MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22fef62c81c2cefa216890ea28c8c8cf5beca54310bf1a577730388a40ea5995. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Berbew
Vendor detections: 14

SHA256 hash: 22fef62c81c2cefa216890ea28c8c8cf5beca54310bf1a577730388a40ea5995
SHA3-384 hash: be3eb60eabf091f80a626d57b5f50ed9c3cf79c7356780fb7eda313f4a1499e322a31e75603955876573df65257b7584
SHA1 hash: 2236346911081ef312e57cef0d851faf04127fe3
MD5 hash: ff40b95cd56932d01b3851918d0de01f
humanhash: kilo-steak-princess-moon
File name: 22fef62c81c2cefa216890ea28c8c8cf5beca54310bf1a577730388a40ea5995
Signature: Berbew
File size: 286'720 bytes
First seen: 2026-06-04 13:42:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c2a87fabf96470db507b2e6b43bd92eb (6 x Berbew)
ssdeep: 3072:5iJba6TNYA0Ggvji7a4hZK7xVG9Btj676ZBI:5KVgGaqZo4tjS6Y
TLSH: T15954B9F74CA25F1FDA2EA379C46BCAE1626AC06F4966C14221343CE5796F08278F5D4C
TrID: 20.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      19.8% (.EXE) Win64 Executable (generic) (6522/11/2)
      15.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: EnthecSolutions
Tags: Berbew enthec exe PE
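The following is an added example, not code from MalwareBazaar or from the sample's reporter. It checks a downloaded copy of the sample against the four digests listed above (a truncated or re-archived download fails this check rather than silently analysing the wrong bytes), and then pivots on the imphash, which this entry reports as shared across 6 Berbew samples, through the MalwareBazaar query API. The API endpoint and the get_imphash query type come from abuse.ch's published API; the Auth-Key header requirement, the MB_AUTH_KEY environment variable name and the local file path are assumptions.

```python
"""Verify a local copy of the sample against the listed digests and pivot on
its imphash via the MalwareBazaar API.  Added example, not MalwareBazaar's own
code; network-facing parts are not exercised offline."""
import hashlib
import json
import os
import urllib.parse
import urllib.request

# Digests copied from the database entry above.
LISTED = {
    "md5": "ff40b95cd56932d01b3851918d0de01f",
    "sha1": "2236346911081ef312e57cef0d851faf04127fe3",
    "sha256": "22fef62c81c2cefa216890ea28c8c8cf5beca54310bf1a577730388a40ea5995",
    "sha3_384": "be3eb60eabf091f80a626d57b5f50ed9c3cf79c7356780fb7eda313f4a1499e3"
                "22a31e75603955876573df65257b7584",
}
LISTED_IMPHASH = "c2a87fabf96470db507b2e6b43bd92eb"
MB_API = "https://mb-api.abuse.ch/api/v1/"  # abuse.ch MalwareBazaar query endpoint


def digest_bytes(data: bytes) -> dict:
    """Compute the same four digests MalwareBazaar displays, keyed like LISTED."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: dict = LISTED) -> list:
    """Return the names of digests that do NOT match `expected`.

    An empty list means `data` is byte-for-byte the listed sample; any entry
    means the download was truncated, re-encoded or is a different file."""
    actual = digest_bytes(data)
    return [name for name, value in expected.items() if actual[name] != value.lower()]


def imphash_siblings(api_json: dict) -> list:
    """Reduce a get_imphash API response to (sha256, signature, first_seen).

    Any query_status other than 'ok' (for example a not-found status) yields
    an empty list instead of raising, so callers can loop over many hashes."""
    if api_json.get("query_status") != "ok":
        return []
    return [(s["sha256_hash"], s.get("signature"), s.get("first_seen"))
            for s in api_json.get("data", [])]


def query_imphash(imphash: str, auth_key: str, limit: int = 50) -> dict:
    """POST a get_imphash query.  Auth-Key header: assumed to be required."""
    body = urllib.parse.urlencode(
        {"query": "get_imphash", "imphash": imphash, "limit": limit}).encode()
    req = urllib.request.Request(MB_API, data=body, headers={"Auth-Key": auth_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed local path: the sample saved under its SHA256 name after unzipping.
    path = "22fef62c81c2cefa216890ea28c8c8cf5beca54310bf1a577730388a40ea5995"
    with open(path, "rb") as fh:
        mismatches = verify_sample(fh.read())
    print("digest mismatches:", mismatches or "none")
    key = os.environ.get("MB_AUTH_KEY")  # assumed variable name
    if key and not mismatches:
        for sha256, sig, seen in imphash_siblings(query_imphash(LISTED_IMPHASH, key)):
            print(sha256, sig, seen)
```

Run the digest check before anything else: every later pivot (imphash, ssdeep, TLSH) is only meaningful if the bytes on disk are the bytes the entry describes.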

Intelligence


File Origin
# of uploads: 1
# of downloads: 131
Origin country: CA

Vendor Threat Intelligence

No detections
Malware family: n/a
ID: 1
File name: _22fef62c81c2cefa216890ea28c8c8cf5beca54310bf1a577730388a40ea5995.exe
Verdict: No threats detected
Analysis date: 2026-06-04 13:44:15 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict covers every action taken during the analysis session, not only the uploaded sample.
Verdict: Malicious
Score: 99.9%
Tags: shellcode backdoor padodor berbew
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug berbew crypt crypted crypto overlay packed

Verdict: Malicious
Labeled as: GenPack:Generic.Dacic.1.Backdoor.Hangup.A

Verdict: Malicious
File Type: exe x32
First seen: 2026-05-05T01:05:00Z UTC
Last seen: 2026-05-05T01:31:00Z UTC
Hits: ~100
Detections: HEUR:Trojan-Proxy.Win32.Convagent.pef, Trojan-Proxy.Win32.Qukart.gen, HEUR:Trojan.Win32.Generic, HEUR:Trojan.Win32.Agent.gen, HEUR:Trojan-Proxy.Win32.Qukart.vho, HEUR:Trojan-Proxy.Win32.Qukart.sb, HEUR:Trojan-Proxy.Win32.Convagent.pefng, Backdoor.Win32.Padodor.gen, PDM:Trojan.Win32.Generic, Trojan-Proxy.Win32.Qukart.vjh
Threat name: Win32.Infostealer.Berbew
Status: Malicious
First seen: 2026-05-03 06:29:27 UTC
File Type: PE (Exe)
AV detection: 31 of 36 (86.11%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:berbew backdoor discovery persistence
Behaviour:
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Drops file in System32 directory
Executes dropped EXE
Adds autorun key to be loaded by Explorer.exe on startup
Family: Berbew
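The three behaviours reported above (a file dropped under System32, that file executed, and an autorun value written that Explorer.exe loads at logon) are individually common and only become a strong signal when chained. The following is an added detection example, not code from MalwareBazaar or from any of the vendors quoted, that correlates them over Sysmon-style records. The event records are constructed; Sysmon event IDs 11 (FileCreate), 1 (ProcessCreate) and 13 (RegistryValueSet) are real, but the registry paths treated as Explorer-loaded autorun locations, the dropped file name and the CLSID value are assumptions, because the entry does not name the key this sample writes.

```python
"""Chain dropped-in-System32 -> executed -> Explorer autorun written.
Added example over constructed Sysmon-style events; not vendor code."""
from collections import defaultdict

SYSTEM32 = "c:\\windows\\system32\\"

# Assumed: registry locations Explorer.exe reads at logon.  Extend this from
# your own autorun baseline; the entry only says "loaded by Explorer.exe".
EXPLORER_AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\shellserviceobjectdelayload\\",
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks\\",
)


def _norm(path: str) -> str:
    """Lower-case and backslash-normalise so drop and exec paths compare equal."""
    return path.lower().replace("/", "\\")


def correlate(events) -> dict:
    """Return {dropped_path: details} for every file that was created under
    System32, later ran as a process, and whose dropper or the new process
    wrote a value under an Explorer-loaded autorun key.

    A drop without execution, or an execution without an autorun write, is
    deliberately not reported: installers do the first two all the time."""
    drops = {}                   # normalised path -> ProcessGuid that created it
    execs = defaultdict(set)     # normalised image -> ProcessGuids running it
    autorun = defaultdict(set)   # ProcessGuid -> autorun keys it wrote
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            p = _norm(ev["TargetFilename"])
            if p.startswith(SYSTEM32):
                drops[p] = ev["ProcessGuid"]
        elif eid == 1:
            execs[_norm(ev["Image"])].add(ev["ProcessGuid"])
        elif eid == 13:
            key = _norm(ev["TargetObject"])
            if any(k in key for k in EXPLORER_AUTORUN_KEYS):
                autorun[ev["ProcessGuid"]].add(key)

    hits = {}
    for path, dropper in drops.items():
        runners = execs.get(path, set())
        if not runners:
            continue
        writers = {g for g in runners | {dropper} if g in autorun}
        if writers:
            hits[path] = {
                "dropper": dropper,
                "runners": sorted(runners),
                "autorun_keys": sorted(k for g in writers for k in autorun[g]),
            }
    return hits


# Constructed telemetry, not a real capture.  GUIDs, the dropped file name
# "svcupd.exe" and the all-zero CLSID are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{EXPLORER}",
     "Image": r"C:\Users\u\Downloads\22fef62c81c2cefa216890ea28c8c8cf5beca54310bf1a577730388a40ea5995.exe"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": r"C:\Windows\System32\svcupd.exe"},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\svcupd.exe"},
    {"EventID": 13, "ProcessGuid": "{B}",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ExampleObject",
     "Details": "{00000000-0000-0000-0000-000000000000}"},
    # benign-looking noise: a drop into System32 that never executes
    {"EventID": 11, "ProcessGuid": "{C}", "TargetFilename": r"C:\Windows\System32\vendor.dll"},
]

if __name__ == "__main__":
    for path, info in correlate(SAMPLE_EVENTS).items():
        print(path, info)
```

For ShellServiceObjectDelayLoad entries the registry value is a CLSID rather than a path, which is why the chain is keyed on the process that wrote the value instead of on the value's contents; resolving the CLSID to its InprocServer32 path is a separate lookup.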
Malware Config
C2 Extraction:
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
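The extracted configuration lists 29 URLs but only two paths, and several hosts appear with both /index.php and /index.htm. The following is an added example, not code from MalwareBazaar or from any vendor, that reduces the list to unique hosts and emits Suricata http.host rules for retro-hunting; the URL list is copied from the entry above, the SID range and rule message are assumptions. One caveat a practitioner should apply before deploying anything from this list: it mixes presumed actor infrastructure with well-known legitimate domains (kaspersky.ru is in it), so treat matches as leads for review rather than turning the host list into a blocklist.

```python
"""Normalise this sample's extracted C2 URLs into unique hosts and emit
Suricata hunting rules.  Added example; URL list copied from the entry."""
from collections import defaultdict
from urllib.parse import urlsplit

# The 29 URLs from the "C2 Extraction" block above.
C2_URLS = """
http://crutop.nu/index.php http://devx.nm.ru/index.php http://ros-neftbank.ru/index.php
http://master-x.com/index.php http://www.redline.ru/index.php http://cvv.ru/index.php
http://hackers.lv/index.php http://fethard.biz/index.php http://crutop.ru/index.php
http://kaspersky.ru/index.php http://color-bank.ru/index.php http://adult-empire.com/index.php
http://virus-list.com/index.php http://trojan.ru/index.php http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm http://parex-bank.ru/index.htm http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm http://gaz-prom.ru/index.htm http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm http://kadet.ru/index.htm http://cvv.ru/index.htm
http://crutop.nu/index.htm http://crutop.ru/index.htm http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm http://kavkaz.ru/index.htm
""".split()

# Hosts on the list that are well-known legitimate domains; keep them for
# hunting context but never auto-block.  Assumption: extend from your own review.
REVIEW_BEFORE_USE = {"kaspersky.ru"}


def paths_per_host(urls) -> dict:
    """Map each host to the sorted set of paths it is contacted on."""
    out = defaultdict(set)
    for u in urls:
        parts = urlsplit(u)
        out[parts.hostname].add(parts.path)
    return {h: sorted(p) for h, p in out.items()}


def unique_hosts(urls) -> list:
    """Sorted unique hostnames (the config repeats hosts across both paths)."""
    return sorted(paths_per_host(urls))


def suricata_rules(hosts, sid_base: int = 9000001, msg: str = "Berbew C2 host") -> list:
    """One http.host rule per host.  startswith/endswith together force an
    exact host match so 'cvv.ru' does not fire on an unrelated '...cvv.ru'.
    sid_base is an assumed local SID range."""
    rules = []
    for i, host in enumerate(hosts):
        note = " (review before use)" if host in REVIEW_BEFORE_USE else ""
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"{msg} {host}{note}"; flow:established,to_server; '
            f'http.host; content:"{host}"; startswith; endswith; '
            f"sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    hosts = unique_hosts(C2_URLS)
    print(f"{len(C2_URLS)} URLs -> {len(hosts)} unique hosts")
    for host, paths in paths_per_host(C2_URLS).items():
        if len(paths) > 1:
            print("both paths:", host, paths)
    print("\n".join(suricata_rules(hosts)))
```

The http.host buffer is already lower-cased by Suricata, so no nocase modifier is needed; if you want subdomains covered as well, drop startswith and prefix the content with a dot instead.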
Unpacked files
SHA256 hash: 22fef62c81c2cefa216890ea28c8c8cf5beca54310bf1a577730388a40ea5995
MD5 hash: ff40b95cd56932d01b3851918d0de01f
SHA1 hash: 2236346911081ef312e57cef0d851faf04127fe3

SHA256 hash: de1b9351409808923af6ac1c2488f6c135a9c5a0307f5971e6482ae1ceceea8d
MD5 hash: 3d3f3e5dfffa53f61b1bc00e21c153e8
SHA1 hash: c76cd327f5c407607a2dc9937ffef13034e40316

SHA256 hash: b8a6f0c729b042a33e4a4563faf6d7702a92342bbd1037b2d393360360da195e
MD5 hash: 4801122ad663a22f14d80a2d055da6f8
SHA1 hash: efc248ce1a4789ba2b753cf653cf26597de5e69d

Detections: triage_berbew_infostealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: dependsonpythonailib
Author: Tim Brown
Description: Hunts for dependencies on Python AI libraries

Rule name: SUSP_Imphash_Mar23_2
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Zero hits with a search for 'imphash:x p:0' on Virustotal)
Reference: Internal Research

Rule name: test_rule_vldslv

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
