betabot

General

Target

7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70exe.exe
Size

3.8MB
Sample

240107-xww3hacbfj
MD5

6ebf4dbc2f41cfe7c3e55e5a76d2a670
SHA1

ee509d9c5910532340694e17fa0b50d0d9558414
SHA256

7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
SHA512

c87dd97ab8ca254fd189df96cb04a32ba53c17e3ee46fc0a28217d96c423e2f8c2fa1b45b3d78d5a5138f13cbcf0c19e955edb7547187cc3a45312a7737d9ac3
SSDEEP

98304:y56aQtE6efCFSGn/Qvp2b/5/fKVzuJiShnf4NMM5/L1hY:y56aeJefAXt4Mf4NMM5/A

Malware Config

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

vidar

Version

40.1

Botnet

706

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

gozi

Targets

- Target
  
  7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70exe.exe
- Size
  
  3.8MB
- MD5
  
  6ebf4dbc2f41cfe7c3e55e5a76d2a670
- SHA1
  
  ee509d9c5910532340694e17fa0b50d0d9558414
- SHA256
  
  7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
- SHA512
  
  c87dd97ab8ca254fd189df96cb04a32ba53c17e3ee46fc0a28217d96c423e2f8c2fa1b45b3d78d5a5138f13cbcf0c19e955edb7547187cc3a45312a7737d9ac3
- SSDEEP
  
  98304:y56aQtE6efCFSGn/Qvp2b/5/fKVzuJiShnf4NMM5/L1hY:y56aeJefAXt4Mf4NMM5/A
Score

10^/10

betabot fabookie gozi nullmixer privateloader smokeloader vidar 706 aspackv2 backdoor banker botnet dropper evasion isfb loader persistence spyware stealer trojan
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- Disables taskbar notifications via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2