Overview

overview

10

Static

static

3

toolspab2.exe

windows7-x64

10

toolspab2.exe

windows10-1703-x64

10

toolspab2.exe

windows10-2004-x64

10

toolspab2.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-01-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspab2.exe

  • Size

    207KB

  • MD5

    38cb64fa3339058ae21850bb66b82279

  • SHA1

    4ab731f54aec2b9a8c49bf5e38fe294e9745b604

  • SHA256

    ef743dcfbc3b85460416d9708cd43452354c148b375ef94075aaa79207c6467b

  • SHA512

    23ac1bfc8e21b879d347867e7a66af3a2b907265ce8fe415e6315ba7e1b9631c9c32d14b51e95e226661c1630f43d2d0e10e5d17705b9b6fe3200a3a1c13b3a7

  • SSDEEP

    3072:JXNxFFqcLXdCOck2DLO5LE99KsIv3UVmi2nRpMqC3L4EkwAD:t3bqcLtL2LMMPa3UVxIyqCb41p

Score
10/10
betabotsmokeloaderpub2backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolspab2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Local\Temp\toolspab2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2680
  • C:\Users\Admin\AppData\Local\Temp\2AB.exe
    C:\Users\Admin\AppData\Local\Temp\2AB.exe
    1⤵
    • Sets file execution options in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:128
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      2⤵
      • Modifies firewall policy service
      • Sets file execution options in registry
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1156
        3⤵
        • Program crash
        PID:3112
  • C:\Users\Admin\AppData\Local\Temp\8F5.exe
    C:\Users\Admin\AppData\Local\Temp\8F5.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:5060
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2104 -ip 2104
    1⤵
      PID:2504
    • C:\Users\Admin\AppData\Roaming\cejvhaj
      C:\Users\Admin\AppData\Roaming\cejvhaj
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Users\Admin\AppData\Roaming\cejvhaj
        C:\Users\Admin\AppData\Roaming\cejvhaj
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: MapViewOfSection
        PID:2256

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2AB.exe
      Filesize

      360KB

      MD5

      80c413180b6bd0dd664adc4e0665b494

      SHA1

      e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

      SHA256

      6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

      SHA512

      347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\8F5.exe
      Filesize

      1.8MB

      MD5

      03918e44603c5469a8fc59d1efd19005

      SHA1

      6bff85b451ef4a80217c129dfba1b93d73ea5198

      SHA256

      f1703d0de341ffdae415e871328ba3f7cdfa6c9b09e67db5f5f1ca6edef06eed

      SHA512

      11b4d3255e22c5d8025f4f63b8957a2c8f51750b2d058037271949add0dca259ebf108f4c57830167f7502a8ed79e462d71eeb0838960dec11a335c2f3b9f4ab

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\8F5.exe
      Filesize

      1.6MB

      MD5

      9d72d1ffb28744907d35148ace38f37f

      SHA1

      e0bf0666167dc03d5888d4554c0c382948378604

      SHA256

      d6f3dc6c411aa62c812d40e21c54c074f8a1c78a0b858bebbb62c4c958593c17

      SHA512

      9823ba2f118d226cd9fe6d24058688a1c4f54d26031c1b263c50d4f9a1654735bcdaf0915d3470935e18d408ce9a6475a38538bf60ec9b339cb300696796f6f3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
      Filesize

      1.5MB

      MD5

      1ec1166182774f4c843e51f801898a85

      SHA1

      d9a58161925684763f671a24c55dce2691df3053

      SHA256

      5ce328ea4b2324cd1191cee596f41eb6d61c7be8945b11b80d50ca4e918d1468

      SHA512

      d3bfe40404eecfb2c0a618283ec74f8b59908f570bcb2f371543950d2ca804a197d1b6e84d176b10416885f00b57ee8b4e2e1b4f9fbab0c700abd43bf4db0b8b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
      Filesize

      1.7MB

      MD5

      277848a12e47b2f94f3def66b2b1c050

      SHA1

      63bc2b269ef24a08b1d103e40ab0cb275e3ac579

      SHA256

      7bfd0344485c50c7e23f7403a10dd934ed67b36e7494d35d3d9bb731de13b6e7

      SHA512

      c91761808485d8246d10c8b041721192291b8c090f0f774714ab60e037e78421d9b36d353b18d4757ac455fd238ee150a9b536e6418d7124d1466b2e03ecb895

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
      Filesize

      1.5MB

      MD5

      a35909608fdcb8c4c9fbe280af835f57

      SHA1

      6da64610041089df12e95b5cce2566e1b9ca6e56

      SHA256

      db4480ca2f78c5ed7664f05ea35e8e172e2cfeba6f318c1296d9c3738aa59a26

      SHA512

      0dfe1854f152dc01fbc7220b3ce1a4e905a20633d8bc9e96c0c005cd750eab5c2148b3e87ad3df4c826ff8c58a5ca463c0f175a6767118cd00534412231de39e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lib.dll
      Filesize

      1.4MB

      MD5

      456fa3f949e5cad9cfec4c51f61b1c4b

      SHA1

      3b303837f9042a27470c303d58a758b44daa67fa

      SHA256

      ac3d6adac8491ba52979a08a0ab02e8987befbb391eff8f4c3bddb75445c637f

      SHA512

      df47df41f5e7cbea4396b1482fe28ef9c6afe04e9d3f7a284a9ce478838352f3694bf1c121d4bf458f9bf06a20de3a862d2a91ce4eae2a8edd4601eed3b6b875

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsnC12.tmp\System.dll
      Filesize

      12KB

      MD5

      dd87a973e01c5d9f8e0fcc81a0af7c7a

      SHA1

      c9206ced48d1e5bc648b1d0f54cccc18bf643a14

      SHA256

      7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

      SHA512

      4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\cejvhaj
      Filesize

      207KB

      MD5

      38cb64fa3339058ae21850bb66b82279

      SHA1

      4ab731f54aec2b9a8c49bf5e38fe294e9745b604

      SHA256

      ef743dcfbc3b85460416d9708cd43452354c148b375ef94075aaa79207c6467b

      SHA512

      23ac1bfc8e21b879d347867e7a66af3a2b907265ce8fe415e6315ba7e1b9631c9c32d14b51e95e226661c1630f43d2d0e10e5d17705b9b6fe3200a3a1c13b3a7

      Download Submit
    • memory/128-20-0x00000000772A6000-0x00000000772A7000-memory.dmp
      Filesize

      4KB

      Download
    • memory/128-22-0x00000000028D0000-0x00000000028D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/128-21-0x00000000023D0000-0x0000000002436000-memory.dmp
      Filesize

      408KB

      Download
    • memory/128-24-0x0000000002900000-0x000000000290C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/128-25-0x00000000023D0000-0x0000000002436000-memory.dmp
      Filesize

      408KB

      Download
    • memory/128-16-0x0000000000010000-0x000000000006D000-memory.dmp
      Filesize

      372KB

      Download
    • memory/128-41-0x00000000023D0000-0x0000000002436000-memory.dmp
      Filesize

      408KB

      Download
    • memory/128-19-0x0000000000720000-0x000000000072D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/128-40-0x00000000028F0000-0x00000000028F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/128-18-0x00000000023D0000-0x0000000002436000-memory.dmp
      Filesize

      408KB

      Download
    • memory/576-38-0x00000000008D0000-0x0000000000E66000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/576-48-0x00000000008D0000-0x0000000000E66000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2104-31-0x0000000000E00000-0x0000000000EC4000-memory.dmp
      Filesize

      784KB

      Download
    • memory/2104-62-0x0000000004680000-0x0000000004682000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2104-28-0x0000000000640000-0x0000000000A6D000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/2104-36-0x0000000000E00000-0x0000000000EC4000-memory.dmp
      Filesize

      784KB

      Download
    • memory/2104-26-0x0000000000640000-0x0000000000A6D000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/2104-64-0x0000000000640000-0x0000000000A6C000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/2104-65-0x0000000000E00000-0x0000000000EC4000-memory.dmp
      Filesize

      784KB

      Download
    • memory/2256-74-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2256-72-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2452-1-0x0000000000780000-0x0000000000880000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2452-2-0x0000000000760000-0x0000000000769000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2680-6-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2680-3-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2680-4-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/3188-73-0x0000000002C10000-0x0000000002C26000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3188-5-0x0000000000AA0000-0x0000000000AB6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3804-71-0x00000000007D0000-0x00000000008D0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/5060-61-0x0000000072430000-0x0000000072B47000-memory.dmp
      Filesize

      7.1MB

      Download
    • memory/5060-58-0x0000000072430000-0x0000000072B47000-memory.dmp
      Filesize

      7.1MB

      Download