MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 409e0130211b0b0eccf32859b4678295f3b658ce5b34efac06b42a2cd1da5687. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Berbew


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 409e0130211b0b0eccf32859b4678295f3b658ce5b34efac06b42a2cd1da5687
SHA3-384 hash: d75209df5f97a12428920ad68bb92fc017c3aa2efd66025ec06f798bab21b8a53b832d2cfdeff3b040a5933129b9686a
SHA1 hash: 9e3170913a2fa1d44223bf95c24b73964644f007
MD5 hash: ab2038e886c61de608a48f6f61d434a0
humanhash: spaghetti-mike-zulu-jupiter
File name:virussign.com_ab2038e886c61de608a48f6f61d434a0
Download: download sample
Signature Berbew
Create hunting rule
File size:542'576 bytes
First seen:2022-07-15 17:11:49 UTC
Last seen:2024-07-24 13:29:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 26babd76bbb7f9c516a338b0601b4c9f (34 x Berbew)
ssdeep 12288:KLONpV6yYPsyd0pV6yYPQEpV6yYPsyd0pV6yYPm:ZWsG0WQEWsG0Wm
Threatray 27 similar samples on MalwareBazaar
TLSH T152B48D12BBEB2E09C804C8FC742A6C295686CC3D0DFB57F40AFAC9FA654D39545D8279
TrID 47.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter KdssSupport
Tags:Berbew exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
virussign.com_ab2038e886c61de608a48f6f61d434a0
Verdict:
Suspicious activity
Analysis date:
2022-07-16 00:39:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0ef174af-f7b2-44d7-ac94-17cea044bbfa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/290409/
Detection(s):
Win.Trojan.Crypted-28
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger obfuscated overlay packed
Link:
https://www.filescan.io/uploads/62d1a061d6d93426cef20335/reports/187c01c6-9be4-4299-8ac8-29ce12ccd293/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1033290
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 665783 Sample: qsuzRIPF2J.com_ab2038e886c6... Startdate: 16/07/2022 Architecture: WINDOWS Score: 84 96 Antivirus detection for dropped file 2->96 98 Antivirus / Scanner detection for submitted sample 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 3 other signatures 2->102 14 qsuzRIPF2J.exe 3 3 2->14         started        process3 file4 82 C:\Windows\SysWOW64\Lkmiabgp.exe, PE32 14->82 dropped 84 C:\Windows\SysWOW64\Bddlejna.dll, PE32 14->84 dropped 86 C:\Windows\...\Lkmiabgp.exe:Zone.Identifier, ASCII 14->86 dropped 130 Creates an undocumented autostart registry key 14->130 132 Drops executables to the windows directory (C:\Windows) and starts them 14->132 18 Lkmiabgp.exe 2 14->18         started        signatures5 process6 file7 54 C:\Windows\SysWOW64\Onjkfila.exe, PE32 18->54 dropped 56 C:\Windows\SysWOW64\Dlphmcca.dll, PE32 18->56 dropped 104 Drops executables to the windows directory (C:\Windows) and starts them 18->104 22 Onjkfila.exe 2 18->22         started        signatures8 process9 file10 66 C:\Windows\SysWOW64behaviorgraphjfngm32.dll, PE32 22->66 dropped 68 C:\Windows\SysWOW64\Aeplep32.exe, PE32 22->68 dropped 114 Drops executables to the windows directory (C:\Windows) and starts them 22->114 26 Aeplep32.exe 2 22->26         started        signatures11 process12 file13 74 C:\Windows\SysWOW64\Cejgbldq.exe, PE32 26->74 dropped 76 C:\Windows\SysWOW64\Qneanp32.dll, PE32 26->76 dropped 122 Antivirus detection for dropped file 26->122 124 Machine Learning detection for dropped file 26->124 126 Drops executables to the windows directory (C:\Windows) and starts them 26->126 30 Cejgbldq.exe 2 26->30         started        signatures14 process15 file16 88 C:\Windows\SysWOW64\Fidlackd.exe, PE32 30->88 dropped 90 C:\Windows\SysWOW64\Ffqjgn32.dll, PE32 30->90 dropped 134 Antivirus detection for dropped file 30->134 136 Machine Learning detection for dropped file 30->136 138 Drops executables to the windows directory (C:\Windows) and starts them 30->138 34 Fidlackd.exe 2 30->34         started        signatures17 process18 file19 58 C:\Windows\SysWOW64\Hfplbd32.exe, PE32 34->58 dropped 60 C:\Windows\SysWOW64behaviorgraphpidibnp.dll, PE32 34->60 dropped 106 Antivirus detection for dropped file 34->106 108 Machine Learning detection for dropped file 34->108 110 Drops executables to the windows directory (C:\Windows) and starts them 34->110 38 Hfplbd32.exe 2 34->38         started        signatures20 process21 file22 70 C:\Windows\SysWOW64\Jmdplk32.exe, PE32 38->70 dropped 72 C:\Windows\SysWOW64\Daeqbaap.dll, PE32 38->72 dropped 116 Antivirus detection for dropped file 38->116 118 Machine Learning detection for dropped file 38->118 120 Drops executables to the windows directory (C:\Windows) and starts them 38->120 42 Jmdplk32.exe 2 38->42         started        signatures23 process24 file25 78 C:\Windows\SysWOW64\Moadfoda.exe, PE32 42->78 dropped 80 C:\Windows\SysWOW64\Ihmibian.dll, PE32 42->80 dropped 128 Drops executables to the windows directory (C:\Windows) and starts them 42->128 46 Moadfoda.exe 2 42->46         started        signatures26 process27 file28 92 C:\Windows\SysWOW64\Onnmfb32.exe, PE32 46->92 dropped 94 C:\Windows\SysWOW6494nclcm32.dll, PE32 46->94 dropped 140 Drops executables to the windows directory (C:\Windows) and starts them 46->140 50 Onnmfb32.exe 2 46->50         started        signatures29 process30 file31 62 C:\Windows\SysWOW64\Cplkgd32.exe, PE32 50->62 dropped 64 C:\Windows\SysWOW64\Babnajam.dll, PE32 50->64 dropped 112 Drops executables to the windows directory (C:\Windows) and starts them 50->112 signatures32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/409e0130211b0b0eccf32859b4678295f3b658ce5b34efac06b42a2cd1da5687/
Threat name:
Win32.Backdoor.Berbew
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 02:10:46 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=icpacmbbdmfq5thtfbm3iz4csxz3mwgolm2o7lagwqvczuo2k2dq._file
Verdict:
malicious
Similar samples:
67cf4d17bc2afb86fd7a736cd129903f6006b731203d7e2f0d46c9fd71f68d19
Berbew
6acc6a5bb313eac46bb5058079ac832caaeb808485878aeceb7368c3c9b51a22
Berbew
8859fbec11df9f4db1a2d9618ee39bccfdb7c5841165d8d5791a8b69b590eb59
Berbew
916d03279ae66323710d3808878f712cfed8666ab2ad8924fb0a43dc5d19fc40
Berbew
df904c7918e95632b1aa7cf939a27f51d062b4288295b20f9956b194804ce70e
Berbew
e4cd84b2861d18f45e7eababa25e47562ac50aedce7811f880eaa37431522acd
Berbew
edb588d7ee61dc1930a61f359b1cfec0c4d4d1cbd1b0ec6a50d7a75e0f07ff5a
Berbew
f616de53cd3acc9a95700ea6debe913a8375ec0b29665363adffc7f15d47c0e0
Berbew
f722cac72157d9d8257f7a395d68a13329b8b088d9434e0ab2c80444a9449571
Berbew
f7e15243647a967c96ce342b47c1884e39eb10244df1db7a51f24c002d36e464
Berbew
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220715-vqwtfachd2/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Adds autorun key to be loaded by Explorer.exe on startup
Unpacked files
SH256 hash:
a4219ffbf01629f3dc07c60a56c54a4985771127c9c2a74153f5508efd8e1666
MD5 hash:
0b9e927de321921b3a3d0f68a7e596c5
SHA1 hash:
77c8bfac3ecceb39eb2629cd6911c483c2f089a0
Link:
https://www.unpac.me/results/85219ab6-c02c-40f8-be35-4afe5dbfeece/
SH256 hash:
ca19dc6ed78dfc77da5462dc2c38bb7fa6b89089b1fad3b6deee4dbb45784ac6
MD5 hash:
5bfd838b7ffd2b88f4f8ed4aca706e45
SHA1 hash:
99ba65f958a7fd0cdcde4c0a5356ee9b1e421a29
Link:
https://www.unpac.me/results/85219ab6-c02c-40f8-be35-4afe5dbfeece/
SH256 hash:
d6ab7990954fa0733dc9431c39cf7f71cb4fc86c57312cb177c5a54cc5408baa
MD5 hash:
06fafd7acc7fcbca17f54855f42f5524
SHA1 hash:
8e27f4195d4daa9c62df6a33e3dce341b1810971
Link:
https://www.unpac.me/results/85219ab6-c02c-40f8-be35-4afe5dbfeece/
SH256 hash:
20aba446d97a334fdec24408256cf58fc0289a4b7fcc7b7b032a98e5a9fca7b9
MD5 hash:
d5abe4bb6e7cdbfc3f742168a017ea5d
SHA1 hash:
194052161465f801136e5f2ef34cdcc84ac5c720
Link:
https://www.unpac.me/results/85219ab6-c02c-40f8-be35-4afe5dbfeece/
SH256 hash:
5af9fb6a93e12cd5290f7bd318b4aa912781f1e54cb092764be217808a133e31
MD5 hash:
c4d16a07f472cb5352f286e833f18053
SHA1 hash:
08f28d03f439d2fd201252cd0826bfd9641ba9ee
Link:
https://www.unpac.me/results/85219ab6-c02c-40f8-be35-4afe5dbfeece/
SH256 hash:
51c60746919719095e9a2d5a1a51dd4129cc694cfcd78475fa82a521b22fd288
MD5 hash:
27532247e17359c0827beab9d5a6e4f7
SHA1 hash:
b1c4626e63f37ca9cffab1fe9e24f0a7eb4b8873
Link:
https://www.unpac.me/results/85219ab6-c02c-40f8-be35-4afe5dbfeece/
SH256 hash:
409e0130211b0b0eccf32859b4678295f3b658ce5b34efac06b42a2cd1da5687
MD5 hash:
ab2038e886c61de608a48f6f61d434a0
SHA1 hash:
9e3170913a2fa1d44223bf95c24b73964644f007
Link:
https://www.unpac.me/results/85219ab6-c02c-40f8-be35-4afe5dbfeece/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/409e0130211b0b0eccf32859b4678295f3b658ce5b34efac06b42a2cd1da5687

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Berbew

Executable exe 409e0130211b0b0eccf32859b4678295f3b658ce5b34efac06b42a2cd1da5687

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/290409/

Comments