MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e45c8a0057c86bf0279d9c7173a2a7edc397ada2a72494692646e2ab84c49e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Berbew


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e45c8a0057c86bf0279d9c7173a2a7edc397ada2a72494692646e2ab84c49e5
SHA3-384 hash: 44cb0af7744cfdd02e3ff04b7790335dbd28e30ccdefdc6a79a0146cb94b87cace7e9b5713c56025008f8b772c31326f
SHA1 hash: 2fce937015e59dc556d1e9526fed13561fc22ae3
MD5 hash: ca6696fe5e7491d331faea8bc86c6460
humanhash: twenty-burger-batman-vegan
File name:PADORU.EXE
Download: download sample
Signature Berbew
Create hunting rule
File size:238'879 bytes
First seen:2024-01-07 04:21:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8622c292d40e9b919198ea1e062a44a8 (1 x Berbew)
ssdeep 6144:nm+NDlBYRGMCftMfRKB3A4U2dga1mcyw7I6BjtCYYs2:m05BYYMCe5WHR1mK7fVtXP2
TLSH T1E2346C0AAE043F72D7CD01B3573E4E92B6FBA32421668170CCE7A04B13E6A2555F65F1
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adm1n_usa32
Tags:Berbew exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469769/
Detection(s):
Win.Trojan.Crypted-28
Create hunting rule

Win.Trojan.Obfus-38
Create hunting rule

Win.Dropper.Berbew-10009643-0
Create hunting rule

Win.Packed.Razy-10009896-0
Create hunting rule

Win.Trojan.Razy-10009897-0
Create hunting rule

Win.Trojan.Qukart-10010381-0
Create hunting rule

Win.Packed.Ijypy-10012795-0
Create hunting rule

Win.Malware.Padodor-10012877-0
Create hunting rule

Win.Packed.Razy-10012926-0
Create hunting rule

Win.Trojan.Generickdz-10013422-0
Create hunting rule

Win.Packed.Qukart-10013976-0
Create hunting rule

Win.Trojan.Padodor-10013986-0
Create hunting rule

Win.Trojan.Padodor-10014180-0
Create hunting rule

Win.Trojan.Razy-10015064-0
Create hunting rule

Win.Trojan.Berbew-10016268-0
Create hunting rule

Win.Trojan.Packz-10016934-0
Create hunting rule

Win.Malware.Renos-10016969-0
Create hunting rule

Win.Malware.Renos-10016973-0
Create hunting rule

Win.Malware.Renos-10016993-0
Create hunting rule

Win.Malware.Renos-10016994-0
Create hunting rule

Win.Trojan.Packz-10017161-0
Create hunting rule

Win.Trojan.Packz-10017163-0
Create hunting rule

Win.Trojan.Packz-10017363-0
Create hunting rule

Win.Packed.Wacatac-10017526-0
Create hunting rule

Win.Packed.Generickdz-10018234-0
Create hunting rule

Win.Malware.Padodor-6840301-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control crypted keylogger lolbin masquerade overlay packed
Link:
https://www.filescan.io/uploads/659a26eb59502c0e7b2de5eb/reports/56b83211-cd98-4155-90e7-54cad30b59b4/overview
Verdict:
Malicious
Labled as:
Trojan.ShellObject.Generic
Link:
https://www.hybrid-analysis.com/sample/8e45c8a0057c86bf0279d9c7173a2a7edc397ada2a72494692646e2ab84c49e5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95900f29-a931-4040-8e43-ac64eb5dcec8
Result
Threat name:
Berbew
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1370873
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected Berbew
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1370873 Sample: PADORU.EXE.exe Startdate: 07/01/2024 Architecture: WINDOWS Score: 100 94 Antivirus detection for dropped file 2->94 96 Antivirus / Scanner detection for submitted sample 2->96 98 Multi AV Scanner detection for dropped file 2->98 100 5 other signatures 2->100 14 PADORU.EXE.exe 3 3 2->14         started        process3 file4 82 C:\Windows\SysWOW64\Mcicfh32.dll, PE32 14->82 dropped 84 C:\Windows\SysWOW64\Cmdqbl32.exe, PE32 14->84 dropped 144 Creates an undocumented autostart registry key 14->144 146 Drops executables to the windows directory (C:\Windows) and starts them 14->146 18 Cmdqbl32.exe 2 14->18         started        signatures5 process6 file7 54 C:\Windows\SysWOW64\Cikagmbo.exe, PE32 18->54 dropped 56 C:\Windows\SysWOW64\Ccdkgime.dll, PE32 18->56 dropped 102 Antivirus detection for dropped file 18->102 104 Machine Learning detection for dropped file 18->104 106 Drops executables to the windows directory (C:\Windows) and starts them 18->106 22 Cikagmbo.exe 2 18->22         started        signatures8 process9 file10 66 C:\Windows\SysWOW64\Cbcfpbip.exe, PE32 22->66 dropped 68 C:\Windows\SysWOW64\Balamble.dll, PE32 22->68 dropped 120 Antivirus detection for dropped file 22->120 122 Machine Learning detection for dropped file 22->122 124 Drops executables to the windows directory (C:\Windows) and starts them 22->124 26 Cbcfpbip.exe 2 22->26         started        signatures11 process12 file13 74 C:\Windows\SysWOW64\Qhliaglc.dll, PE32 26->74 dropped 76 C:\Windows\SysWOW64\Clljih32.exe, PE32 26->76 dropped 132 Antivirus detection for dropped file 26->132 134 Machine Learning detection for dropped file 26->134 136 Drops executables to the windows directory (C:\Windows) and starts them 26->136 30 Clljih32.exe 2 26->30         started        signatures14 process15 file16 86 C:\Windows\SysWOW64\Cmlgckfc.exe, PE32 30->86 dropped 88 C:\Windows\SysWOW64\Ahlqbn32.dll, PE32 30->88 dropped 148 Antivirus detection for dropped file 30->148 150 Machine Learning detection for dropped file 30->150 152 Drops executables to the windows directory (C:\Windows) and starts them 30->152 34 Cmlgckfc.exe 2 30->34         started        signatures17 process18 file19 58 C:\Windows\SysWOW64\Oooami32.dll, PE32 34->58 dropped 60 C:\Windows\SysWOW64\Dmnchk32.exe, PE32 34->60 dropped 108 Antivirus detection for dropped file 34->108 110 Machine Learning detection for dropped file 34->110 112 Drops executables to the windows directory (C:\Windows) and starts them 34->112 38 Dmnchk32.exe 2 34->38         started        signatures20 process21 file22 70 C:\Windows\SysWOW64\Feiaidpc.dll, PE32 38->70 dropped 72 C:\Windows\SysWOW64\Dffhapka.exe, PE32 38->72 dropped 126 Antivirus detection for dropped file 38->126 128 Machine Learning detection for dropped file 38->128 130 Drops executables to the windows directory (C:\Windows) and starts them 38->130 42 Dffhapka.exe 2 38->42         started        signatures23 process24 file25 78 C:\Windows\SysWOW64\Ddjhkdjk.exe, PE32 42->78 dropped 80 C:\Windows\SysWOW64\Aopbjfje.dll, PE32 42->80 dropped 138 Antivirus detection for dropped file 42->138 140 Machine Learning detection for dropped file 42->140 142 Drops executables to the windows directory (C:\Windows) and starts them 42->142 46 Ddjhkdjk.exe 2 42->46         started        signatures26 process27 file28 90 C:\Windows\SysWOW64chdkp32.dll, PE32 46->90 dropped 92 C:\Windows\SysWOW64\Dpaipepo.exe, PE32 46->92 dropped 154 Antivirus detection for dropped file 46->154 156 Machine Learning detection for dropped file 46->156 158 Drops executables to the windows directory (C:\Windows) and starts them 46->158 50 Dpaipepo.exe 2 46->50         started        signatures29 process30 file31 62 C:\Windows\SysWOW64\Diinhk32.exe, PE32 50->62 dropped 64 C:\Windows\SysWOW64\Bnhonl32.dll, PE32 50->64 dropped 114 Antivirus detection for dropped file 50->114 116 Machine Learning detection for dropped file 50->116 118 Drops executables to the windows directory (C:\Windows) and starts them 50->118 signatures32
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8e45c8a0057c86bf0279d9c7173a2a7edc397ada2a72494692646e2ab84c49e5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e45c8a0057c86bf0279d9c7173a2a7edc397ada2a72494692646e2ab84c49e5/
Threat name:
Win32.Trojan.ShellObject
Create hunting rule
Status:
Malicious
First seen:
2023-10-08 00:43:21 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
32 of 37 (86.49%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzc4riafpsdl6atz3hdroorkp3ods6w2fjzesrusmrxcvocmjhsq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/240107-ey8j7sfdh9/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Adds autorun key to be loaded by Explorer.exe on startup
Unpacked files
SH256 hash:
5e087c9a9f5bce044612a6bc15dac2cbc5f12c79d44520d287e56d59c7a16016
MD5 hash:
3d2e54d885afb3684018f18a8b8c1dcb
SHA1 hash:
56e3dc1d78ee13150c916311ca545cd679a1d808
Link:
https://www.unpac.me/results/3d016672-a8df-4f62-8598-622e69ddceed/
SH256 hash:
b39fcb2e9bccd1d8c40a848e5d51d8d9a094716228bbb270744b7ee7f76fd556
MD5 hash:
f97809ff4da2515407708b888715b5a7
SHA1 hash:
4d0172fd1744e802f2cc8f561d201b31cf5c144d
Detections:
berbew_2004
Create hunting rule
Link:
https://www.unpac.me/results/3d016672-a8df-4f62-8598-622e69ddceed/
SH256 hash:
8e45c8a0057c86bf0279d9c7173a2a7edc397ada2a72494692646e2ab84c49e5
MD5 hash:
ca6696fe5e7491d331faea8bc86c6460
SHA1 hash:
2fce937015e59dc556d1e9526fed13561fc22ae3
Link:
https://www.unpac.me/results/3d016672-a8df-4f62-8598-622e69ddceed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e45c8a0057c86bf0279d9c7173a2a7edc397ada2a72494692646e2ab84c49e5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469769/

Comments