betabot

General

Target

Archive.zip
Size

1.7MB
Sample

240510-v3pkwscb52
MD5

cb01b6d5f01fd0b267c10377e2b5f61f
SHA1

2c49e1625de99273058a90ce2b289bbc8700d4ed
SHA256

8e020777c713413f11c59c779bf6a2efb777f2d4c309e5dbc1e8a0b5bd27472e
SHA512

57e29318c0fb16d3774061e15243f848d3c48c48e3c634bca966f70f1d33431f86036ceb82140f92353e59a0fefd7aeabeef032e1dec85cb6048a07d03ad5ba6
SSDEEP

49152:VaQTbm6nRBSs8+3rpsINBTNDyabCssTENXsoWn3EA3:lTbJnzbH+fTENXso23EA3

Score

10^/10

Malware Config

Targets

- Target
  
  )}ì~)J0ø‰º!Ã²@x&ÚâØaßHÍôõ.exe
- Size
  
  609KB
- MD5
  
  347d7700eb4a4537df6bb7492ca21702
- SHA1
  
  983189dab4b523e19f8efd35eee4d7d43d84aca2
- SHA256
  
  a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
- SHA512
  
  5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
- SSDEEP
  
  12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw
Score

10^/10

betabot modiloader backdoor botnet evasion persistence trojan
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies firewall policy service
  evasion
- ModiLoader Second Stage
- Sets file execution options in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  2019-09-02_22-41-10.exe
- Size
  
  251KB
- MD5
  
  924aa6c26f6f43e0893a40728eac3b32
- SHA1
  
  baa9b4c895b09d315ed747b3bd087f4583aa84fc
- SHA256
  
  30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
- SHA512
  
  3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
- SSDEEP
  
  6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  file (1).exe
- Size
  
  2.7MB
- MD5
  
  731ff38afbc5a664f5a458e222d91f84
- SHA1
  
  5105f89898a3d9e5b5b52ddcd7d0a3b167aaf701
- SHA256
  
  a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0
- SHA512
  
  910b1c9fb8e28c3f24d35a875ff86f3ab2e2c573797e078ece204538a3bdc6d42bc92531197e57be577ffb2e4cacdd53fec6a61843e6c69be4794e68506f68c3
- SSDEEP
  
  24576:3RoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvxB5VA0UC1dUUKj/OZ8j3g3:BoKmo4jC6TovDRUC1doj/Tg3
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral3