{
	"id": "22ee637a-8bde-4831-84b4-9b0de8ae43d1",
	"created_at": "2026-04-06T00:15:05.208528Z",
	"updated_at": "2026-04-10T03:22:10.08351Z",
	"deleted_at": null,
	"sha1_hash": "20878c977b7da92ece7dfe2b0a05604fb6a5434b",
	"title": "Berbew Backdoor Spotted In The Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105543,
	"plain_text": "Berbew Backdoor Spotted In The Wild\r\nPublished: 2023-02-03 · Archived: 2026-04-05 22:45:39 UTC\r\nThis week, the SonicWall Capture Labs Research team analyzed a sample of Berbew, a trojan that has been seen used in connection with Download.Ject and FormBook to steal user passwords for banking and other financial institutions. Berbew acts as both an infostealer and a proxy to allow for command and control (C2) activities or routing of additional malware.\r\nAnalysis\r\nBerbew has previously been reported as being a second-stage payload once the first stage has infiltrated a target and used an exploit; Download.Ject targeted Microsoft IIS services, while FormBook is transmitted via phishing email attachments. Static analysis shows that the file is 56kb in size with a timestamp set in the year 2036.\r\nFigure 1: Future creation date\r\nThere are a variety of additional red flags in the form of file sections, each of which is named with a random alphanumeric string. Two of these are also self-modifying, a method that malware can use to change its own code. The second section (.E9Mdns0) also makes use of virtualized code, which is a protective measure against analysis, but it is empty before runtime, meaning that data will be inserted during runtime. The last item to note is that the entry point is set within section '.neYm'; this is atypical because the entry point is generally in the first section of any program.\r\nFigure 2: Items to note, 1) section names, 2) self-modifying sections, 3) virtualized code, 4) entry-point address\r\nThe strings show some additional context as to what the program can do. WININET.DLL is a networking library, which suggests the program reads from URL entries. It has the ability to read, write and search through registry entries using the 'Reg' values, as well as obtaining security settings on the system.\r\nhttps://blog.sonicwall.com/en-us/2023/02/berbew-backdoor-spotted-in-the-wild/\r\nPage 1 of 5\r\nFigure 3: Berbew program strings\r\nAt runtime, the executable drops 934 files within 'C:\\Windows\\SYSWOW64' and executes between 23-25 of them in sequence. Of the files dropped, 467 are duplicates of the main executable, with the other half being DLL files. They have a naming scheme of six alphabetic characters followed by 32.exe, or eight alphabetic characters (this applies to both the .EXE and .DLL files). A hook is set up for capturing data using 'DirectDrawCreateEx', which allows for saving keyboard, mouse, clipboard, and screen activity.\r\nFigure 4: Runtime sequence of dropped executables\r\nIn addition, there are also registry keys written for persistence:\r\n- HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\r\n  Web Event Logger\r\n- HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{79FEACFF-FFCE-815E-A900-316290B5B738}\\InProcServer32\r\n- HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\r\nThese will be triggered on restart to load one of the dropped DLL files and restart the program. The dropped DLL files are all identical to each other and only 7kb in size.\r\nFigure 5: Detection of dropped DLL\r\nWhen a financial website has been brought up, or during regular use, the system will bring up prompts to change passwords. This information is then relayed to one of the URLs held in memory; however, no connections are made before data has been collected.\r\nSonicWall Capture Labs provides protection against this threat via the following signature:\r\nGAV: Berbew.F (Trojan)\r\nThis threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.\r\nIOCs\r\nSample 1\r\nMD5: 7350C5C9F3020FB201AD2184453DBBAC\r\nSHA1: C68E9514A58D803C65647191153F35BD742A7463\r\nSHA256: BCC12EEF62B196293032ECB05804510474A276B9A12DD70248F55EFFD405474C\r\nSize: 56kb\r\nSample 2\r\nMD5: FE1AE2707A3D86E7EF8B921A77D571EB\r\nSHA1: 01F484BA1B4B28555FD8DD959A428C94A652443D\r\nSHA256: 73AE10E87168EA0F543C0CFE23B1BA71726AC597E52F06075432EFE30FDED843\r\nSize: 7kb\r\nRegistry Keys\r\n- HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\r\n  Web Event Logger\r\n- HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{79FEACFF-FFCE-815E-A900-316290B5B738}\\InProcServer32\r\n- HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\r\nURLs\r\nSource: https://blog.sonicwall.com/en-us/2023/02/berbew-backdoor-spotted-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sonicwall.com/en-us/2023/02/berbew-backdoor-spotted-in-the-wild/"
	],
	"report_names": [
		"berbew-backdoor-spotted-in-the-wild"
	],
	"threat_actors": [],
	"ts_created_at": 1775434505,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20878c977b7da92ece7dfe2b0a05604fb6a5434b.pdf",
		"text": "https://archive.orkl.eu/20878c977b7da92ece7dfe2b0a05604fb6a5434b.txt",
		"img": "https://archive.orkl.eu/20878c977b7da92ece7dfe2b0a05604fb6a5434b.jpg"
	}
}