betabot | 70a61b9f583b7f4837211571603cf791b334e139d2138b217e2b3af33c565a43 | Triage

Submit
Reports

Overview

overview

Static

static

1

69db660126...18.rtf

windows7-x64

69db660126...18.rtf

windows10-2004-x64

1

Sharing

General

Target

69db660126843cc9ca7092394735c351_JaffaCakes118
Size

756KB
Sample

240523-fz37jsfa49
MD5

69db660126843cc9ca7092394735c351
SHA1

37d4cceb2766ca0ef6d747d5188b96475892c277
SHA256

70a61b9f583b7f4837211571603cf791b334e139d2138b217e2b3af33c565a43
SHA512

86cce32c0fa5289783f1449fa51087297a6cd93c56aefd9e5357610bc2b48e2300f874b1e58b717ce92b29faeeb7b0d9feef852434030b7583b0ed70da0ae0f8
SSDEEP

12288:X+WhWEyIuRalv7sa2beX41VWIr3cTGeIif82GgrMs7JjMt8RdZtz4lTMSQ/skLoB:XIRIGST8iX41oITACitXr7J5RdclT6di

Score

10^/10

betabot backdoor botnet evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

69db660126843cc9ca7092394735c351_JaffaCakes118.rtf

Resource

win7-20231129-en

betabot backdoor botnet evasion persistence trojan

windows7-x64

27 signatures

150 seconds

Behavioral task

behavioral2

Sample

69db660126843cc9ca7092394735c351_JaffaCakes118.rtf

Resource

win10v2004-20240508-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Targets

- Target
  
  69db660126843cc9ca7092394735c351_JaffaCakes118
- Size
  
  756KB
- MD5
  
  69db660126843cc9ca7092394735c351
- SHA1
  
  37d4cceb2766ca0ef6d747d5188b96475892c277
- SHA256
  
  70a61b9f583b7f4837211571603cf791b334e139d2138b217e2b3af33c565a43
- SHA512
  
  86cce32c0fa5289783f1449fa51087297a6cd93c56aefd9e5357610bc2b48e2300f874b1e58b717ce92b29faeeb7b0d9feef852434030b7583b0ed70da0ae0f8
- SSDEEP
  
  12288:X+WhWEyIuRalv7sa2beX41VWIr3cTGeIif82GgrMs7JjMt8RdZtz4lTMSQ/skLoB:XIRIGST8iX41oITACitXr7J5RdclT6di
Score

10^/10

betabot backdoor botnet evasion persistence trojan
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- Modifies firewall policy service
  evasion
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Sets file execution options in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

betabotbackdoorbotnetevasionpersistencetrojan

behavioral2

© 2018-2024

Terms | Privacy