betabot | a4cf004074849571bb93e91dd43985d914bafd646ee7f630cd44db1e09fa3fab | Triage

Submit
Reports

Overview

overview

Static

static

CFDI_Manag...31.exe

windows7_x64

CFDI_Manag...31.exe

windows10_x64

Sharing

General

Target

CFDI_Manager_80831.exe
Size

785KB
Sample

210125-wdfbzm8lea
MD5

d776c8207ca1a020530692d6db741b09
SHA1

2a4623b17683996333b9d2afabeb1f60eee5ccdc
SHA256

a4cf004074849571bb93e91dd43985d914bafd646ee7f630cd44db1e09fa3fab
SHA512

1b788e8c30b01ec95a49d8d30b0138c43a0cb02d837a273c44f51085287356a9300b8c1ef1220d9e62c1a26f1937b0696fce2e317c756097395081140805e158

Score

10^/10

betabot backdoor botnet evasion persistence ransomware trojan

Static task

static1

Behavioral task

behavioral1

Sample

CFDI_Manager_80831.exe

Resource

win7v20201028

betabot backdoor botnet evasion persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

CFDI_Manager_80831.exe

Resource

win10v20201028

betabot backdoor botnet evasion persistence ransomware trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  CFDI_Manager_80831.exe
- Size
  
  785KB
- MD5
  
  d776c8207ca1a020530692d6db741b09
- SHA1
  
  2a4623b17683996333b9d2afabeb1f60eee5ccdc
- SHA256
  
  a4cf004074849571bb93e91dd43985d914bafd646ee7f630cd44db1e09fa3fab
- SHA512
  
  1b788e8c30b01ec95a49d8d30b0138c43a0cb02d837a273c44f51085287356a9300b8c1ef1220d9e62c1a26f1937b0696fce2e317c756097395081140805e158
Score

10^/10

betabot backdoor botnet evasion persistence trojan ransomware
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- Modifies firewall policy service
  evasion
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

betabotbackdoorbotnetevasionpersistencetrojan

behavioral2

betabotbackdoorbotnetevasionpersistenceransomwaretrojan

© 2018-2024

Terms | Privacy