Overview
overview
10Static
static
10Archive.zip
windows10-1703-x64
1Dropper/Berbew.exe
windows10-1703-x64
10Dropper/Phorphiex.exe
windows10-1703-x64
10out.exe
windows10-1703-x64
3RAT/31.exe
windows10-1703-x64
10RAT/XClient.exe
windows10-1703-x64
10RAT/file.exe
windows10-1703-x64
7Ransomware...-2.exe
windows10-1703-x64
10Ransomware...01.exe
windows10-1703-x64
10Ransomware...lt.exe
windows10-1703-x64
10Stealers/Azorult.exe
windows10-1703-x64
10Stealers/B...on.exe
windows10-1703-x64
10Stealers/Dridex.dll
windows10-1703-x64
10Stealers/M..._2.exe
windows10-1703-x64
10Stealers/lumma.exe
windows10-1703-x64
10Trojan/BetaBot.exe
windows10-1703-x64
10Trojan/Smo...er.exe
windows10-1703-x64
10Resubmissions
03-09-2024 14:02
240903-rb57sazdqf 1003-09-2024 13:51
240903-q59avszclf 1002-09-2024 19:51
240902-yk8gtsxbpd 1002-09-2024 02:27
240902-cxh7tazflg 1002-09-2024 02:26
240902-cwxc2sygll 1021-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
148s -
max time network
139s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
02-09-2024 02:27
Behavioral task
behavioral1
Sample
Archive.zip
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Dropper/Berbew.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Dropper/Phorphiex.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
out.exe
Resource
win10-20240611-en
Behavioral task
behavioral5
Sample
RAT/31.exe
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
RAT/XClient.exe
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
RAT/file.exe
Resource
win10-20240404-en
Behavioral task
behavioral8
Sample
Ransomware/Client-2.exe
Resource
win10-20240404-en
Behavioral task
behavioral9
Sample
Ransomware/criticalupdate01.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
Ransomware/default.exe
Resource
win10-20240404-en
Behavioral task
behavioral11
Sample
Stealers/Azorult.exe
Resource
win10-20240404-en
Behavioral task
behavioral12
Sample
Stealers/BlackMoon.exe
Resource
win10-20240404-en
Behavioral task
behavioral13
Sample
Stealers/Dridex.dll
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10-20240611-en
Behavioral task
behavioral15
Sample
Stealers/lumma.exe
Resource
win10-20240404-en
Behavioral task
behavioral16
Sample
Trojan/BetaBot.exe
Resource
win10-20240404-en
Behavioral task
behavioral17
Sample
Trojan/SmokeLoader.exe
Resource
win10-20240404-en
General
-
Target
Trojan/BetaBot.exe
-
Size
609KB
-
MD5
347d7700eb4a4537df6bb7492ca21702
-
SHA1
983189dab4b523e19f8efd35eee4d7d43d84aca2
-
SHA256
a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
-
SHA512
5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
SSDEEP
12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service 3 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe -
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral16/memory/1296-3-0x0000000000400000-0x000000000049F000-memory.dmp modiloader_stage2 behavioral16/memory/4188-15-0x0000000000480000-0x0000000000582000-memory.dmp modiloader_stage2 -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c5uuso9kkqkg.exe BetaBot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c5uuso9kkqkg.exe\DisableExceptionChainValidation BetaBot.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "qjulaubio.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\c5uuso9kkqkg.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\c5uuso9kkqkg.exe\"" explorer.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BetaBot.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c5uuso9kkqkg.exe\DisableExceptionChainValidation BetaBot.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 428 BetaBot.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1296 set thread context of 428 1296 BetaBot.exe 73 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BetaBot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BetaBot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 BetaBot.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString BetaBot.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe 4188 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 428 BetaBot.exe 428 BetaBot.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 428 BetaBot.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeDebugPrivilege 428 BetaBot.exe Token: SeRestorePrivilege 428 BetaBot.exe Token: SeBackupPrivilege 428 BetaBot.exe Token: SeLoadDriverPrivilege 428 BetaBot.exe Token: SeCreatePagefilePrivilege 428 BetaBot.exe Token: SeShutdownPrivilege 428 BetaBot.exe Token: SeTakeOwnershipPrivilege 428 BetaBot.exe Token: SeChangeNotifyPrivilege 428 BetaBot.exe Token: SeCreateTokenPrivilege 428 BetaBot.exe Token: SeMachineAccountPrivilege 428 BetaBot.exe Token: SeSecurityPrivilege 428 BetaBot.exe Token: SeAssignPrimaryTokenPrivilege 428 BetaBot.exe Token: SeCreateGlobalPrivilege 428 BetaBot.exe Token: 33 428 BetaBot.exe Token: SeDebugPrivilege 4188 explorer.exe Token: SeRestorePrivilege 4188 explorer.exe Token: SeBackupPrivilege 4188 explorer.exe Token: SeLoadDriverPrivilege 4188 explorer.exe Token: SeCreatePagefilePrivilege 4188 explorer.exe Token: SeShutdownPrivilege 4188 explorer.exe Token: SeTakeOwnershipPrivilege 4188 explorer.exe Token: SeChangeNotifyPrivilege 4188 explorer.exe Token: SeCreateTokenPrivilege 4188 explorer.exe Token: SeMachineAccountPrivilege 4188 explorer.exe Token: SeSecurityPrivilege 4188 explorer.exe Token: SeAssignPrimaryTokenPrivilege 4188 explorer.exe Token: SeCreateGlobalPrivilege 4188 explorer.exe Token: 33 4188 explorer.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1296 wrote to memory of 428 1296 BetaBot.exe 73 PID 1296 wrote to memory of 428 1296 BetaBot.exe 73 PID 1296 wrote to memory of 428 1296 BetaBot.exe 73 PID 1296 wrote to memory of 428 1296 BetaBot.exe 73 PID 1296 wrote to memory of 428 1296 BetaBot.exe 73 PID 428 wrote to memory of 4188 428 BetaBot.exe 74 PID 428 wrote to memory of 4188 428 BetaBot.exe 74 PID 428 wrote to memory of 4188 428 BetaBot.exe 74
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"2⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks whether UAC is enabled
- Indicator Removal: Clear Persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1Clear Persistence
1Modify Registry
5