MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beedd8dccf6cb33d7b15cdb4ac78429696426563265de71d4f66208fee125e02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Berbew


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: beedd8dccf6cb33d7b15cdb4ac78429696426563265de71d4f66208fee125e02
SHA3-384 hash: c784754ba0fe315b6be55549fd8b78719a49c70ffaf34d00ca9c8876c839aeb35f1457b87fc01e0c1080060686faf566
SHA1 hash: 66bec143eb41071eb334e6c4000c36369523f88b
MD5 hash: 165ed1318f2ca06284fac60306c23e30
humanhash: lion-blossom-georgia-chicken
File name:virussign.com_165ed1318f2ca06284fac60306c23e30
Download: download sample
Signature Berbew
Create hunting rule
File size:113'664 bytes
First seen:2022-07-13 14:13:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b36fc85e0cb5e337c80982db5210969 (7 x Berbew, 6 x njrat)
ssdeep 1536:foZBUloyNm6kCzgk/9F1X1zfsCTPSG9APA+gsRabUDUIbJvz:gZWoyNm5+/Ft1Lfag4lWQDUIbxz
Threatray 80 similar samples on MalwareBazaar
TLSH T15EB34B0A497CDEA1DCCC09774C7D85FDD88D8FCD4DA2745426B0B5886B7628AABCCA0D
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter KdssSupport
Tags:Berbew exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/287188/
Detection(s):
Win.Trojan.Crypted-31
Create hunting rule

Win.Trojan.Obfus-38
Create hunting rule

Win.Malware.Qukart-6838239-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Enabling autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/62ced3add6d93426ceea20fa/reports/b0ae6129-7959-430d-9134-ff9fdce3ca96/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49fe66b5-9dc2-474a-9d16-4d657fe984a5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/beedd8dccf6cb33d7b15cdb4ac78429696426563265de71d4f66208fee125e02/
Threat name:
Win32.Backdoor.DacicHangup
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 06:03:39 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3w5rxgpnszt26yvzw2ky6ccs2leezldezo6ohkpmyqi73qslyba._file
Verdict:
malicious
Similar samples:
177dc6eb9550a0bd1905c49d2289e4be299d801ef144605dd1d331948b0df651
Berbew
1d1026c14b9bc5fa6d8294da928085a3698d62dc29287429e3eae9cddc603e97
Berbew
38c8ad98aa9af0df9cf89f6e6009a4992aa7aabe673e348bcb6478e8576dae3f
Berbew
477435b5dffab09deb3fbc0ceba951a59608ff19d66c794b0895ae45cac38a01
Berbew
6574f1b9d0dc6451993ccf8c0ab2277051c7d1c8c3a2386db261f4eaa4898da0
Berbew
745905fc6c621066133fa3eaedc9746064f2c7ad83b324423571862ab681591c
Berbew
93250c493eb18e3d5239f8386453d1e1b26bb2f6d3f47a9038132b6da217c2b6
Berbew
9601c268a4fab57aeda5c79ce310d4e7364dbc643a526b6d80599d23459f1dfd
Berbew
a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d
Berbew
b5bc198fb2a8b60bc89da31776fe8e1285bd425e0c9f7d7fa6bad60f7451be60
Berbew
+ 70 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220713-rjjzhsaae8/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Adds autorun key to be loaded by Explorer.exe on startup
Unpacked files
SH256 hash:
199220ff6b4e3d19c90ade488e49f3efd920297b92abfa6e605731377c6dda82
MD5 hash:
e4cfa7d283caf758f8154177084616c4
SHA1 hash:
f3f58f613f94a13775098991ce24722ac3cddfed
Link:
https://www.unpac.me/results/64b37b11-7b1d-49b0-bdb4-0df3b1b25e05/
SH256 hash:
e1426dc4646461777e5a187f22fbdb5b1942ae6d6e8b1783bcb4c33e14d52e55
MD5 hash:
10fb99843e99d07990bc216f2a50eab3
SHA1 hash:
1b93237b1fc0a13f4a867c6de17439b760061e6e
Link:
https://www.unpac.me/results/64b37b11-7b1d-49b0-bdb4-0df3b1b25e05/
SH256 hash:
beedd8dccf6cb33d7b15cdb4ac78429696426563265de71d4f66208fee125e02
MD5 hash:
165ed1318f2ca06284fac60306c23e30
SHA1 hash:
66bec143eb41071eb334e6c4000c36369523f88b
Link:
https://www.unpac.me/results/64b37b11-7b1d-49b0-bdb4-0df3b1b25e05/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/beedd8dccf6cb33d7b15cdb4ac78429696426563265de71d4f66208fee125e02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Berbew

Executable exe beedd8dccf6cb33d7b15cdb4ac78429696426563265de71d4f66208fee125e02

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/287188/

Comments