Overview

overview

10

Static

static

3

fbec4956a1...28.exe

windows7-x64

1

fbec4956a1...28.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2024 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbec4956a178bb65221cf87ab537b828.exe

  • Size

    207KB

  • MD5

    fbec4956a178bb65221cf87ab537b828

  • SHA1

    5e587f1f30a712e45b35e451af167a5ba54f508d

  • SHA256

    f22e8c6027000f421c70d5733ff537d1e2e49deb5cc1d6ad3287175dffc2668e

  • SHA512

    805d8ac96078aa598e2cd562e60748aeb9f36710490015d3203f309d26f341795fd1a3c82e28cb828947ff99777985fd00a540d3e1f42edd0b471a0739f8a490

  • SSDEEP

    3072:Bo/htLJYeiJiiKVYgTemVAJny/8WyrtD7wmxRivBL2A:uTLJYefYgT/AByyug

Score
10/10
betabotsmokeloaderpub1backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbec4956a178bb65221cf87ab537b828.exe
    "C:\Users\Admin\AppData\Local\Temp\fbec4956a178bb65221cf87ab537b828.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 368
      2⤵
      • Program crash
      PID:4572
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5044 -ip 5044
    1⤵
      PID:4908
    • C:\Users\Admin\AppData\Local\Temp\AA88.exe
      C:\Users\Admin\AppData\Local\Temp\AA88.exe
      1⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        PID:4420
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1112
          3⤵
          • Program crash
          PID:1928
    • C:\Users\Admin\AppData\Local\Temp\AEBF.exe
      C:\Users\Admin\AppData\Local\Temp\AEBF.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4420 -ip 4420
      1⤵
        PID:2520

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\AA88.exe
        Filesize

        127KB

        MD5

        a06f8744accc2c49b34c79f481562733

        SHA1

        230de9d72fe3b6a49fd0895eb2fcf17b80935ba0

        SHA256

        69ce003729f2a748ae8ca18c08e8d7d7c2c79bade6bd5ec3e5ca8498026d0f2e

        SHA512

        622a91a57dbba49d6b64404ac52d718afd7e61a15b3d0e7c14196fe64f7d54454184075a8151273f0aa69373e3975298787b13ddfc4d58246c65a2ef5f404f93

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AA88.exe
        Filesize

        234KB

        MD5

        b777f21997af7b4290ef9f5dc35c1f78

        SHA1

        87da9668a85c8e29dc43f21914f560993dd0bb96

        SHA256

        5f682a3ddb28bd978e72c69aaaf7474e6373d91e536ec6e06cbd2e94cbc14c9e

        SHA512

        b273a0d54c69e79aa0a52b20a690b6b12e98cc05817ba0a2bb7857672fc85487845e16bf7314f2f94a929ce7623399a6297ce6b6d178d04978c52ae243a46622

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AEBF.exe
        Filesize

        338KB

        MD5

        3b05762385dbb8e0e6b591ab8377b496

        SHA1

        b1cf75ce2d96ce97259bc831fa70bff161dc8136

        SHA256

        95a95ef3fbae6d18ee74dc2d3fcbd8720e5b7a1d09507f6cd3a5a06f4541fdcc

        SHA512

        f161da08448efb2b7f48de4698a3744d4c93cd0280f739e4929e6c3fb3f80d621f87814a9f61c86cdce1382cb68d9bb115e52122f083d3e430d7290b09bb3801

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AEBF.exe
        Filesize

        398KB

        MD5

        f27b7a257f5bceb450df2ec686f3e3da

        SHA1

        c99b50825c9bc252ded7ca13772a292b727fda31

        SHA256

        3e09ed287d6bdd99ee5cbfc182166ea3f24e40447b18654d1b33924625d76c4f

        SHA512

        3cbd954cd8413bd781f97f77d47907fc37de47397537c2f75e9b6bff4011ddc0582116fc541cdbd1ed2630e86fcb9e8eea9d752eddb45495c82050422f265748

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        Filesize

        282KB

        MD5

        f26c389d121fea33ece68d31c7ff4990

        SHA1

        674f8371b6ce415a86456defd7d12f24dd762671

        SHA256

        2af8700bf2aca99bb1fb4d643349727394efb61739f0e7f33cd52801083326a5

        SHA512

        47ecd66622c6e36d8b00105f793c7cd6e2a48a514cd909221c5fdd105a280952410c3e2eb29e73153c76a7aea133eb2f25da342d83808a9aed0b4ba59a640357

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        Filesize

        342KB

        MD5

        f7eee29b5f2eff53e82d8c71cd41b4f1

        SHA1

        7599826a81ae31a506caefd087bb16f0c0b258f7

        SHA256

        ab034036af2f0cdf362f3836b9d10526914893aeca8bbf3096998e6aa8a2e2d9

        SHA512

        f933c1c11541218c61b95068239aa966792a0073ad1139e4142519bc32d9cb57bcdfed861b0bb43eb74d5e78c8172fbc4d4b825af1b5bf2e1fedcda022c6a202

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        Filesize

        315KB

        MD5

        89aec1e3562b560e5e7ca3699d4a657b

        SHA1

        40fc14c956c261ccf1aeb6f7c049aeb233bca84e

        SHA256

        5f2225c238f02b7c9eb5e3a0195beea89fafa2ee67d49f858e1373714303bfef

        SHA512

        ff512eb62c8ba2a1e8cda4c2aab0373cc74af829369e92cd5156af53688c9ed1a64d10e28af7c4e1188501fff9c1be5a9cac41f2dde91369a75e3e773395e073

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\lib.dll
        Filesize

        316KB

        MD5

        194fca1c467bd9a2b4d72908b2eef631

        SHA1

        ba78f97471144e86260ed9c0d21dd3bb47128253

        SHA256

        286aa06db99afbee261daf73634488b0c7ba329cd5db8263890e9fc737363233

        SHA512

        b0ef7e2ccb0be355bb743d3e7230338e2f6610981fdcfcbea810848cf6783c7b6523eac2f16dc10020ac2dabe33ab51e29b32107ff2075c25103eb6921ad95d9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsbAFE8.tmp\System.dll
        Filesize

        12KB

        MD5

        dd87a973e01c5d9f8e0fcc81a0af7c7a

        SHA1

        c9206ced48d1e5bc648b1d0f54cccc18bf643a14

        SHA256

        7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

        SHA512

        4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

        Download Submit

      • memory/232-36-0x00000000008A0000-0x0000000000E36000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/232-43-0x00000000008A0000-0x0000000000E36000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/380-63-0x00000000731F0000-0x0000000073907000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/380-57-0x00000000731F0000-0x0000000073907000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/1040-14-0x0000000000010000-0x000000000006D000-memory.dmp

        Filesize

        372KB

        Download

      • memory/1040-20-0x0000000077A04000-0x0000000077A05000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1040-23-0x00000000022F0000-0x0000000002356000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1040-22-0x0000000002830000-0x000000000283C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1040-21-0x0000000002800000-0x0000000002801000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1040-52-0x00000000022F0000-0x0000000002356000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1040-17-0x0000000000620000-0x000000000062D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1040-16-0x00000000022F0000-0x0000000002356000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1040-18-0x00000000022F0000-0x0000000002356000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3520-4-0x0000000003340000-0x0000000003356000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4420-58-0x0000000002A80000-0x0000000002A81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4420-33-0x00000000008E0000-0x00000000009A4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/4420-29-0x00000000008E0000-0x00000000009A4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/4420-26-0x0000000000D90000-0x00000000011C4000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/4420-27-0x00000000008E0000-0x00000000009A4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/4420-61-0x0000000000D90000-0x00000000011C3000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/4420-62-0x00000000008E0000-0x00000000009A4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/4420-59-0x0000000004630000-0x0000000004632000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4420-24-0x0000000000D90000-0x00000000011C4000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/5044-7-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/5044-3-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/5044-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/5044-2-0x00000000005A0000-0x00000000005A9000-memory.dmp

        Filesize

        36KB

        Download