betabot

General

Target

1923715e6214c54be40797c3d821fbfc
Size

3.8MB
Sample

231230-p42c7acden
MD5

1923715e6214c54be40797c3d821fbfc
SHA1

bb8de537a9502abcc9b2ea48d9705ff95f44b73a
SHA256

d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
SHA512

e7c692ee1bda08f07be54b151dd04947328cf514e3646d74d87cd9264c4876f510b994d72af1826b25306bb2cc799dd1252b8ac6a893db25e97c441c9e42743f
SSDEEP

98304:yht/20k51M8Ubz0aDAbCZ11x3vhNrG+mqh4IIQ:yhA0k5Ohz0ZWZPxf7Eqn

Malware Config

Extracted

Family

nullmixer

C2

http://watira.xyz/

Extracted

Family

vidar

Version

40.1

Botnet

706

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

gozi

Targets

- Target
  
  1923715e6214c54be40797c3d821fbfc
- Size
  
  3.8MB
- MD5
  
  1923715e6214c54be40797c3d821fbfc
- SHA1
  
  bb8de537a9502abcc9b2ea48d9705ff95f44b73a
- SHA256
  
  d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
- SHA512
  
  e7c692ee1bda08f07be54b151dd04947328cf514e3646d74d87cd9264c4876f510b994d72af1826b25306bb2cc799dd1252b8ac6a893db25e97c441c9e42743f
- SSDEEP
  
  98304:yht/20k51M8Ubz0aDAbCZ11x3vhNrG+mqh4IIQ:yhA0k5Ohz0ZWZPxf7Eqn
Score

10^/10

betabot fabookie gozi nullmixer privateloader smokeloader vidar 706 aspackv2 backdoor banker botnet dropper evasion isfb loader persistence spyware stealer trojan
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies firewall policy service
  evasion
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- Looks for VMWare services registry key.
  evasion
- Sets file execution options in registry
  persistence
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2