A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22008  by Xylitol
 Mon Jan 20, 2014 4:08 pm
https://www.virustotal.com/en/file/39c2 ... 390228650/ > 0/49
Code: Select all
http://fbcentral.net/software/HPmanager.exe
• dns: 1 ›› ip: 109.163.228.196 - adress: FBCENTRAL.NET
C&C login interface changed a bit since the 1.7 announcement.
Image
Attachments
infected
(228.29 KiB) Downloaded 111 times
 #22077  by tx707
 Wed Jan 29, 2014 5:48 am
Userbased wrote:I had a look at one of the C&C's Xylitol posted on cybercrime tracker.

Betabot 1.7 Panel and uncrypted binary
Code: Select all
hxxp://world-star-madness.com/pan.rar
Actually I'm interested on how Xylitol got the panel url anyways.
Damn.. forgot to remove the panel after I've downloaded it. Thanks xylitol...
 #22082  by Userbased
 Wed Jan 29, 2014 5:38 pm
The virus bulletin article is out from behind the paywall.

http://blog.fortinet.com/NEUREVT-BOT-ANALYSIS/

The samples in the article are the from versions 1.0 and 1.0.2.5, so some things have changed in the more recent versions.

Interestingly, the article shows that a Skype spreading function was complete and available in the binary, despite the fact that this was (as far as I know) never given as an option in the panel (The author had it listed as an initial feature but was then terrified by the attention it could draw to the bot).
 #22706  by Xylitol
 Mon Apr 21, 2014 7:31 am
https://www.virustotal.com/en/file/62dd ... 398065285/
> http://vxvault.siri-urz.net/ViriList.ph ... 6BC7D3963A

Image
Code: Select all
Key1=CF056C78778C0811
Key2=6E0F2D841777EF11
"-DO NOT SHARE YOUR UNCRYPTED BINARY OR EXECUTABLE. ALWAYS SHARE OR SPREAD YOUR CRYPTED FILE.
-USERS CAUGHT DISTRIBUTING UNCRYPTED BINARIES WILL NO LONGER RECEIVE UPDATES."
Fail.
Attachments
infected
(6.79 MiB) Downloaded 170 times