MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Berbew


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c
SHA3-384 hash: 8e7c3ae9c2c2d72ecda1bc8a7f7a7b5f60258058edd119ca0dcb2b961bbdf18b189a0907de68de9defb53a57c7d8febf
SHA1 hash: 49d1b0cb0107d97eb91186b673bcabb8a2a4ae7d
MD5 hash: 189a6b289c59184eed51ee4980861472
humanhash: oranges-may-east-three
File name:362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c
Download: download sample
Signature Berbew
Create hunting rule
File size:95'888 bytes
First seen:2026-06-06 04:11:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ea15a9145b2a4ebd1ffff42444ad78f (2 x Berbew)
ssdeep 1536:nzJ4mi+WF6B/Mms/KK0/TG65cKSDCK5TgskULU3/O53q52IrFzTXMtDhGJ5taRFa:z2mFJ/Xsw/v5cKSDCK5TgsjA3/g3q/h7
Threatray 32 similar samples on MalwareBazaar
TLSH T104938E27B2F54E52C99D02F214939BFD970743F8F22797991878E2583737B3062E6A90
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4504/4/1)
8.4% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter EnthecSolutions
Tags:Berbew enthec exe PE

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
CA CA
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c.exe
Verdict:
No threats detected
Analysis date:
2026-06-06 04:14:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5af98c18-42fe-4a9d-84fd-3409cfdd8820

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69287/
Detection(s):
Win.Trojan.Crypted-31
Create hunting rule

Win.Trojan.Crypted-29
Create hunting rule

Win.Trojan.Obfus-38
Create hunting rule

Win.Dropper.Berbew-9106192-0
Create hunting rule

Win.Malware.Qukart-10015323-0
Create hunting rule

Win.Malware.Qukart-6838239-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a239e3157b7bf261d615f19
Tags:
shellcode backdoor padodor berbew
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug crypto overlay packed packed reconnaissance
Link:
https://www.filescan.io/uploads/6a239e2c12da0d249c66ba0b/reports/ec1adf5c-882f-42fb-b586-837ca7984ba4/overview
Verdict:
Malicious
Labled as:
GenPack:Generic.Dacic.1.Backdoor.Hangup.A
Link:
https://www.hybrid-analysis.com/sample/362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-08T06:36:00Z UTC
Last seen:
2026-06-07T20:05:00Z UTC
Hits:
~100
Detections:
Trojan.Multi.Agent.sb HEUR:Trojan.Win32.Generic HEUR:Trojan-Proxy.Win32.Qukart.sb Backdoor.Win32.Padodor.gen Backdoor.Win32.Padodor.get Trojan-Proxy.Win32.Qukart.vjh Trojan-Proxy.Win32.Qukart.gen HEUR:Trojan.Win32.Agent.gen HEUR:Trojan-Proxy.Win32.Qukart.pef PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/219b489d-20a5-4aaf-bab5-69d29e61ac0e
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c/
Verdict:
Malicious
Threat:
Family.BERBEW
Link:
https://tip.neiki.dev/file/362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c
Threat name:
Win32.Infostealer.Berbew
Create hunting rule
Status:
Malicious
First seen:
2026-05-07 21:21:37 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
35 of 36 (97.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gyw7gwigyun466m3pl7e7bo464q2fbvju2gdrbro56rm3nadxj6a._file
Verdict:
malicious
Label(s):
berbew
Create hunting rule
Similar samples:
0f175f7fcbd0e7ceae68a0e720765f367dd6496fd4db9df5f49ebd6f93de2508
Berbew
255bf67d04eedb4f8cdb35228292e18dbaa8b9625c51b046c84d90c4d1ca11b3
Berbew
5601eb09023210296350c4c312ddab59018e974c372f3944af3175147874a762
Berbew
9aac68d2e3b376a0bb31f04c952a3932e66c6063b73ecf780f566d961fde1e2a
Berbew
e5011a5a889058f394e8e4bc50eca5ae9d4ca557f487778df6314e7ae5159b9d
Berbew
error
Berbew
+ 22 additional samples on MalwareBazaar
Result
Malware family:
berbew
Create hunting rule
Score:
  10/10
Tags:
family:berbew backdoor discovery persistence
Link:
https://tria.ge/reports/260606-esq3zahx8y/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Drops file in System32 directory
Executes dropped EXE
Adds autorun key to be loaded by Explorer.exe on startup
Family: Berbew
Malware Config
C2 Extraction:
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Unpacked files
SH256 hash:
362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c
MD5 hash:
189a6b289c59184eed51ee4980861472
SHA1 hash:
49d1b0cb0107d97eb91186b673bcabb8a2a4ae7d
Link:
https://www.unpac.me/results/4d81640c-52a8-4f68-998a-2c2a184b3a8f/
SH256 hash:
9053ded149ccda766ab9f0104472f9ac05796d778b1f2079b30032e446a1f86b
MD5 hash:
92a50e8114e85884cb61edeebbd9ba3c
SHA1 hash:
83268101b1b007b3b3a54f0b0bdd0ccdd0925f85
Link:
https://www.unpac.me/results/4d81640c-52a8-4f68-998a-2c2a184b3a8f/
SH256 hash:
faa438418568c41b8cb421f1017e6cce9a33d9e7e8f65653b9b0ede5a7e10f36
MD5 hash:
4806a7056475d1285b491a2c673f62f6
SHA1 hash:
82b40217b9829114c255a1636e898cabbad20dbb
Detections:
triage_berbew_infostealer
Create hunting rule
Link:
https://www.unpac.me/results/4d81640c-52a8-4f68-998a-2c2a184b3a8f/
Malware family:
Berbew
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/362df35906c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/362df35906c51bcf799b7afe4f85dcf721a286a9a68c38862eefa2cdb403ba7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69287/

Comments