Skip navigation.
Home

Berbew malware

|

I downloaded two Berbew malware samples with the exact same names (according to ClamAV, BitDefender and AVGScan) but different MD5, SHA1 and SHA256 values. My question is, are these files that I downloaded two different variants of the the Berbew malware? Thanks.

...

Just in case you haven't solved this yet. One thing you could do is have IDA produce an ASM of the samples and then diff the two ASMs using Kdiff. If you are not very familiar with IDA, you can download the freeware version here (http://www.hex-rays.com/idapro/idadownfreeware.htm). Open the cmdline then type (C:\Program Files\IDA\Idag.exe -B BerbewSample.exe (I think 4.9 has this capabilities) then do the same to the second Berbew sample. Then diff the two ASMs using kdiff (http://kdiff3.sourceforge.net/). Kdiff will try to align matching text that might be at a different address. If the right bar has lots of white, you have the same sample. Good luck.

P.S. if the file is packed you will just be diffing the packers code not the malware's. Run the file in ollydbg, dump and then start from the beginning. :)