Analysis

  • max time kernel
    165s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-01-2024 13:13

General

  • Target

    67b4881f8ca0bd13f5802262ce3ca136.exe

  • Size

    285KB

  • MD5

    67b4881f8ca0bd13f5802262ce3ca136

  • SHA1

    04bec877080609de3ed78bd4590cd3a86f3a8174

  • SHA256

    2522bb19e9b419120009d7d5224ef2dd556ba7f778e2b914b3e574a3d07df0dd

  • SHA512

    34eb7dbb0dcd18b64923fd48911d0e1c5f61fc09e734eb2e7f951da8dc8a4b91221094c5ac3c552a8954a1c6e35718631e2d23b30603fbcb3651b8e511a33cfe

  • SSDEEP

    6144:GsaPyMMOKrX/iSvLFmSimGny/6KnnNf5f:vwzMOKrX/9L8PpZKn

Malware Config

Extracted

Family

smokeloader

Botnet

0904

Extracted

Family

smokeloader

Version

2020

C2


rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Sets file execution options in registry 2 TTPs 4 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\67b4881f8ca0bd13f5802262ce3ca136.exe
    "C:\Users\Admin\AppData\Local\Temp\67b4881f8ca0bd13f5802262ce3ca136.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\67b4881f8ca0bd13f5802262ce3ca136.exe
      "C:\Users\Admin\AppData\Local\Temp\67b4881f8ca0bd13f5802262ce3ca136.exe"
      2⤵
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4816
  • C:\Users\Admin\AppData\Local\Temp\2054.exe
    C:\Users\Admin\AppData\Local\Temp\2054.exe
    1⤵
    • Sets file execution options in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      2⤵
      • Modifies firewall policy service
      • Sets file execution options in registry
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1452
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1144
        3⤵
        • Program crash
        PID:3148
  • C:\Users\Admin\AppData\Local\Temp\26AE.exe
    C:\Users\Admin\AppData\Local\Temp\26AE.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2192
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1452 -ip 1452
    1⤵
      PID:4692

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2054.exe

      Filesize

      360KB

      MD5

      a5a12a44f068a3ae332eabc8d24b551e

      SHA1

      bba10f454c03d83ccfadcff66366f899ca1f889f

      SHA256

      d4d6dd0ba8770b4bd114c6a5397dc8ad8ede7bd49fa1fb9f3e1a32fbba26f986

      SHA512

      f152a7428bd1030da101c4fda243f0e184b414f09b911120138a4816504684444aa094d4feee989d9558dc242619d8c21e2102a5fefbf8bd840b18c400322196

    • C:\Users\Admin\AppData\Local\Temp\26AE.exe

      Filesize

      4.6MB

      MD5

      9b9ab48273378df249befae64b13677d

      SHA1

      94874fa95caf7a59b40c20037759b8802a60524c

      SHA256

      3a5c3e7c73713ff5b43d955e2bb2b33119177c1dcc3ba22cdf62257d4b50dd9b

      SHA512

      89ffab2bf889ed933e24c120909f6f07fef334ed7eac82ce9551f4bb85c30374bad3b4f0c742e5a36475ab9de0a752685a89e3bbc0fd00efd506e698bd234969

    • C:\Users\Admin\AppData\Local\Temp\26AE.exe

      Filesize

      5.4MB

      MD5

      b140fdb1058a95add7a5c2ab08989614

      SHA1

      f37019747b3049e30dff0196363d3eb9b226c4ef

      SHA256

      0c1cf1904ae3d256ae173e50fea473f24a25f83181abf1d00825d21d4219b0cf

      SHA512

      b17060c3b10548523a19b811d4dc1762cd7626fc6242d4478e4b5ec6782effc1891a00106c945819f282378d160ca8aba5cf91d4c952bf3de275ebb64d435112

    • C:\Users\Admin\AppData\Local\Temp\AE30.tmp

      Filesize

      1.6MB

      MD5

      4f3387277ccbd6d1f21ac5c07fe4ca68

      SHA1

      e16506f662dc92023bf82def1d621497c8ab5890

      SHA256

      767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

      SHA512

      9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

      Filesize

      2.2MB

      MD5

      0badb0e573d95db49ac23c11163d9386

      SHA1

      d86dd20e4498ba5576272df07cd71dd9ed40bf8d

      SHA256

      5ebb608342d1306743d1ab56bb587b00d7e14737f5af48be3fa738a98cf29668

      SHA512

      a83d397fdcf2b749aac8f1db38a991b06a70c58d21c84d09cd8a732ee744287e7d7d58edeb817006b6ee245ed313993a3280aea32fd4c5a079b4f960ab35eff8

    • C:\Users\Admin\AppData\Local\Temp\lib.dll

      Filesize

      2.2MB

      MD5

      bc94fe5f3a7d234dceefa5a25c109358

      SHA1

      eefd19123cb554bd975d9848eff08f195c7794bb

      SHA256

      fdbd693e2a9eab791967e78eef8e1a3423c63b570d6fc8ccd9367be931c779c4

      SHA512

      650632899edc1bce009244cf228500c26df33c2036f774f60529c10bf7b277a49d3e635846097cf2d821a54e066a07f5f6ef2be055e1054e8c4a1a938fad9c69

    • C:\Users\Admin\AppData\Local\Temp\nsi4C57.tmp\System.dll

      Filesize

      12KB

      MD5

      dd87a973e01c5d9f8e0fcc81a0af7c7a

      SHA1

      c9206ced48d1e5bc648b1d0f54cccc18bf643a14

      SHA256

      7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

      SHA512

      4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
