General

  • Target

    4698845684203520.zip

  • Size

    11.2MB

  • Sample

    210601-pnx128bems

  • MD5

    2496e79cc3d5506d37398c34e158fda7

  • SHA1

    b649b0ebf76fd551a6905abb55f9f4de24c35d96

  • SHA256

    2750d82acc17245fb3f34ceb34d12d50090626ce0bb28902dd2dcc5db924dd48

  • SHA512

    91f5606dfddf5d2860bd1a62375fac333ab0923e0a754588d0544b64da6c2638c242467eedd1e83ae22c51141e7c44254a94bd87132a5d0d936427ca78242fca

Malware Config

Targets

    • Target

      1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd

    • Size

      3.5MB

    • MD5

      88124e4aba906259af28a466774431ea

    • SHA1

      fbc1c27e0d7177238ec99481ffa7d839d1f51594

    • SHA256

      1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd

    • SHA512

      cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables antivirus software.

    • Modifies firewall policy service

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1

    • Size

      3.5MB

    • MD5

      aa8c93e9e5160d638ad2cd03714d863f

    • SHA1

      bfadd4ed975732a0ad370962aabb371da020ed94

    • SHA256

      3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1

    • SHA512

      5ce5e78bcd183298150b801a4e7e133a7e97a5294f7c851dd60281fd10d0d7ce1074fa1a45e4d895b58232e1d8dcff4c7be8792054a300f9993709ef4f55ed33

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables antivirus software.

    • Modifies firewall policy service

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c

    • Size

      3.8MB

    • MD5

      9094886e98dfabe1e5ad8489e08069e2

    • SHA1

      69120139b6195741210d89e963538014190bfa8e

    • SHA256

      4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c

    • SHA512

      ccef13646bceaf423db355743b0213d834520ea5091fe46acc95deb794b59695703161a782a7cf24707cdfa28696333f2218202a9bec7c351d34686cce67f337

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables antivirus software.

    • Modifies firewall policy service

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      d33647e9d09ffe352d2d6c6db4d48c11f2c04c4aab3deb0fd4c48a65cb47385a

    • Size

      3.6MB

    • MD5

      b8ec881b0e5bec784e035a45fd411a62

    • SHA1

      99455b72835a88664f735927e731fcb2f9bba6b2

    • SHA256

      d33647e9d09ffe352d2d6c6db4d48c11f2c04c4aab3deb0fd4c48a65cb47385a

    • SHA512

      d627a28f98cc4a9441f61d4d66d9677cc13ab0d79b76880cc39bfd1e302dc981a831432e420fa2f379cb554f427a489844996800d6a9ad7304a622108a4fafa5

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables antivirus software.

    • Modifies firewall policy service

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Modify Existing Service (T1031): 4
    Registry Run Keys / Startup Folder (T1060): 8
    Hidden Files and Directories (T1158): 4
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 24
    Hidden Files and Directories (T1158): 4

  • Credential Access

    Credentials in Files (T1081): 4

  • Discovery

    Query Registry (T1012): 20
    System Information Discovery (T1082): 24
    Peripheral Device Discovery (T1120): 4

  • Collection

    Data from Local System (T1005): 4
