General

  • Target

    CFDI_52154.exe

  • Size

    577KB

  • Sample

    200909-pchf2769ya

  • MD5

    eac081e7b44345046ebaa6eb36ceb3af

  • SHA1

    43396b4f44409794616d160d953ddb608770e68d

  • SHA256

    89dd8d0c8bfa44ae902f86561e85c7b32beee1e018ea35e761d197dadbfc932b

  • SHA512

    ee1a4db51855b4fa3f4015a590371ddd1894ae172d6b27eeba3d96240d38c381530acf7dca8d8865900d918a967e3701b03fc83db71645ced084c58688b99b88

Malware Config

Targets

    • Target

      CFDI_52154.exe

    • Size

      577KB

    • MD5

      eac081e7b44345046ebaa6eb36ceb3af

    • SHA1

      43396b4f44409794616d160d953ddb608770e68d

    • SHA256

      89dd8d0c8bfa44ae902f86561e85c7b32beee1e018ea35e761d197dadbfc932b

    • SHA512

      ee1a4db51855b4fa3f4015a590371ddd1894ae172d6b27eeba3d96240d38c381530acf7dca8d8865900d918a967e3701b03fc83db71645ced084c58688b99b88

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

    • Modifies firewall policy service

    • Executes dropped EXE

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

4
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Tasks