Overview
overview
10Static
static
10Archive.zip
windows10-1703-x64
1Dropper/Berbew.exe
windows10-1703-x64
10Dropper/Phorphiex.exe
windows10-1703-x64
10out.exe
windows10-1703-x64
3RAT/31.exe
windows10-1703-x64
10RAT/XClient.exe
windows10-1703-x64
10RAT/file.exe
windows10-1703-x64
7Ransomware...-2.exe
windows10-1703-x64
10Ransomware...01.exe
windows10-1703-x64
10Ransomware...lt.exe
windows10-1703-x64
10Stealers/Azorult.exe
windows10-1703-x64
10Stealers/B...on.exe
windows10-1703-x64
10Stealers/Dridex.dll
windows10-1703-x64
10Stealers/M..._2.exe
windows10-1703-x64
10Stealers/lumma.exe
windows10-1703-x64
10Trojan/BetaBot.exe
windows10-1703-x64
10Trojan/Smo...er.exe
windows10-1703-x64
10Resubmissions
12-09-2024 02:23
240912-cvfznswere 1004-09-2024 00:09
240904-afvheascla 1003-09-2024 18:57
240903-xl8csavfrb 1003-09-2024 18:12
240903-ws828asgnm 10Analysis
-
max time kernel
1798s -
max time network
1786s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
04-09-2024 00:09
Behavioral task
behavioral1
Sample
Archive.zip
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Dropper/Berbew.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Dropper/Phorphiex.exe
Resource
win10-20240611-en
Behavioral task
behavioral4
Sample
out.exe
Resource
win10-20240404-en
Behavioral task
behavioral5
Sample
RAT/31.exe
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
RAT/XClient.exe
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
RAT/file.exe
Resource
win10-20240404-en
Behavioral task
behavioral8
Sample
Ransomware/Client-2.exe
Resource
win10-20240611-en
Behavioral task
behavioral9
Sample
Ransomware/criticalupdate01.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
Ransomware/default.exe
Resource
win10-20240404-en
Behavioral task
behavioral11
Sample
Stealers/Azorult.exe
Resource
win10-20240404-en
Behavioral task
behavioral12
Sample
Stealers/BlackMoon.exe
Resource
win10-20240611-en
Behavioral task
behavioral13
Sample
Stealers/Dridex.dll
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10-20240611-en
Behavioral task
behavioral15
Sample
Stealers/lumma.exe
Resource
win10-20240404-en
Behavioral task
behavioral16
Sample
Trojan/BetaBot.exe
Resource
win10-20240404-en
Behavioral task
behavioral17
Sample
Trojan/SmokeLoader.exe
Resource
win10-20240404-en
General
-
Target
Trojan/BetaBot.exe
-
Size
609KB
-
MD5
347d7700eb4a4537df6bb7492ca21702
-
SHA1
983189dab4b523e19f8efd35eee4d7d43d84aca2
-
SHA256
a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
-
SHA512
5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
SSDEEP
12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service 3 TTPs 4 IoCs
Processes:
explorer.exedescription ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
ModiLoader Second Stage 2 IoCs
Processes:
resource yara_rule behavioral16/memory/1100-2-0x0000000000400000-0x000000000049F000-memory.dmp modiloader_stage2 behavioral16/memory/3412-16-0x00000000028E0000-0x00000000029E2000-memory.dmp modiloader_stage2 -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
Processes:
explorer.exeBetaBot.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "snesjybudn.exe" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aq5w1eeo11.exe BetaBot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aq5w1eeo11.exe\DisableExceptionChainValidation BetaBot.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\aq5w1eeo11.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\aq5w1eeo11.exe\"" explorer.exe -
Processes:
BetaBot.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BetaBot.exe -
Processes:
BetaBot.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aq5w1eeo11.exe\DisableExceptionChainValidation BetaBot.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
BetaBot.exeexplorer.exepid Process 2328 BetaBot.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
BetaBot.exedescription pid Process procid_target PID 1100 set thread context of 2328 1100 BetaBot.exe 74 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
BetaBot.exeBetaBot.exeexplorer.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BetaBot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BetaBot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
BetaBot.exeexplorer.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 BetaBot.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString BetaBot.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
explorer.exepid Process 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe 3412 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid Process 3412 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
BetaBot.exepid Process 2328 BetaBot.exe 2328 BetaBot.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
BetaBot.exepid Process 2328 BetaBot.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
BetaBot.exeexplorer.exedescription pid Process Token: SeDebugPrivilege 2328 BetaBot.exe Token: SeRestorePrivilege 2328 BetaBot.exe Token: SeBackupPrivilege 2328 BetaBot.exe Token: SeLoadDriverPrivilege 2328 BetaBot.exe Token: SeCreatePagefilePrivilege 2328 BetaBot.exe Token: SeShutdownPrivilege 2328 BetaBot.exe Token: SeTakeOwnershipPrivilege 2328 BetaBot.exe Token: SeChangeNotifyPrivilege 2328 BetaBot.exe Token: SeCreateTokenPrivilege 2328 BetaBot.exe Token: SeMachineAccountPrivilege 2328 BetaBot.exe Token: SeSecurityPrivilege 2328 BetaBot.exe Token: SeAssignPrimaryTokenPrivilege 2328 BetaBot.exe Token: SeCreateGlobalPrivilege 2328 BetaBot.exe Token: 33 2328 BetaBot.exe Token: SeDebugPrivilege 3412 explorer.exe Token: SeRestorePrivilege 3412 explorer.exe Token: SeBackupPrivilege 3412 explorer.exe Token: SeLoadDriverPrivilege 3412 explorer.exe Token: SeCreatePagefilePrivilege 3412 explorer.exe Token: SeShutdownPrivilege 3412 explorer.exe Token: SeTakeOwnershipPrivilege 3412 explorer.exe Token: SeChangeNotifyPrivilege 3412 explorer.exe Token: SeCreateTokenPrivilege 3412 explorer.exe Token: SeMachineAccountPrivilege 3412 explorer.exe Token: SeSecurityPrivilege 3412 explorer.exe Token: SeAssignPrimaryTokenPrivilege 3412 explorer.exe Token: SeCreateGlobalPrivilege 3412 explorer.exe Token: 33 3412 explorer.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
BetaBot.exeBetaBot.exedescription pid Process procid_target PID 1100 wrote to memory of 2328 1100 BetaBot.exe 74 PID 1100 wrote to memory of 2328 1100 BetaBot.exe 74 PID 1100 wrote to memory of 2328 1100 BetaBot.exe 74 PID 1100 wrote to memory of 2328 1100 BetaBot.exe 74 PID 1100 wrote to memory of 2328 1100 BetaBot.exe 74 PID 2328 wrote to memory of 3412 2328 BetaBot.exe 75 PID 2328 wrote to memory of 3412 2328 BetaBot.exe 75 PID 2328 wrote to memory of 3412 2328 BetaBot.exe 75
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"C:\Users\Admin\AppData\Local\Temp\Trojan\BetaBot.exe"2⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks whether UAC is enabled
- Indicator Removal: Clear Persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1Clear Persistence
1Modify Registry
5