betabot

General

Target

dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe
Size

2.5MB
Sample

240107-w7pxwscff6
MD5

e338fba38c82e46b25dcec3dce9ed5d1
SHA1

7d76df722d5820c4a6320d26d9240264dab19b0b
SHA256

dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5
SHA512

99100aacc05d50f02d3a53fb2bd677deecf51c60e60f7559e0ff0d0d40ee6a86b81606638d619ea457454045efb240855097f8095f0396b6d24978b38ad8ab9a
SSDEEP

49152:xcB/W2pZACrSaZjfBgNUIk5ZOwE1rmIvARVrxe8+ocT9L0pP5hYSnPdm9:xsWOCdcriNUIvdIRtE9oc9L0pPdnFO

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

vidar

Version

40.1

Botnet

706

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

gozi

Targets

- Target
  
  dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe
- Size
  
  2.5MB
- MD5
  
  e338fba38c82e46b25dcec3dce9ed5d1
- SHA1
  
  7d76df722d5820c4a6320d26d9240264dab19b0b
- SHA256
  
  dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5
- SHA512
  
  99100aacc05d50f02d3a53fb2bd677deecf51c60e60f7559e0ff0d0d40ee6a86b81606638d619ea457454045efb240855097f8095f0396b6d24978b38ad8ab9a
- SSDEEP
  
  49152:xcB/W2pZACrSaZjfBgNUIk5ZOwE1rmIvARVrxe8+ocT9L0pP5hYSnPdm9:xsWOCdcriNUIvdIRtE9oc9L0pPdnFO
Score

10^/10

betabot gozi nullmixer privateloader smokeloader vidar 706 aspackv2 backdoor banker botnet dropper evasion isfb loader persistence stealer trojan
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- Disables taskbar notifications via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2