A forum for reverse engineering, OS internals and malware analysis 

Yet another PbBot bootkit (alias Zegost, Verconf, Backboot)

Forum for analysis and discussion about malware.

Yet another PbBot bootkit (alias Zegost, Verconf, Backboot)

 #16997  by cjbi
 Mon Dec 03, 2012 2:07 pm
Fresh yet another PbBot bootkit dropper.
Obvious Korean targeted malware is obvious.

Same purpose, but different code.
So I opened new post for this.

Dropper, payloads and MBR dump attached.

VirusTotal result(s):
mbr.bin 12/45 https://www.virustotal.com/file/259b99a ... 354543323/
KTX_1.exe.vir 14/45 https://www.virustotal.com/file/bc5a237 ... 354542280/
Attachments
pass: infected
(2.59 MiB) Downloaded 110 times

Re: Yet another PbBot bootkit (alias Zegost, Verconf, Backbo

 #19019  by cjbi
 Sat Apr 20, 2013 6:35 am
Fresh yet another PbBot bootkit dropper detected.
Droppers, payloads and MBR dump attached.

VirusTotal result(s):
Legit installer + Dropper
fastpingsetup.exe.vir 5/45 https://www.virustotal.com/en/file/3b87 ... 366438951/
FastPing_Install.exe.vir 9/46 https://www.virustotal.com/en/file/2a0a ... 366438967/

Dropper
SEVEN.exe.vir 7/46 https://www.virustotal.com/en/file/76eb ... 366438861/

Payload: MBR
mbr.bin 15/46 https://www.virustotal.com/en/file/10dc ... 366439692/

Payload: PbBot downloader DLL
DLL_decrypted.bin 23/46 https://www.virustotal.com/en/file/f3b9 ... 366439520/

Final payload: Delphi coded PbBot
K11.EXE.vir 12/46 https://www.virustotal.com/en/file/c1f9 ... 366439058/
Attachments
pass: infected
(1.2 MiB) Downloaded 71 times

YA PbBot bootkit (alias Zegost, Verconf, Backboot, Bootkor)

 #19131  by cjbi
 Wed May 01, 2013 8:37 am
Fresh & old Yet Another PbBot bootkit droppers detected.
Droppers, payloads and MBR dump attached.

VirusTotal result(s):
Legit installer + Dropper
wLauncher.exe.vir 32/46 https://www.virustotal.com/en/file/23dc ... 367397124/
ChaosOne.exe.vir 13/46 https://www.virustotal.com/en/file/036e ... 367397064/

Dropper
ADMIN18.exe.vir 35/46 https://www.virustotal.com/en/file/ab04 ... 367391587/
kogosof.exe.vir 13/46 https://www.virustotal.com/en/file/9f98 ... 367396263/

Payload: MBR
mbr.bin 15/46 https://www.virustotal.com/en/file/a099 ... 367396443/

Payload: PbBot downloader DLL
DLL_decrypted.bin
33/46 https://www.virustotal.com/en/file/91de ... 367396812/
24/46 https://www.virustotal.com/en/file/2f70 ... 367396763/

Final payload: Delphi coded PbBot
K11.exe.vir 10/46 https://www.virustotal.com/en/file/ef1f ... 367396987/
Attachments
pass: infected
(1.57 MiB) Downloaded 58 times
 Return to “Malware”