Overview

overview

10

Static

static

3

4e58387e14...03.exe

windows7-x64

10

4e58387e14...03.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7df8edaa8a8b2412a77e89ad13496b51.bin

  • Size

    194KB

  • Sample

    240114-dqrfaabafq

  • MD5

    5b9e0092510875032ea7459e3addf4a7

  • SHA1

    6b78e84e9f1bc1db6e5b8c99555edb2cfca91d56

  • SHA256

    72cf6fb9e3fda3b2ab002bf819a3fe6c494ad3ef61995891886d3876e6c82850

  • SHA512

    8d1cc3639896a18aa4bba5c0bda56d5db2a1050d17f2c83dcf382edabcc3bcb0cbef63ea4490906e3633de61a5ae86de363826413a2736a955b3c03fba1b6ba3

  • SSDEEP

    3072:G2Ebbp6YGLVnp3uuxaPuU5HvBKOPlyZ5/H3479LGeWH3Dl4MasYY9Vt705HzucAL:WpkZn1vsFvBKf/XgUVH3pJaIVt75cAL

Score
10/10
betabotsmokeloaderpub1backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Targets

    • Target

      4e58387e1431f77f2fb4f103f82f7e5703daa02e039e352f05384c2ea300d103.exe

    • Size

      351KB

    • MD5

      7df8edaa8a8b2412a77e89ad13496b51

    • SHA1

      ee567909d3b5862a02702870f1227e999bf1becf

    • SHA256

      4e58387e1431f77f2fb4f103f82f7e5703daa02e039e352f05384c2ea300d103

    • SHA512

      f01eed16bf3ad7912b4886a48cef58c9d0ccb34d391b77a122ed2c0f0a2e5855a6d456435c4955c9e67df619b3e1c952a4f4a06b387fb4280f790d7b942acfa4

    • SSDEEP

      3072:dJ1IpLEoO3wZ699/ddzJ2yDRForgjJqUQhM9jb26est5Fh6m5Pa6BV95j:duLhO3wZ699/PJTFqENTQhalhtC6BVX

    Score
    10/10
    betabotsmokeloaderpub1backdoorbotnetevasionpersistencetrojan

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

      trojanbackdoorbotnetbetabot

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Disables taskbar notifications via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Sets file execution options in registry

      persistence

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

8
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

System Information Discovery

7
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks