betabot | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
148s
max time network
139s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan/BetaBot.exe
Size

609KB
MD5

347d7700eb4a4537df6bb7492ca21702
SHA1

983189dab4b523e19f8efd35eee4d7d43d84aca2
SHA256

a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
SHA512

5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
SSDEEP

12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw

Score

10^/10

betabot modiloader backdoor botnet defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral16/memory/1296-3-0x0000000000400000-0x000000000049F000-memory.dmp	modiloader_stage2
behavioral16/memory/4188-15-0x0000000000480000-0x0000000000582000-memory.dmp	modiloader_stage2

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

BetaBot.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c5uuso9kkqkg.exe	BetaBot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c5uuso9kkqkg.exe\DisableExceptionChainValidation	BetaBot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "qjulaubio.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\c5uuso9kkqkg.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\c5uuso9kkqkg.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

BetaBot.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BetaBot.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BetaBot.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

Processes:

BetaBot.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c5uuso9kkqkg.exe\DisableExceptionChainValidation	BetaBot.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

BetaBot.exeexplorer.exe

pid	process
428	BetaBot.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

BetaBot.exe

description pid process target process

PID 1296 set thread context of 428 1296 BetaBot.exe BetaBot.exe

description	pid	process	target process
PID 1296 set thread context of 428	1296	BetaBot.exe	BetaBot.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

BetaBot.exeBetaBot.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BetaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BetaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BetaBot.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BetaBot.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BetaBot.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

explorer.exe

pid	process
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

BetaBot.exe

pid process

428 BetaBot.exe
428 BetaBot.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

BetaBot.exe

pid process

428 BetaBot.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

BetaBot.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	428	BetaBot.exe
Token: SeRestorePrivilege	428	BetaBot.exe
Token: SeBackupPrivilege	428	BetaBot.exe
Token: SeLoadDriverPrivilege	428	BetaBot.exe
Token: SeCreatePagefilePrivilege	428	BetaBot.exe
Token: SeShutdownPrivilege	428	BetaBot.exe
Token: SeTakeOwnershipPrivilege	428	BetaBot.exe
Token: SeChangeNotifyPrivilege	428	BetaBot.exe
Token: SeCreateTokenPrivilege	428	BetaBot.exe
Token: SeMachineAccountPrivilege	428	BetaBot.exe
Token: SeSecurityPrivilege	428	BetaBot.exe
Token: SeAssignPrimaryTokenPrivilege	428	BetaBot.exe
Token: SeCreateGlobalPrivilege	428	BetaBot.exe
Token: 33	428	BetaBot.exe
Token: SeDebugPrivilege	4188	explorer.exe
Token: SeRestorePrivilege	4188	explorer.exe
Token: SeBackupPrivilege	4188	explorer.exe
Token: SeLoadDriverPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeTakeOwnershipPrivilege	4188	explorer.exe
Token: SeChangeNotifyPrivilege	4188	explorer.exe
Token: SeCreateTokenPrivilege	4188	explorer.exe
Token: SeMachineAccountPrivilege	4188	explorer.exe
Token: SeSecurityPrivilege	4188	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	4188	explorer.exe
Token: SeCreateGlobalPrivilege	4188	explorer.exe
Token: 33	4188	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

BetaBot.exeBetaBot.exe

description	pid	process	target process
PID 1296 wrote to memory of 428	1296	BetaBot.exe	BetaBot.exe
PID 1296 wrote to memory of 428	1296	BetaBot.exe	BetaBot.exe
PID 1296 wrote to memory of 428	1296	BetaBot.exe	BetaBot.exe
PID 1296 wrote to memory of 428	1296	BetaBot.exe	BetaBot.exe
PID 1296 wrote to memory of 428	1296	BetaBot.exe	BetaBot.exe
PID 428 wrote to memory of 4188	428	BetaBot.exe	explorer.exe
PID 428 wrote to memory of 4188	428	BetaBot.exe	explorer.exe
PID 428 wrote to memory of 4188	428	BetaBot.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks whether UAC is enabled
  - Indicator Removal: Clear Persistence
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies firewall policy service
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-7-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/428-19-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1296-3-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4188-9-0x0000000000B00000-0x0000000000F40000-memory.dmp

Filesize
4.2MB

Download
memory/4188-11-0x0000000000B00000-0x0000000000F40000-memory.dmp

Filesize
4.2MB

Download
memory/4188-13-0x0000000000B00000-0x0000000000F40000-memory.dmp

Filesize
4.2MB

Download
memory/4188-14-0x0000000000B00000-0x0000000000F3F000-memory.dmp

Filesize
4.2MB

Download
memory/4188-15-0x0000000000480000-0x0000000000582000-memory.dmp

Filesize
1.0MB

Download