betabot | ef781682e4a93247b663991423cb28c6c0111c21f80bc5c2c94a6d239808e446 | Triage

Submit
Reports

Overview

overview

Static

static

CFDI_826271_53535.exe

windows7_x64

CFDI_826271_53535.exe

windows10-2004_x64

Sharing

General

Target

CFDI_826271_26-01-2022.zip
Size

771KB
Sample

220713-g9glzaaheq
MD5

40cfabe26ea0d257173b230c43666dc6
SHA1

ade967270c2549bc2499f0247cf5811bc9168d37
SHA256

ef781682e4a93247b663991423cb28c6c0111c21f80bc5c2c94a6d239808e446
SHA512

b81eca57fa281bafc1fea09cad9edd24319f9e334011add4261ac7545e61d3d18cea36a5f8ea3cf47a4a17861fd95664bbdc063b01f6fbe28534861ae3d9f21c

Score

10^/10

betabot backdoor botnet evasion persistence suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

CFDI_826271_53535.exe

Resource

win7-20220414-en

betabot backdoor botnet evasion persistence suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

CFDI_826271_53535.exe

Resource

win10v2004-20220414-en

betabot backdoor botnet evasion persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  CFDI_826271_53535.exe
- Size
  
  894KB
- MD5
  
  f89a4c9d373e3c928bc405d56a496850
- SHA1
  
  de58bf97363c74d83249df1ec2f1e9d62a2101d9
- SHA256
  
  c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d
- SHA512
  
  eb02dcd476e67db8ec0d9bfde5698967c657bbc6cb55973445c565cd10999772b8ba18ecacd85c36bb88ac81898a0d34f2509cf6e2a954c890ffc5c07421d514
Score

10^/10

betabot backdoor botnet evasion persistence suricata trojan
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- Modifies firewall policy service
  evasion
- suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
  suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

betabotbackdoorbotnetevasionpersistencesuricatatrojan

behavioral2

betabotbackdoorbotnetevasionpersistencetrojan

© 2018-2024

Terms | Privacy