Overview

overview

10

Static

static

3

toolspab4.exe

windows7-x64

10

toolspab4.exe

windows10-1703-x64

10

toolspab4.exe

windows10-2004-x64

10

toolspab4.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231222-en
  • resource tags

    arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-01-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspab4.exe

  • Size

    206KB

  • MD5

    5784cb0aeb2ac45ece0689e7eecfc399

  • SHA1

    2d08f92794072432692225d06768b1b2dd37e2d5

  • SHA256

    12eb79f7104c4b5f780f5fc86145924fb81f3bc043c782328ad69c660a287670

  • SHA512

    cc2d49ee58955a3edbc08002e91caf63f9610bb4b3d34101d6025f047cc734ad0d825685114d5ae894d1c250ebd6c3fe265d8fb2120110d559cf345606fdfce1

  • SSDEEP

    3072:qXNx5tV7E7ycJc5GD5LhwrXoD6hYNRQSpPtgLE5eYoAVN:K3fV7WCGdhCoUi9pWLiZP

Score
10/10
betabotsmokeloaderpub4backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolspab4.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspab4.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 500
      2⤵
      • Program crash
      PID:4892
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4232 -ip 4232
    1⤵
      PID:2200
    • C:\Users\Admin\AppData\Local\Temp\A5C5.exe
      C:\Users\Admin\AppData\Local\Temp\A5C5.exe
      1⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        PID:4524
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1152
          3⤵
          • Program crash
          PID:4388
    • C:\Users\Admin\AppData\Local\Temp\AA0C.exe
      C:\Users\Admin\AppData\Local\Temp\AA0C.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4524 -ip 4524
      1⤵
        PID:3832
      • C:\Users\Admin\AppData\Roaming\icbutic
        C:\Users\Admin\AppData\Roaming\icbutic
        1⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: MapViewOfSection
        PID:2220
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 500
          2⤵
          • Program crash
          PID:1616
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2220 -ip 2220
        1⤵
          PID:1460

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\A5C5.exe
          Filesize

          360KB

          MD5

          80c413180b6bd0dd664adc4e0665b494

          SHA1

          e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

          SHA256

          6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

          SHA512

          347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\AA0C.exe
          Filesize

          86KB

          MD5

          3355b772b45ac3fa06147617633c40fb

          SHA1

          ca998709bf695b6d01bbd28bc1ca59c3074ccb95

          SHA256

          2fb36f16660f748bc704c168d9095ee09c204c1f278ee22295aca3d9a80030ea

          SHA512

          20ca7e1d8df9b4f97668527972bfe000ec727d0b63bc2709486a5f3e7149f56ecb1cc7385dee112947a7ac541f402bf49f08505bb5243a5b7cbb79f082ae39ca

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\AA0C.exe
          Filesize

          51KB

          MD5

          25d4c059637ebb28696ef9eb88f513b6

          SHA1

          7d20d8e7aa9d73cd08198e60428514779ace2a3e

          SHA256

          2f2237fa823cd4889f3c6d837bfe87967eec2c5f60c461c68103562194c4af40

          SHA512

          5c0af5702b8f7df651a1b2bc1d9f595d7ba48151f118549eb434703a0964a0f3aedb850c7054900ac293a9e3ece05cc93e78e6bc1e4fc3916f1fa0d72342dbc9

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          108KB

          MD5

          69bf7f2cfd373bc580e81a1a16678a68

          SHA1

          3a33fd9f6950c5dea42dc9163c927c7dfc30fd96

          SHA256

          8232c2658db357d4bd1b2a7a311b07e047b29760dd8a9275a5c42968328c114c

          SHA512

          af645286ac28e1048b26b05e259b137402084d134deaea3280e3654d7d2553c67da9a97115f762c5e005871bd4bff6c73540bb12c48196aedad359ecb6699706

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          30KB

          MD5

          827704e3950b25b8ba33b28881b18a9c

          SHA1

          ab6002a56ef216322676e04b8c82d87466fda516

          SHA256

          a0d2c1eb83bc3492c3710d2c90447d48f302766cf45a6773769ddade9412942b

          SHA512

          4326e6231e549614a85a60ff29d22551540d07899e4fd3569e5af315f16efb8b11d51ac492c4bb55469fb3f57473ef94b3f338952636d65af74fa6481f1690bb

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          39KB

          MD5

          601f3069547905e34fee1639cce124b3

          SHA1

          69fcab894694a78e0bbdeb50599c76e9ccc81f4b

          SHA256

          f7ece28517520dc728e93e17c958f982a86206d8e48522223be8c7787a0cd37f

          SHA512

          5126472ed0d60469f1bca6253503e83c7038df660b9bb79d81c1891be918716d8fe4a7eca0ab9a15acef9eb86b93341b2cf63946e7fad4abcea705354025c0d2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\lib.dll
          Filesize

          125KB

          MD5

          98e67bd7e3ad7a58b7c1687719258698

          SHA1

          f68dd10a6a71c7b35592518ccc39a930826a48bb

          SHA256

          6e63f2c49ac98172f7ca830f2484ac10efd83d53f55cd2d520d9664eef622c4d

          SHA512

          d00fc02fd8b5c0e454dd2523dea717164e2717c291e60654208e7544d4b946bda62c1031e538c8ed26884d373ecd9bcae5099e99e882660888f911c6dc3edd95

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nspABB2.tmp\System.dll
          Filesize

          12KB

          MD5

          dd87a973e01c5d9f8e0fcc81a0af7c7a

          SHA1

          c9206ced48d1e5bc648b1d0f54cccc18bf643a14

          SHA256

          7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

          SHA512

          4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

          Download Submit
        • C:\Users\Admin\AppData\Roaming\icbutic
          Filesize

          48KB

          MD5

          7df400a7664b6caf1ea3a9f3385d52b8

          SHA1

          aac5464425f910473e67d807fb387bb4035bb722

          SHA256

          d11b5c6f0bda54e457748a283fa146983c425d4a7c0fe5ef2cfe4201353d1a4d

          SHA512

          ffa043c8b4244081b2d613aad55f135eabb010737a309f16bc2204e7856aa5353170f0fae4f2dccc9b881c70671fa0ff0a53333ff312acc3679a55678220e75b

          Download Submit
        • C:\Users\Admin\AppData\Roaming\icbutic
          Filesize

          24KB

          MD5

          5e3d73b4bd6aabe804efcf83905ec1eb

          SHA1

          4cf40e270d11e897931aa0f4cb3686c9a765042e

          SHA256

          0cf0199028402fdd6edbc03b125cf656208400da0d9dcedd41846701920598c7

          SHA512

          eabbd51d353443c465bfce226084c8dca900f9cc4368d323004f1596a71b1bf547726ad18fb1ca9ce126b1d3853b5982761f1e27adbc30baae2ae9b6fec330f7

          Download Submit
        • memory/728-39-0x00000000023D0000-0x0000000002436000-memory.dmp
          Filesize

          408KB

          Download
        • memory/728-16-0x00000000023D0000-0x0000000002436000-memory.dmp
          Filesize

          408KB

          Download
        • memory/728-23-0x00000000023D0000-0x0000000002436000-memory.dmp
          Filesize

          408KB

          Download
        • memory/728-17-0x00000000006A0000-0x00000000006AD000-memory.dmp
          Filesize

          52KB

          Download
        • memory/728-14-0x0000000000010000-0x000000000006D000-memory.dmp
          Filesize

          372KB

          Download
        • memory/728-22-0x00000000028F0000-0x00000000028FC000-memory.dmp
          Filesize

          48KB

          Download
        • memory/728-21-0x00000000028C0000-0x00000000028C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/728-18-0x00000000023D0000-0x0000000002436000-memory.dmp
          Filesize

          408KB

          Download
        • memory/728-20-0x0000000077B26000-0x0000000077B27000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2220-74-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/2220-70-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/2220-69-0x00000000006F0000-0x00000000007F0000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/3296-71-0x0000000000E40000-0x0000000000E56000-memory.dmp
          Filesize

          88KB

          Download
        • memory/3296-4-0x0000000005B00000-0x0000000005B16000-memory.dmp
          Filesize

          88KB

          Download
        • memory/3708-60-0x0000000072CB0000-0x00000000733C7000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/3708-57-0x0000000072CB0000-0x00000000733C7000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/4232-1-0x0000000000600000-0x0000000000700000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/4232-3-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/4232-2-0x0000000000AE0000-0x0000000000AE9000-memory.dmp
          Filesize

          36KB

          Download
        • memory/4232-7-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/4524-65-0x0000000001600000-0x00000000016C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/4524-27-0x0000000001600000-0x00000000016C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/4524-33-0x0000000001600000-0x00000000016C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/4524-64-0x0000000000FB0000-0x00000000013DC000-memory.dmp
          Filesize

          4.2MB

          Download
        • memory/4524-47-0x0000000001BE0000-0x0000000001BE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4524-62-0x0000000004E80000-0x0000000004E82000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4524-61-0x0000000001600000-0x00000000016C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/4524-31-0x0000000001600000-0x00000000016C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/4524-28-0x0000000001600000-0x00000000016C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/4524-26-0x0000000000FB0000-0x00000000013DD000-memory.dmp
          Filesize

          4.2MB

          Download
        • memory/4524-24-0x0000000000FB0000-0x00000000013DD000-memory.dmp
          Filesize

          4.2MB

          Download
        • memory/4884-36-0x0000000000880000-0x0000000000E16000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4884-46-0x0000000000880000-0x0000000000E16000-memory.dmp
          Filesize

          5.6MB

          Download