MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Berbew


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b
SHA3-384 hash: 2f5c95c343af116f669d2e491b13827f2e164b3b45345031161169979a25ae92271f333a4b360cf7ddb049abdc8ef992
SHA1 hash: 707a47bb28c49a99dfd68a97129cd3c6bd877c6b
MD5 hash: c1b1fa5b6faf06194c42e67d771d3ac0
humanhash: fanta-network-failed-alpha
File name:exe007.exe
Download: download sample
Signature Berbew
Create hunting rule
File size:196'608 bytes
First seen:2024-11-19 11:09:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 62ec3dce1eba1b68f6a4511bb09f8c2c (12 x Berbew)
ssdeep 3072:FfE8xJvSU2B1xdLm102VZjuajDMyap9jCyFsWtex:F7mU2B1xBm102VQltex
Threatray 54 similar samples on MalwareBazaar
TLSH T13514091073FC5AE9E9FF5A3D767514261D73FD460819E2782E10EE0E0AB2B8499E2713
TrID 30.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
19.7% (.EXE) Win64 Executable (generic) (10522/11/4)
12.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.4% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Joker
Tags:Berbew exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
394
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b
Verdict:
Malicious activity
Analysis date:
2024-11-18 11:56:42 UTC
Tags:
berbew
Link:
https://app.any.run/tasks/db45871b-fc0a-48c7-ba77-6a80ea50474e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Crypted-29
Create hunting rule

Win.Trojan.Obfus-38
Create hunting rule

Win.Malware.Qukart-6838239-0
Create hunting rule

SecuriteInfo.com.BackDoor.HangUp.43874.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673b2b725107a56eacc769a7
Tags:
shellcode backdoor padodor berbew
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun
Verdict:
Malicious
Labled as:
Trojan.ShellObject.Generic
Link:
https://www.hybrid-analysis.com/sample/2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b
Malware family:
Qukart
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db2ca9a4-a504-48ed-8d58-10b16e38d9fe
Result
Threat name:
Berbew
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1558342
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected Berbew
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1558342 Sample: exe007.exe Startdate: 19/11/2024 Architecture: WINDOWS Score: 100 96 Antivirus detection for URL or domain 2->96 98 Antivirus detection for dropped file 2->98 100 Antivirus / Scanner detection for submitted sample 2->100 102 7 other signatures 2->102 14 exe007.exe 3 3 2->14         started        process3 file4 82 C:\Windows\SysWOW64\Kdimap32.exe, PE32 14->82 dropped 84 C:\Windows\SysWOW64\Fbihenhf.dll, PE32 14->84 dropped 86 C:\Windows\...\Kdimap32.exe:Zone.Identifier, ASCII 14->86 dropped 118 Creates an undocumented autostart registry key 14->118 120 Drops executables to the windows directory (C:\Windows) and starts them 14->120 18 Kdimap32.exe 2 14->18         started        signatures5 process6 file7 54 C:\Windows\SysWOW64\Khgehn32.exe, PE32 18->54 dropped 56 C:\Windows\SysWOW64\Aafncg32.dll, PE32 18->56 dropped 104 Drops executables to the windows directory (C:\Windows) and starts them 18->104 22 Khgehn32.exe 2 18->22         started        signatures8 process9 file10 66 C:\Windows\SysWOW64\Lilcim32.dll, PE32 22->66 dropped 68 C:\Windows\SysWOW64\Kaojqclf.exe, PE32 22->68 dropped 110 Drops executables to the windows directory (C:\Windows) and starts them 22->110 26 Kaojqclf.exe 2 22->26         started        signatures11 process12 file13 74 C:\Windows\SysWOW64\Kdpcboig.exe, PE32 26->74 dropped 76 C:\Windows\SysWOW64\Ilpgnb32.dll, PE32 26->76 dropped 114 Drops executables to the windows directory (C:\Windows) and starts them 26->114 30 Kdpcboig.exe 2 26->30         started        signatures14 process15 file16 88 C:\Windows\SysWOW64\Lpgdgpol.exe, PE32 30->88 dropped 90 C:\Windows\SysWOW64behaviorgraphgjmfh32.dll, PE32 30->90 dropped 122 Drops executables to the windows directory (C:\Windows) and starts them 30->122 34 Lpgdgpol.exe 2 30->34         started        signatures17 process18 file19 58 C:\Windows\SysWOW64\Lohdeg32.exe, PE32 34->58 dropped 60 C:\Windows\SysWOW64behaviorgraphekmkj32.dll, PE32 34->60 dropped 106 Drops executables to the windows directory (C:\Windows) and starts them 34->106 38 Lohdeg32.exe 2 34->38         started        signatures20 process21 file22 70 C:\Windows\SysWOW64\Ldelnn32.exe, PE32 38->70 dropped 72 C:\Windows\SysWOW64\Idhjldmd.dll, PE32 38->72 dropped 112 Drops executables to the windows directory (C:\Windows) and starts them 38->112 42 Ldelnn32.exe 2 38->42         started        signatures23 process24 file25 78 C:\Windows\SysWOW64\Lnmafc32.exe, PE32 42->78 dropped 80 C:\Windows\SysWOW64\Kbiodj32.dll, PE32 42->80 dropped 116 Drops executables to the windows directory (C:\Windows) and starts them 42->116 46 Lnmafc32.exe 2 42->46         started        signatures26 process27 file28 92 C:\Windows\SysWOW64\Lommpfce.exe, PE32 46->92 dropped 94 C:\Windows\SysWOW64\Lhpleplf.dll, PE32 46->94 dropped 124 Drops executables to the windows directory (C:\Windows) and starts them 46->124 50 Lommpfce.exe 2 46->50         started        signatures29 process30 file31 62 C:\Windows\SysWOW6462iplmdja.dll, PE32 50->62 dropped 64 C:\Windows\SysWOW64\Lhebil32.exe, PE32 50->64 dropped 108 Drops executables to the windows directory (C:\Windows) and starts them 50->108 signatures32
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b/
Threat name:
Win32.Infostealer.Berbew
Create hunting rule
Status:
Malicious
First seen:
2024-11-14 15:06:25 UTC
File Type:
PE (Exe)
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fuplwm7rcqfbma36rsz7n5eqjfvhik532nwxibnpbf6tuteoprnq._file
Verdict:
malicious
Label(s):
berbew
Create hunting rule
Similar samples:
62a9f6ecb3f55ac8c772d9658e4997dae78a6b51eccbaadd6b12b8f30b7632ba
Berbew
77f6c63fa9bd7455c1bbd538123b90665000c1246d5dddd3ed38c9cf6b9c4954
Berbew
a34c59a6e89daa064094dac8e89f5311dbaccb9fb8bcc63a8608c72088acaa9a
Berbew
e611cbcc4ea83bbb5f2e48423ba864cb4f118ab5c8e29b989a67ae67e9443897
Berbew
error
Berbew
fef1825bea19ffe16358ad69155a6bff7e09ae77426ce49e4a00fdab1067370b
Berbew
+ 44 additional samples on MalwareBazaar
Result
Malware family:
berbew
Create hunting rule
Score:
  10/10
Tags:
family:berbew backdoor discovery persistence
Link:
https://tria.ge/reports/241119-m86scswbnk/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Berbew family
Malware Config
C2 Extraction:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Verdict:
Malicious
Tags:
Win.Trojan.Crypted-29
YARA:
n/a
Link:
https://app.threat.zone/submission/0e7f408e-1031-4fc9-9aad-1b5bbc1494cf
Unpacked files
SH256 hash:
f20c67efcb78bafbddb92c62f5dac7e6947d41e0b669cbf2d950afab115da7db
MD5 hash:
89ad934e5c4a3249331fbfdc0e3d88e4
SHA1 hash:
2a112cbee9e86f920dfe275cb4ad822e4465035d
Link:
https://www.unpac.me/results/a5a36f3b-7f16-4cd3-8975-bfb237c3ed29/
SH256 hash:
5dc13e5a7da3ebf37fe8fc9e2b54c4e6185389977f8a2e4332f41616a6d940da
MD5 hash:
10bb823119a2978588b9b449393f1366
SHA1 hash:
e8203c5e793e68b083e02dcf9f5928509a7d6bbb
Detections:
berbew
Create hunting rule
SUSP_Imphash_Mar23_2
Create hunting rule
Link:
https://www.unpac.me/results/a5a36f3b-7f16-4cd3-8975-bfb237c3ed29/
SH256 hash:
2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b
MD5 hash:
c1b1fa5b6faf06194c42e67d771d3ac0
SHA1 hash:
707a47bb28c49a99dfd68a97129cd3c6bd877c6b
Link:
https://www.unpac.me/results/a5a36f3b-7f16-4cd3-8975-bfb237c3ed29/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d1ebb33f114/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Berbew

Executable exe 2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3296046/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.DLL::GetSecurityInfo
ADVAPI32.DLL::SetEntriesInAclA
ADVAPI32.DLL::SetSecurityInfo
COM_BASE_APICan Download & Execute componentsole32.DLL::CoCreateInstance
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::CreateProcessA
KERNEL32.DLL::CloseHandle
KERNEL32.DLL::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::TerminateProcess
KERNEL32.DLL::LoadLibraryA
KERNEL32.DLL::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.DLL::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CopyFileA
KERNEL32.DLL::CreateFileA
KERNEL32.DLL::DeleteFileA
KERNEL32.DLL::GetWindowsDirectoryA
KERNEL32.DLL::GetSystemDirectoryA
KERNEL32.DLL::GetTempPathA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.DLL::GetComputerNameA
ADVAPI32.DLL::GetUserNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegCreateKeyExA
ADVAPI32.DLL::RegOpenKeyExA
ADVAPI32.DLL::RegQueryValueExA
ADVAPI32.DLL::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.DLL::FindWindowA
USER32.DLL::CreateWindowExA

Comments