betabot | 9f829213a1f233378e8e9069adac865edfb8dd4a7e64998d273930c54ab258eb

General

Target

Customer Complaint letter NHBRC258812.PDF.exe
Size

329KB
MD5

69940b99a87df030b38ab4b04281d7ff
SHA1

a4cecf005b0777ed740e4dc9671e87349e3017cc
SHA256

9f829213a1f233378e8e9069adac865edfb8dd4a7e64998d273930c54ab258eb
SHA512

e43a7dedfcd91b104dcf77b45fd57e28b8dc20ce5a2ae0b094479c4651c8f60154695c13ac770e975d3cecd0d7cefd6d9237428c01cbea2ef1a85f9c29eae2dd

Score

10^/10

evasion trojan backdoor botnet betabot

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Customer Complaint letter NHBRC258812.PDF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Customer Complaint letter NHBRC258812.PDF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Customer Complaint letter NHBRC258812.PDF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Customer Complaint letter NHBRC258812.PDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Customer Complaint letter NHBRC258812.PDF.exe

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Customer Complaint letter NHBRC258812.PDF.exe

pid process

1332 Customer Complaint letter NHBRC258812.PDF.exe

pid	process
1332	Customer Complaint letter NHBRC258812.PDF.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Customer Complaint letter NHBRC258812.PDF.exe

description	pid	process
Token: SeDebugPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeRestorePrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeBackupPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeLoadDriverPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeCreatePagefilePrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeShutdownPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeTakeOwnershipPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeChangeNotifyPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeCreateTokenPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeMachineAccountPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeSecurityPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeAssignPrimaryTokenPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: SeCreateGlobalPrivilege	1332	Customer Complaint letter NHBRC258812.PDF.exe
Token: 33	1332	Customer Complaint letter NHBRC258812.PDF.exe

C:\Users\Admin\AppData\Local\Temp\Customer Complaint letter NHBRC258812.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Customer Complaint letter NHBRC258812.PDF.exe"
1⤵
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1332

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-0-0x00000000033DD000-0x00000000033DE000-memory.dmp

Filesize
4KB

Download
memory/1332-1-0x0000000004DD0000-0x0000000004DE1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads