BetaBot builder v 1.7.0.1 found in the wild attached
Attachments
infected
(6.46 MiB) Downloaded 150 times
A forum for reverse engineering, OS internals and malware analysis
black_chance wrote: I'm a beginner in malware analysis. I tried to unpack this version of Betabot (Neurevt 1.7.0.1) but can't unpack it.

Load it in a debugger. Clear the PEB->BeingDebugged flag. Set a BP on NtFreeVirtualMemory. Run the target until the BP hits. Inspect virtual memory for a decrypted body inside a huge RWE region. Dump this code pornography to disk. Script-kiddie bot unpacking done.

how can I unpack it?? I tried again.
please help me and please unpack it so that I can analyse it.
ikolor wrote: next "Betabot" posts moved.
https://www.virustotal.com/en/file/22d1 ... 464549105/
markusg wrote: (Thu Aug 03, 2017 10:50 pm) SHA256: Ref http://www.kernelmode.info/forum/viewto ... 676#p30676 (it is hard to split posts when they contain different malware and analysis results).
a70b7ed2aceac7b591bd64950fda5d358bc6d64d175fff61156a3eedc3a3f629
Filename:
disableTrial.exe
https://virustotal.com/de/file/a70b7ed2 ... /analysis/