Concrete signature match: Backdoor:Win32/Berbew.gen!B (type: Backdoor, provides unauthorized remote access; platform: 32-bit Windows; family: Berbew)
Backdoor:Win32/Berbew is a trojan that gives an attacker remote control of the compromised system. It establishes persistence through mechanisms such as scheduled tasks and Startup-folder entries, and it uses hooking techniques to intercept system functions, most likely to steal credentials or other sensitive data. The generic signature below does not match code; it matches embedded strings. Decoded, its five byte patterns are an IRC client registration sequence ("NICK %s\nUSER %s "), a NUL-padded table of product and process names (Blackice, Zonealarm, Wfindv32, msblast), a localized Startup-folder path ("Programas\Inicio", Portuguese for Programs\Startup) and a batch-file loop that polls for a file's existence ("if not exist ""%*"" goto").
Relevant strings associated with this threat:
- io\Programas\Inicio\ (PEHSTR_EXT)
- \WINME\M (PEHSTR_EXT)
- dLLl (SNID)
- /'\R. (SNID)
- WinExec (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Backdoor_Win32_Berbew_B_2147594707_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Win32/Berbew.gen!B"
        threat_id = "2147594707"
        type = "Backdoor"
        platform = "Win32: Windows 32-bit platform"
        family = "Berbew"
        severity = "Critical"
        info = "gen: malware that is detected using a generic signature"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "8"
        strings_accuracy = "High"
    strings:
        $x_2_1 = {70 64 33 32 00 00 00 00 42 6c 61 63 6b 64 00 00 42 6c 61 63 6b 69 63 65 00 00 00 00 43 66 69 61} //weight: 2, accuracy: High
        $x_2_2 = {57 66 69 6e 64 76 33 32 00 00 00 00 5a 6f 6e 65 61 6c 61 72 6d 00 00 00 6d 73 62 6c 61 73 74 00} //weight: 2, accuracy: High
        $x_2_3 = {69 6f 5c 50 72 6f 67 72 61 6d 61 73 5c 49 6e 69 63 69 6f 5c 00 00 00 00 5c 57 49 4e 4d 45 5c 4d} //weight: 2, accuracy: High
        $x_2_4 = {4e 49 43 4b 20 25 73 0a 55 53 45 52 20 25 73 20} //weight: 2, accuracy: High
        $x_2_5 = {73 74 61 72 74 0d 0a 69 66 20 6e 6f 74 20 65 78 69 73 74 20 22 22 25 2a 22 22 20 67 6f 74 6f 20} //weight: 2, accuracy: High
    condition:
        (filesize < 20MB) and
        (4 of ($x*))
}
8b32b32951c101b304f6def90ed002f99a58fca7d2958699f9f3a35704624a0a
407eb9f9d55687cd6d532600d4ad5846073f8f46a540fb71d04d4bbe2cfa0332
cf7a4980d57b03adc6cc1cff874601449e61bd74ac27091cc575c846a47b0d41
1cf48e24ec0befdc5600daf6362a66ae28dfd42e48262680fd296ae9c4c377b3
140bb888bd7c8734184cbb0329e2a50e73589a5e4dc50d8286149ce03af9ec7b
Immediately isolate the affected machine from the network to stop further attacker activity. Remove the detected threat with your security software. Because this is a backdoor, assume the attacker had remote access to the host: hunt for persistence mechanisms beyond the detected file (scheduled tasks and Startup-folder entries, plus the BITS-job and netsh-helper-DLL techniques the signature's string tags reference), reset every credential used on the system, and consider reimaging the machine, since deleting the flagged binary alone does not guarantee eradication.
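The rule above is a weighted-string signature: each $x_2_* pattern is worth 2 points, the threshold is 8, and the YARA condition "4 of ($x*)" is that threshold expressed as a count. The following is an added example, not code from threatcheck.sh or from the Berbew sample. It decodes the five hex patterns into the string fragments they embed and re-implements the threshold scoring over a constructed buffer, so you can see both what the signature actually looks for and why three matching strings are not enough. The buffer built by build_sample is synthetic test data, not malware.

```python
"""Added example: decode the Berbew.gen!B hex patterns and re-implement the
rule's weighted-threshold condition. Not part of the original page."""

# Patterns copied verbatim from rule Backdoor_Win32_Berbew_B_2147594707_0.
# Every $x_2_* string carries weight 2 in the PEHSTR_EXT signature.
PATTERNS = {
    "$x_2_1": "70 64 33 32 00 00 00 00 42 6c 61 63 6b 64 00 00 42 6c 61 63 6b 69 63 65 00 00 00 00 43 66 69 61",
    "$x_2_2": "57 66 69 6e 64 76 33 32 00 00 00 00 5a 6f 6e 65 61 6c 61 72 6d 00 00 00 6d 73 62 6c 61 73 74 00",
    "$x_2_3": "69 6f 5c 50 72 6f 67 72 61 6d 61 73 5c 49 6e 69 63 69 6f 5c 00 00 00 00 5c 57 49 4e 4d 45 5c 4d",
    "$x_2_4": "4e 49 43 4b 20 25 73 0a 55 53 45 52 20 25 73 20",
    "$x_2_5": "73 74 61 72 74 0d 0a 69 66 20 6e 6f 74 20 65 78 69 73 74 20 22 22 25 2a 22 22 20 67 6f 74 6f 20",
}
WEIGHT = 2
THRESHOLD = 8                      # meta: threshold = "8" -> 4 of the 2-point strings
MAX_FILESIZE = 20 * 1024 * 1024    # condition: filesize < 20MB


def pattern_bytes(name):
    """Raw bytes for one pattern; bytes.fromhex ignores the spaces."""
    return bytes.fromhex(PATTERNS[name])


def fragments(name):
    """Split a pattern on its NUL padding and return the printable fragments.

    The padding is how the strings sit in the sample, so 'Blackice' is a whole
    table entry while 'pd32' is only the tail of the entry before it.
    """
    return [p.decode("latin-1") for p in pattern_bytes(name).split(b"\x00") if p]


def score(buf):
    """Return (matched pattern names, total weight), mimicking PEHSTR_EXT scoring."""
    hits = [name for name in PATTERNS if pattern_bytes(name) in buf]
    return hits, WEIGHT * len(hits)


def matches(buf):
    """True iff the condition '(filesize < 20MB) and (4 of ($x*))' would fire."""
    if len(buf) >= MAX_FILESIZE:
        return False
    _, total = score(buf)
    return total >= THRESHOLD


def build_sample(names, filler=b"\x90" * 64):
    """Constructed test buffer: the chosen patterns separated by filler bytes.

    Synthetic data for demonstrating the scoring; not a Berbew sample.
    """
    return filler + filler.join(pattern_bytes(n) for n in names) + filler


if __name__ == "__main__":
    for name in PATTERNS:
        print(name, fragments(name))
    three = build_sample(["$x_2_1", "$x_2_2", "$x_2_4"])
    four = build_sample(["$x_2_1", "$x_2_2", "$x_2_3", "$x_2_4"])
    print("three strings:", score(three), matches(three))   # weight 6 < 8 -> no match
    print("four strings: ", score(four), matches(four))     # weight 8 -> match
```

To score a real file instead of the constructed buffer, read it in binary mode and pass the bytes to matches(); the filesize guard is checked before any pattern search, just as YARA evaluates the condition.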