General

  • Target

    CFDI_826271.zip

  • Size

    772KB

  • Sample

    220713-g9glzaaher

  • MD5

    39d18965b64c2d246e47ac6bdca89948

  • SHA1

    af8a963f9dd8e4533ced74e175aac15397d5bf22

  • SHA256

    003d956c79e94020bd1c15c118ed6533a76cc1932ed5c05dd303d3b7564739e3

  • SHA512

    253dc2a159e0b08e358a90a5670fd795bcd2f1b5245c049b481c1dbb852d4a9136a685a7536b86dd782e2b176169ccaaaaf36779350cfe2d76175c88993d3b81

Malware Config

Targets

    • Target

      CFDI_826271_53535.exe

    • Size

      894KB

    • MD5

      f89a4c9d373e3c928bc405d56a496850

    • SHA1

      de58bf97363c74d83249df1ec2f1e9d62a2101d9

    • SHA256

      c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d

    • SHA512

      eb02dcd476e67db8ec0d9bfde5698967c657bbc6cb55973445c565cd10999772b8ba18ecacd85c36bb88ac81898a0d34f2509cf6e2a954c890ffc5c07421d514

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

    • Modifies firewall policy service

    • suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4

      suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file execution options in registry

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Hidden Files and Directories

2
T1158

Defense Evasion

Modify Registry

6
T1112

Hidden Files and Directories

2
T1158

Discovery

Query Registry

4
T1012

System Information Discovery

6
T1082

Remote System Discovery

1
T1018

Tasks