Overview

overview

10

Static

static

3

toolspab3.exe

windows7-x64

10

toolspab3.exe

windows10-1703-x64

10

toolspab3.exe

windows10-2004-x64

10

toolspab3.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    87s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-01-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspab3.exe

  • Size

    208KB

  • MD5

    79d36a2a84827ac86f9e30d31cf5b5dd

  • SHA1

    01432852b4c3d1d1d17d45cde7bdbab0be214fce

  • SHA256

    55424ba52333947a5827238ff2b0905a9ae90c92fb7e9f0d165cbed47dffc47b

  • SHA512

    b0364ce3ca20f32846d2a5ca89cbc92113d52406907ca1c5918bf8d14f826dfa9f738c002a4efbb5ef7bbc30bf31f59d4285b1816d3f695d69cf0f2113ec1388

  • SSDEEP

    3072:RXNxbPxb1GXDbcqUkNO5LntzXCXKX24xVad5E0OtTn7922cDD:13bJb1GzPNMntSXnEad5etTn7o26

Score
10/10
betabotsmokeloaderpub3backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolspab3.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspab3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Users\Admin\AppData\Local\Temp\toolspab3.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspab3.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4412
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 364
        3⤵
        • Program crash
        PID:2408
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
    1⤵
      PID:4500
    • C:\Users\Admin\AppData\Local\Temp\AB53.exe
      C:\Users\Admin\AppData\Local\Temp\AB53.exe
      1⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1452
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1080
          3⤵
          • Program crash
          PID:3632
    • C:\Users\Admin\AppData\Local\Temp\AF8A.exe
      C:\Users\Admin\AppData\Local\Temp\AF8A.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4256
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1452 -ip 1452
      1⤵
        PID:3696
      • C:\Users\Admin\AppData\Roaming\uauehch
        C:\Users\Admin\AppData\Roaming\uauehch
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Users\Admin\AppData\Roaming\uauehch
          C:\Users\Admin\AppData\Roaming\uauehch
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:4348
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 364
            3⤵
            • Program crash
            PID:2448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4348 -ip 4348
        1⤵
          PID:980

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\AB53.exe
          Filesize

          360KB

          MD5

          80c413180b6bd0dd664adc4e0665b494

          SHA1

          e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

          SHA256

          6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

          SHA512

          347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AF8A.exe
          Filesize

          377KB

          MD5

          8a1064468f09ee256708702c894a8d0a

          SHA1

          60fa526a6b77e8f072f235c46257cc6bcff26e32

          SHA256

          8a1904839d886cd9ec1f161bd4e5f160fa4731a7007eb8919238f74d61972bab

          SHA512

          e96b6ceae9273e079d31e1ec24352ca02f47b6142a5012599bd4e137c6c39e9e62305b39f7caa4fc7d06d842d78ca840b32133c93bfac922cee82158841832c0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AF8A.exe
          Filesize

          566KB

          MD5

          0898a1901e6679afca4e3c2d16e7bf60

          SHA1

          bee6050ee9f4baf39f829dd275aefd43456d33bd

          SHA256

          e3b50ae1b0b5d19e439baaf5403a11fe309e8bd0b68d364e69d9ce104de437c2

          SHA512

          13b7280aa7371692aadc1a57a4f17da3f035992ba7427b5f68874ea4843001855857c802c96211e947f604c38b555820d900cb1bd98769fee401d9c0e139d6e1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          172KB

          MD5

          131d6448b2cfef15abd238adfbe81506

          SHA1

          c9b72cd0511502312510c7cff7a5d69b138e55d1

          SHA256

          b9ad319ea0cfde76308db3a536e43af6b231274779cf7be2cf8be8e22a14e72d

          SHA512

          059cd7fb5ae35bab337ace7c6d3fde02099ff344e5a66ee68a9222aa8c9d8cc924cbd0954b0aaff38afac41fea3224be532720a7bf2f81aee0c1c2e89be6598b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          221KB

          MD5

          fe6738e39183490cf4baabaffc48c6de

          SHA1

          fc4ae085f56a427f675a370167944e65d73a30a0

          SHA256

          3bcdf257313bfe0cc7040e66f930e9a0689617b3d42d136c430d94a91900fd25

          SHA512

          3d9a01fc2c4e2a4544ea9de790f52510f8a9ef16d6e61790707ea71267a0a748c78cfe286008d1d024e97c92ff0c296506e62ab9954d7c9e273a583a6a6e6f26

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          320KB

          MD5

          09a9c72faa7e131142b91700f96f3d84

          SHA1

          b4bf29f9817fb2100721242814a8d88ab1e79e93

          SHA256

          cb04b0b631c565d4cbdb35d2d0d0f52c73f2b69caed348826fa3c10657541202

          SHA512

          365821eabbc9449e10091a9161fbe16e162047e46d4e6a9998158a97e7fac93747cab9b90335b1d7b8250fe3c30619be4289f6862a57d9617cc5f5cf9169b897

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\lib.dll
          Filesize

          231KB

          MD5

          80beb65c1a8dfd83f2ea27b68a6d799d

          SHA1

          d2296c383cb4e4d163976cd5cc40bb5500873682

          SHA256

          64a5e17a8650ccc831a3102bb1390d098312c8b791c62a751cd06b26c3c42860

          SHA512

          61e9bbecd0ac008759bb4b34f253e47e32aab8c2ebb674eaf3f748f7c5598a368dc01eb59088b4f87e7751b0153572fb31c3661ad3307a4bd615908b1143814d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nswB101.tmp\System.dll
          Filesize

          12KB

          MD5

          dd87a973e01c5d9f8e0fcc81a0af7c7a

          SHA1

          c9206ced48d1e5bc648b1d0f54cccc18bf643a14

          SHA256

          7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

          SHA512

          4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\uauehch
          Filesize

          126KB

          MD5

          a87f3dd52d8ebeac4d0247e489ae0e80

          SHA1

          0149c79c0ff19f21b47dbaaea61b3f51127c1a0c

          SHA256

          c3e66dfa1db54d9575a1991b94a4119847653e4242a846d42600b1c71d567ebe

          SHA512

          9ae4dd80de15208b21ea2d44e0cb86779e49a8acd17164c9afa154ec42928657873dbf79baab16a344b7253d796b4fb72adf507d366f3f6f7a604d9b2eee4bab

          Download Submit

        • C:\Users\Admin\AppData\Roaming\uauehch
          Filesize

          147KB

          MD5

          b13607ee3045be561c62a39a74826448

          SHA1

          82480a9bb4456ebf14ac72be6e62b5ef6b4653fb

          SHA256

          fd3f76603c0d9d914a93f55980b393654bc9a61f7daa9f5d407098cdf9e8de14

          SHA512

          37a3a7cc7c5463f4d466f056369851733de7093f940365583e1039881c5b5f02e339aca3005bfa6ed8a7e7e76245ed760564e357550e853d549be47365b03652

          Download Submit

        • C:\Users\Admin\AppData\Roaming\uauehch
          Filesize

          208KB

          MD5

          79d36a2a84827ac86f9e30d31cf5b5dd

          SHA1

          01432852b4c3d1d1d17d45cde7bdbab0be214fce

          SHA256

          55424ba52333947a5827238ff2b0905a9ae90c92fb7e9f0d165cbed47dffc47b

          SHA512

          b0364ce3ca20f32846d2a5ca89cbc92113d52406907ca1c5918bf8d14f826dfa9f738c002a4efbb5ef7bbc30bf31f59d4285b1816d3f695d69cf0f2113ec1388

          Download Submit

        • memory/800-2-0x0000000000710000-0x0000000000810000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/800-3-0x00000000006A0000-0x00000000006A9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1452-30-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/1452-33-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/1452-64-0x0000000002B90000-0x0000000002B92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1452-27-0x00000000009C0000-0x0000000000DED000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1452-29-0x00000000009C0000-0x0000000000DED000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1452-66-0x00000000009C0000-0x0000000000DEC000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1452-31-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/1452-63-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/1452-67-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2916-73-0x000000000065F000-0x0000000000670000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3300-5-0x0000000001600000-0x0000000001616000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3300-76-0x00000000033F0000-0x0000000003406000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3724-49-0x00000000009C0000-0x0000000000F56000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3724-39-0x00000000009C0000-0x0000000000F56000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4256-62-0x00000000730E0000-0x00000000737F7000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/4256-59-0x00000000730E0000-0x00000000737F7000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/4348-75-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4348-79-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4348-74-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4412-1-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4412-4-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4412-8-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4780-23-0x00000000028F0000-0x00000000028FC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4780-18-0x0000000002380000-0x00000000023E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4780-19-0x0000000002740000-0x000000000274D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/4780-26-0x0000000002380000-0x00000000023E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4780-24-0x0000000002380000-0x00000000023E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4780-42-0x0000000002380000-0x00000000023E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4780-21-0x0000000077C86000-0x0000000077C87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4780-16-0x0000000000010000-0x000000000006D000-memory.dmp

          Filesize

          372KB

          Download

        • memory/4780-20-0x0000000002380000-0x00000000023E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4780-41-0x00000000028E0000-0x00000000028E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4780-25-0x00000000028C0000-0x00000000028C1000-memory.dmp

          Filesize

          4KB

          Download