MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6876c7c4981863fdf415b65d8740bdfc3044fbf8b70add105d3bdf4e76ee7ae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Berbew

Vendor detections: 11

SHA256 hash: 6876c7c4981863fdf415b65d8740bdfc3044fbf8b70add105d3bdf4e76ee7ae8
SHA3-384 hash: 7abc82e86a17c208a10add5af6514783c62864ae075d82666762ae14c1cfe09b8eb3617d475b659fe52312d0cdfedd24
SHA1 hash: 7a0084adc764557557211362a83228cb552ef1b0
MD5 hash: efdc3e93070ac4e4a1c7b38e1b1f073e
humanhash: alaska-mirror-april-yellow
File name: efdc3e93070ac4e4a1c7b38e1b1f073e.exe
Signature: Berbew
File size: 355'392 bytes
First seen: 2024-01-16 01:00:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8100db2f304d29ff67d95d7a2e2bfc85 (1 x Berbew)
ssdeep: 6144:xljgjgK+5bx4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:3rK0x4brRGFB24lwR45FB24lEk
Threatray: 2 similar samples on MalwareBazaar
TLSH: T176746B36616AAE68D8C80FB565377DCBD23087343FF94081091DC13D992ACF65EA61EE
TrID:
  30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
  5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: smica83
Tags: Berbew exe UKR

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 344
Origin country: HU
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 89%
Tags: crypted keylogger lolbin overlay packed remote
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph ID: 1375090
Sample: ZssFGaIHiO.exe
Startdate: 16/01/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 5 other signatures

Process chain (each stage drops two PE32 files into C:\Windows\SysWOW64 and starts the dropped .exe):

ZssFGaIHiO.exe
  dropped: C:\Windows\SysWOW64\Mendfbkc.dll (PE32), C:\Windows\SysWOW64\Inhgbjle.exe (PE32)
  signatures: Creates an undocumented autostart registry key; Drops executables to the windows directory (C:\Windows) and starts them
  started: Inhgbjle.exe

Inhgbjle.exe
  dropped: C:\Windows\SysWOW64\Jdbhoned.dll (PE32), C:\Windows\SysWOW64\Inkdgjjb.exe (PE32)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  started: Inkdgjjb.exe

Inkdgjjb.exe
  dropped: C:\Windows\SysWOW64\Ipomeann.exe (PE32), C:\Windows\SysWOW64\Fadpfeno.dll (PE32)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  started: Ipomeann.exe

Ipomeann.exe
  dropped: C:\Windows\SysWOW64\Jnobgj32.dll (PE32), C:\Windows\SysWOW64\Ihhbkoln.exe (PE32)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  started: Ihhbkoln.exe

Ihhbkoln.exe
  dropped: C:\Windows\SysWOW64\Jmggie32.exe (PE32), C:\Windows\SysWOW64\Bbimhc32.dll (PE32)
  signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
  started: Jmggie32.exe

Jmggie32.exe
  dropped: C:\Windows\SysWOW64\Jaepocoi.exe (PE32), C:\Windows\SysWOW64\Aqnnqd32.dll (PE32)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  started: Jaepocoi.exe

Jaepocoi.exe
  dropped: C:\Windows\SysWOW64\Jpjmqpcq.exe (PE32), C:\Windows\SysWOW64\Ipmfcm32.dll (PE32)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  started: Jpjmqpcq.exe

Jpjmqpcq.exe
  dropped: C:\Windows\SysWOW64\Kkbnch32.exe (PE32), C:\Windows\SysWOW64dobjoof.dll (PE32)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  started: Kkbnch32.exe

Kkbnch32.exe
  dropped: C:\Windows\SysWOW64\Kkanmnho.dll (PE32), C:\Windows\SysWOW64\Khhkbl32.exe (PE32)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  started: Khhkbl32.exe

Khhkbl32.exe
  dropped: C:\Windows\SysWOW64\Kgnhci32.exe (PE32), C:\Windows\SysWOW64\Ifmcbj32.dll (PE32)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
Threat name: Win32.Trojan.ShellObject
Status: Malicious
First seen: 2024-01-12 21:32:00 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Adds autorun key to be loaded by Explorer.exe on startup
Unpacked files

SHA256 hash: d8a8dfd2239d2dfe1999905a226a6ac4bd05c55cf15a764b151fcae0a8af79e1
MD5 hash: 973e52882ea628daa82bd8159a433e7e
SHA1 hash: f5ab92601cd899771a8093cf0e21c57c70a20def

SHA256 hash: 34e3b7ff18b83363c9bef553cef6934d1e732b9aef7f0e58c747adda11202576
MD5 hash: a392a44a4d6ff62f6589581494ca0dea
SHA1 hash: b6573739bdf8ef8727183a4327d1480deaede3d4

SHA256 hash: dab026799122dc7945a6527f00c089e58fa670e244ac4a7add0c234ebc562793
MD5 hash: f603a50bb77ed051012139b964b9f69a
SHA1 hash: 146b47f37821604d8e6ab29151291c5ecfe4bae1

SHA256 hash: bbbbc7d09fc15d5ee0a66a955d31db0685b0af96d27a5c6e6bb451510fa09f86
MD5 hash: be3fb0786af32d7986f07f61b0b42cba
SHA1 hash: 7f8cff6c5fcf0ec36713f794630394618c810d98

SHA256 hash: 6876c7c4981863fdf415b65d8740bdfc3044fbf8b70add105d3bdf4e76ee7ae8
MD5 hash: efdc3e93070ac4e4a1c7b38e1b1f073e
SHA1 hash: 7a0084adc764557557211362a83228cb552ef1b0
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments