 other signatures 2->102 14 exe001.exe 3 3 2->14         started        process3 file4 82 C:\Windows\SysWOW64\Hljahf32.dll, PE32 14->82 dropped 84 C:\Windows\SysWOW64\Bbcofp32.exe, PE32 14->84 dropped 86 C:\Windows\...\Bbcofp32.exe:Zone.Identifier, ASCII 14->86 dropped 148 Creates an undocumented autostart registry key 14->148 150 Drops executables to the windows directory (C:\Windows) and starts them 14->150 18 Bbcofp32.exe 2 14->18         started        signatures5 process6 file7 54 C:\Windows\SysWOW64\Mhpkbd32.dll, PE32 18->54 dropped 56 C:\Windows\SysWOW64\Bklcoepb.exe, PE32 18->56 dropped 104 Antivirus detection for dropped file 18->104 106 Machine Learning detection for dropped file 18->106 108 Drops executables to the windows directory (C:\Windows) and starts them 18->108 22 Bklcoepb.exe 2 18->22         started        signatures8 process9 file10 66 C:\Windows\SysWOW64\Dmaagehp.dll, PE32 22->66 dropped 68 C:\Windows\SysWOW64\Bgbddf32.exe, PE32 22->68 dropped 122 Antivirus detection for dropped file 22->122 124 Multi AV Scanner detection for dropped file 22->124 126 Machine Learning detection for dropped file 22->126 128 Drops executables to the windows directory (C:\Windows) and starts them 22->128 26 Bgbddf32.exe 2 22->26         started        signatures11 process12 file13 74 C:\Windows\SysWOW64\Cfmgdmmm.dll, PE32 26->74 dropped 76 C:\Windows\SysWOW64\Bbjegocj.exe, PE32 26->76 dropped 136 Antivirus detection for dropped file 26->136 138 Machine Learning detection for dropped file 26->138 140 Drops executables to the windows directory (C:\Windows) and starts them 26->140 30 Bbjegocj.exe 2 26->30         started        signatures14 process15 file16 88 C:\Windows\SysWOW64\Deloioic.dll, PE32 30->88 dropped 90 C:\Windows\SysWOW64\Bkcipd32.exe, PE32 30->90 dropped 152 Antivirus detection for dropped file 30->152 154 Machine Learning detection for dropped file 30->154 156 Drops executables to the windows directory (C:\Windows) and starts them 30->156 34 Bkcipd32.exe 2 30->34         started        signatures17 process18 file19 58 C:\Windows\SysWOW6458nkioc32.dll, PE32 34->58 dropped 60 C:\Windows\SysWOW64\Cgjjde32.exe, PE32 34->60 dropped 110 Antivirus detection for dropped file 34->110 112 Machine Learning detection for dropped file 34->112 114 Drops executables to the windows directory (C:\Windows) and starts them 34->114 38 Cgjjde32.exe 2 34->38         started        signatures20 process21 file22 70 C:\Windows\SysWOW64\Dclkonoa.dll, PE32 38->70 dropped 72 C:\Windows\SysWOW64\Cfkjbmhm.exe, PE32 38->72 dropped 130 Antivirus detection for dropped file 38->130 132 Machine Learning detection for dropped file 38->132 134 Drops executables to the windows directory (C:\Windows) and starts them 38->134 42 Cfkjbmhm.exe 2 38->42         started        signatures23 process24 file25 78 C:\Windows\SysWOW64\Iicajnep.dll, PE32 42->78 dropped 80 C:\Windows\SysWOW64\Cpcokb32.exe, PE32 42->80 dropped 142 Antivirus detection for dropped file 42->142 144 Machine Learning detection for dropped file 42->144 146 Drops executables to the windows directory (C:\Windows) and starts them 42->146 46 Cpcokb32.exe 2 42->46         started        signatures26 process27 file28 92 C:\Windows\SysWOW64\Ihihkj32.dll, PE32 46->92 dropped 94 C:\Windows\SysWOW64\Cpelqblk.exe, PE32 46->94 dropped 158 Antivirus detection for dropped file 46->158 160 Machine Learning detection for dropped file 46->160 162 Drops executables to the windows directory (C:\Windows) and starts them 46->162 50 Cpelqblk.exe 2 46->50         started        signatures29 process30 file31 62 C:\Windows\SysWOW64\Hgaeljkb.dll, PE32 50->62 dropped 64 C:\Windows\SysWOW64\Cinpjh32.exe, PE32 50->64 dropped 116 Antivirus detection for dropped file 50->116 118 Machine Learning detection for dropped file 50->118 120 Drops executables to the windows directory (C:\Windows) and starts them 50->120 signatures32
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231/
Threat name:
Win32.Infostealer.Berbew
Create hunting rule
Status:
Malicious
First seen:
2024-11-15 02:51:24 UTC
File Type:
PE (Exe)
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bps2nubyv4kyctgw5yo43mokwzc7g22tgvwymfipoxdxrmbweiyq._file
Verdict:
malicious
Label(s):
berbew
Create hunting rule
Similar samples:
error
Berbew
Result
Malware family:
berbew
Create hunting rule
Score:
  10/10
Tags:
family:berbew backdoor discovery persistence
Link:
https://tria.ge/reports/241119-m5nsdavdlb/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Berbew family
Malware Config
C2 Extraction:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Verdict:
Malicious
Tags:
Win.Trojan.Crypted-28
YARA:
n/a
Link:
https://app.threat.zone/submission/6e038402-d701-45bb-b1b1-18f7fb2a6706
Unpacked files
SH256 hash:
2dc779282ff506ea6c7633014c8bc6ba213158458e6d2bfaaef483f764dc47df
MD5 hash:
d3acb4a48b5ffe79a486046c5d4c4d6a
SHA1 hash:
fb86848dd3ebdc3594b54984d83008782a4d4840
Link:
https://www.unpac.me/results/cf860ff8-d426-46d2-a8f2-3222d17381a9/
SH256 hash:
f67c7ba2182082588725cd44ae7090885c56a151d288ac5f707286fc2ca083b0
MD5 hash:
980f4968e11e5c46fb0bda89a41572e8
SHA1 hash:
5c15403fb1b9823c3b4c9dccf9f66a5c5e311f0a
Detections:
berbew
Create hunting rule
SUSP_Imphash_Mar23_2
Create hunting rule
Link:
https://www.unpac.me/results/cf860ff8-d426-46d2-a8f2-3222d17381a9/
SH256 hash:
0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231
MD5 hash:
aa26e4a0ae74ad691c896aab8f6b6d20
SHA1 hash:
34e58f204e82caeba550253a4f3948a5ea556449
Link:
https://www.unpac.me/results/cf860ff8-d426-46d2-a8f2-3222d17381a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Berbew

Executable exe 0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231

(this sample)

  
Link
https://www.virustotal.com/gui/file/0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231/detection
  
URLhaus
https://urlhaus.abuse.ch/url/3296043/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.DLL::GetSecurityInfo
ADVAPI32.DLL::SetEntriesInAclA
ADVAPI32.DLL::SetSecurityInfo
COM_BASE_APICan Download & Execute componentsole32.DLL::CoCreateInstance
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::CreateProcessA
KERNEL32.DLL::CloseHandle
KERNEL32.DLL::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::TerminateProcess
KERNEL32.DLL::LoadLibraryA
KERNEL32.DLL::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.DLL::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CopyFileA
KERNEL32.DLL::CreateFileA
KERNEL32.DLL::DeleteFileA
KERNEL32.DLL::GetWindowsDirectoryA
KERNEL32.DLL::GetSystemDirectoryA
KERNEL32.DLL::GetTempPathA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.DLL::GetComputerNameA
ADVAPI32.DLL::GetUserNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegCreateKeyExA
ADVAPI32.DLL::RegOpenKeyExA
ADVAPI32.DLL::RegQueryValueExA
ADVAPI32.DLL::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.DLL::FindWindowA
USER32.DLL::CreateWindowExA

Comments