[r3shl4k1sh]

More BetaBot:

In attach Unpacked + dump of config:
MD5 c6ca1470501c1d885717104ca9ac51e2
MD5 4046fd4e5ddfc40548c2316d6cd289f4
MD5 c994461c69b02a63d0f1bbcd2a56ba54

From the config of c6ca1470501c1d885717104ca9ac51e2:

• Owner: the sky daddy
• Dropped File name: svchost (win)
• C&C(s):
  Code: Select all

  gate: sentryme.com/order.php
  
  gate: stayattentive.com/order.php
  

From the config of 4046fd4e5ddfc40548c2316d6cd289f4:

• Owner: lavnesh (http://www.hackforums.net/member.php?ac ... uid=101982 ???)
• Dropped File name: Realtek (Realtek\Audio\Manager)
• C&C(s):
  Code: Select all

  gate: hxxp://lpa4u.in/radioserver/order.php
  
  

From the config of c994461c69b02a63d0f1bbcd2a56ba54:

• Owner: nicksasa
• Dropped File name: Magic Helper
• C&C(s):
  Code: Select all

  gate: hxxp://imafaggot.pw/service/order.php
  
  gate: hxxp://winblowservice.hopto.org/service/order.php
  login: hxxp://winblowservice.hopto.org/service/login.php
  
  gate: hxxp://imtheop.redirectme.net/service/order.php
  login: hxxp://imtheop.redirectme.net/service/login.php
  

[EP_X0FF]

From the inside - Betabot (c) 2012-2014, coded by Userbased.

As for super-duper stealth loading - well just changed a bit handler of NTDLL registry hook, now it is giving faked registry path representing Betabot as second copy of Explorer.exe. But this entry has randomized name which itself is suspicious by default. Malware body still in Common Files\Betabot folder + hidden attribute. While loading bot starts zombified copy of explorer.exe and injects itself inside, performs hooking of KiFastSystemCall + some winsock routines (GetAddrInfo) and start working, injecting itself in every newly started process. As it hooks NtOpenProcess in every injected process you can't simple kill this explorer.exe zombie. Adverted AntiRovnix is based on NtCreateFile handler where it monitors for DR(X) write access at boot sector.

As for removal (even considering huge AV blacklist inside with pagefile trick, image execution options etc) it should be no problem for AV if it knowns it by signature. However you can do it much faster in few clicks with WinHex. Just open disk in raw mode, navigate to malware folder and wipe MZ header. After reboot malware will be dead. This is similar to old RkU wipe file feature.

What about new "small" size. Well it is marketing trick. Betabot is now 3 staged. First - script-kiddie vbrun cryper, second is self-made Betabot pre-loader -> purpose allocate ERW memory, decrypt main bot to it and transfer control then. Main bot using function pointers obtained by hashes (see for decoding 004203AD in 3 stage). Clean 2, 3 stages in attach.

[Thanat0S]

From the inside - Betabot (c) 2012-2014, coded by Userbased.

As for super-duper stealth loading - well just changed a bit handler of NTDLL registry hook, now it is giving faked registry path representing Betabot as second copy of Explorer.exe. But this entry has randomized name which itself is suspicious by default. Malware body still in Common Files\Betabot folder + hidden attribute. While loading bot starts zombified copy of explorer.exe and injects itself inside, performs hooking of KiFastSystemCall + some winsock routines (GetAddrInfo) and start working, injecting itself in every newly started process. As it hooks NtOpenProcess in every injected process you can't simple kill this explorer.exe zombie. Adverted AntiRovnix is based on NtCreateFile handler where it monitors for DR(X) write access at boot sector.

As for removal (even considering huge AV blacklist inside with pagefile trick, image execution options etc) it should be no problem for AV if it knowns it by signature. However you can do it much faster in few clicks with WinHex. Just open disk in raw mode, navigate to malware folder and wipe MZ header. After reboot malware will be dead. This is similar to old RkU wipe file feature.

What about new "small" size. Well it is marketing trick. Betabot is now 3 staged. First - script-kiddie vbrun cryper, second is self-made Betabot pre-loader -> purpose allocate ERW memory, decrypt main bot to it and transfer control then. Main bot using function pointers obtained by hashes (see for decoding 004203AD in 3 stage). Clean 2, 3 stages in attach.

so Userbased == betamonkey, EP_X0FF? :o

[Thanat0S]

I think anyone in the scene must create a builder to this shit and stop the game to this skid. bin is compressed with 7zip algo.

[EP_X0FF]

String inside bot doesn't prove anything.

[Win32:Virut]

Detected as Trojan:Win32/Neurevt.A by Microsoft.

[TheExecuter]

As it hooks NtOpenProcess in every injected process you can't simple kill this explorer.exe zombie

it hooks 64bit processes also? if not then procexp-64 could get it.

Innovative injection technique(s) allow bypassing most antivirus HIPS solutions.

found this advert, haven't actually seen the inside. is something new or already used methods?

[EP_X0FF]

As it hooks NtOpenProcess in every injected process you can't simple kill this explorer.exe zombie

it hooks 64bit processes also? if not then procexp-64 could get it.

It has tools blacklist inside, including sysinternals. Bot just wow64 compatible, not x64.

[Thanat0S]

it contains blacklist of a lot of tools ( process monitor not process exp, RKU, tcpview )
also, In the skid forum, he (betamoneky) says it includes x64 support.

[Thanat0S]

does anyone has panel src of 1.5 please