MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b836a69abc38cfca0cca8b20213ffcc84037229e3325edbc80603bc9fc163a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Berbew


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b836a69abc38cfca0cca8b20213ffcc84037229e3325edbc80603bc9fc163a9
SHA3-384 hash: a5843ed738783339a292422cf74b6f1f3bce80828ecbaea55fc707253439313310c80f5922615d5743dbcec5c07da3cd
SHA1 hash: a24398168cf801c3bb18693ff1a3a1a43d13a112
MD5 hash: 33c2e0093b2156cf9c21806e93e97cc0
humanhash: princess-glucose-mexico-uncle
File name:virussign.com_33c2e0093b2156cf9c21806e93e97cc0
Download: download sample
Signature Berbew
Create hunting rule
File size:122'880 bytes
First seen:2022-07-13 14:16:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 62ec3dce1eba1b68f6a4511bb09f8c2c (15 x Berbew)
ssdeep 1536:/sl+Pt4VRhETltJfGieJ7GYWQ2LUK56tbTHY8ihk1B4RtBlt/Q1vHub6m6z2LG:/slSuiTcieJi/Z56BP1BexQ1vHuePQG
Threatray 86 similar samples on MalwareBazaar
TLSH T19DC32672C5369E62C07DDD3003A942ADD0BDF05B6826B5093AEBDDCF7E6A17940E61B0
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter KdssSupport
Tags:Berbew exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/287193/
Detection(s):
Win.Trojan.Crypted-31
Create hunting rule

Win.Malware.Qukart-6838239-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/62ced46ad6d93426ceea224e/reports/afb78ed7-bb01-4b12-9136-11043a208875/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba07b77c-0c14-4f9f-8b29-571dbe5d56e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b836a69abc38cfca0cca8b20213ffcc84037229e3325edbc80603bc9fc163a9/
Threat name:
Win32.Backdoor.DacicHangup
Create hunting rule
Status:
Malicious
First seen:
2022-07-07 17:30:00 UTC
File Type:
PE (Exe)
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fobwu2nlyogpzigmvczaee77zscag4rj4mzf5w6iayb3zh6bmouq._file
Verdict:
malicious
Similar samples:
177dc6eb9550a0bd1905c49d2289e4be299d801ef144605dd1d331948b0df651
Berbew
477435b5dffab09deb3fbc0ceba951a59608ff19d66c794b0895ae45cac38a01
Berbew
69a62a1fb4b844bf19b8e17432a7aada5947d9ff5e73fefda01f2b571f5dfa9a
Berbew
93250c493eb18e3d5239f8386453d1e1b26bb2f6d3f47a9038132b6da217c2b6
Berbew
9601c268a4fab57aeda5c79ce310d4e7364dbc643a526b6d80599d23459f1dfd
Berbew
b5bc198fb2a8b60bc89da31776fe8e1285bd425e0c9f7d7fa6bad60f7451be60
Berbew
c74553c7e1a454db1cfcb85c62d14d4bc5ac63de57c06d64dfed877035e6a82c
Berbew
c9611a2b6cb074644dcdcf27dfaaf3adf42b734c46a7292b6b8d5b37f686afe3
Berbew
e2221376087f037a9f493a0da138f301a6ceab55dc11b5a27d3998c4e46cd472
Berbew
ffe53e36304bc25aa703cae5c4930d809031e5aa84fd6b4e4179932f82ae38f8
Berbew
+ 76 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220713-rlsdnsfafq/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Adds autorun key to be loaded by Explorer.exe on startup
Unpacked files
SH256 hash:
1ff1fbf14c8adffd4f9bae8f13af415baf66567cd6d2a5f410491137e7adac15
MD5 hash:
395da13e61ea2d4a0607ddf9261d577c
SHA1 hash:
38f12e751549dac5e72edf1c64aa8161724a6e53
Link:
https://www.unpac.me/results/ea48ebcc-644b-437f-893a-7d896e43eb1a/
SH256 hash:
4d6278a4aca91120faeb99a336bcbd611da3b4d5a3806a5520f27fe191301a6a
MD5 hash:
eaedf6eda0035df32ae10de7f8f48bcc
SHA1 hash:
b387aaa8a4f574c3f2494741b798b2245a18c850
Link:
https://www.unpac.me/results/ea48ebcc-644b-437f-893a-7d896e43eb1a/
SH256 hash:
2b836a69abc38cfca0cca8b20213ffcc84037229e3325edbc80603bc9fc163a9
MD5 hash:
33c2e0093b2156cf9c21806e93e97cc0
SHA1 hash:
a24398168cf801c3bb18693ff1a3a1a43d13a112
Link:
https://www.unpac.me/results/ea48ebcc-644b-437f-893a-7d896e43eb1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2b836a69abc38cfca0cca8b20213ffcc84037229e3325edbc80603bc9fc163a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Berbew

Executable exe 2b836a69abc38cfca0cca8b20213ffcc84037229e3325edbc80603bc9fc163a9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/287193/

Comments