A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19271  by Userbased
 Wed May 15, 2013 12:08 am
7 more Betabot/Neurevt droppers

MD5
Code: Select all
13B55725DE38FBE6647077FB8DB914BF
56EE6265872BA63A7AE020E36C5AB54D
A904BE7A50BDC94990E8BC415528DA0A
A1286FD94984FD2DE857F7B846062B5E
D1004B63D6D3CB90E6012C68E19AB453
DCA3B909741F53347F870A3CA815013F
E4855F795DE3A23820F7C7D937D33169
Also, gdata published a blogpost about the method used for UAC elevation.
http://blog.gdatasoftware.com/blog/arti ... a-bot.html
Attachments
password - infected
(1.47 MiB) Downloaded 136 times
 #19536  by Userbased
 Mon Jun 03, 2013 5:54 pm
12 more Betabot/Neurevt droppers
MD5
Code: Select all
1FB38A8392DF55BAAE02D7FD36AF4C13
7E9002D46D7CEE2259CDCDAA2B83A464
80AC8731FA69E1480719982BD527042E
09749A21FDF6EAD1E470F386ABF8EAB0
547400CDF9E9684EC4BB7285E3FF8E95
A0A66DFBDF1CE76782BA20A07A052976
B978757C9E4CD6377F8C6B14870E9108
C9B3E2C655DAD85FC0DD0554A4A38915
C749C0AF0B2F3E182D6FD2396E1B0D17
EBF466DA7B5F7ED3390F4C68F880BB68
F82534D4AD63D1A707087D52AB871563
FFC374C7B14E3539BCDD9D92ACFB6FCE
An article by SonicWall about the bot: https://www.mysonicwall.com/sonicalert/ ... cle&id=564

The coder seems to be upset about the characterization of his bot as banking malware. Apparently he coded it with skiddies mining bitcoins and stealing minecraft logins in mind, not for stealing banking info.
His friend iarkey got quite offended by some of the news coverage: http://touchmymalware.blogspot.ru/2013/ ... am-of.html
Attachments
password is infected
(3.7 MiB) Downloaded 112 times
 #19538  by EP_X0FF
 Tue Jun 04, 2013 3:59 am
SHA256: 4abd2d8cee357166c5072b992ad3fc7d30f913bfd58e9eec6e4414fe1ba09265
SHA1: 2cea22042dd80029dfa7505cd03a7413c1715e0b
MD5: 048e906b9f406c490a545bb51f6f4f1c

https://www.virustotal.com/en/file/4abd ... /analysis/

original + decrypted in attach. Sample courtesy of markusg.
Attachments
pass: infected
(341.83 KiB) Downloaded 131 times
 #19586  by Userbased
 Mon Jun 10, 2013 12:49 am
@markusg That's not Neuvret. Connects to blogs488484.serveblog.net on port 7898. Looks like darkcomet or blackshades.

Someone left the latest update for the panel and the binary on an open indexed server. The panel is ioncubed so it may be difficult to look for vulnerabilities.
Attachments
password: infected
(3.67 MiB) Downloaded 121 times
 #20175  by leeno
 Fri Jul 19, 2013 4:22 pm
Some CnC traced for BetaBot and Styx

BetaBot Live CnC Panel,

http://firecrypt.net/BetaBot/login.php
http://gamingplanet.us/codeserver/login.php
http://www.vbvx.com/remote/login.php
http://moneybooster.info/bb/login.php

Styx Exploit Kit CnC Server IP

188.40.147.234 , 192.210.223.38 , 78.83.177.246,128.204.198.33, 178.238.138.62, 198.50.215.79, 31.44.184.142,31.44.184.159, 75.75.226.52,78.46.169.163

Leeno
 #20879  by Userbased
 Fri Sep 20, 2013 6:10 pm
I have two samples of the new 1.5 version of betabot.
Code: Select all
--­---­---­---­---­---­---­---­---­---­---­---­---­---­----­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­--­---­---­---­--­---­---­---­-
Beta Bot - New Features and Additions
--­---­---­---­---­---­---­---­---­---­---­---­---­---­----­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­---­--­---­---­---­--­---­---­---­-

Highlights of the Update

File size is less than 140kb
Crypter Compatibility drastically increased
Full Chrome Support - The DNS Redirector and the Form Grabber now fully support Google Chrome.
64-Bit Userkit - Beta Bot's Userkit, or Ring-3 Rootkit, which previously only supported 32-Bit Machines, has been updated to support 64-Bit Machines as well.
POP3 Grabber - The POP3 Grabber delivers E-Mail login credentials as your bots log in over the network, in real time.
File Search - Search your bot's systems for specific keywords and filetypes. Files containing relevant keywords will be zipped and uploaded to the server.

Full Changelog - Sept 13 2013

Bot - Major

    64-bit userkit
    POP3 grabber
    Chrome grabber / DNS redirection support
    File search - Search all files' content for keywords and upload files containing matches to panel
    Config editor to edit builds -- Change group names
    Block installation of some bootkits (Mainly Rovnix(Carberp) - Can toggle on/off from panel)
    Enhanced bot resource protection (persistence) on some systems (around 40%~) (Much harder to remove in some cases)


Bot - Minor

    Run DLL/Jar files
    File size now less than 140kb
    Fetches UAC social engineering translations from panel
    ESET AV Killer now works on Vista+, AV Killer updated to include Ahnlab v3 Lite (XP only), BitDefender (on minimal config)
    Better support for Avast sandbox. All sandbox prompts are now automatically accepted to increase download/exec rate.
    Proactive bypasses updated (Trend Micro/McAfee now fully bypassed, BitDefender bypass finished but not 100% reliable)
    PuTTY Live login grabber now works with latest update (0.63). New code locations and improper typecasting previous caused crash in latest version (0.63)
    Improved crypter compatibility
    Added new detection techniques to botkiller and increased overall efficiency


Panel - Minor

    Enhanced search features
    TOR Blacklist
    Remove bot/other buttons on bot list
    Graphs added to statistics page / Panel settings reorganized
    Can now delete individual form/login grab entries
    Can now add lists of formgrab url masks at a time (Instead of just one at a time)
    Modify main bot list view settings (Change display order and maximum number of bots displayed per page)
    Main index now displays top 5 countries graph and world map based on bot count
    GeoIP updated


Panel - Major

    Notes system. Leave notes for single/all user(s)
    Task failure tracking
    AV Checker (s4y)
    Event logs page added in panel settings
    Bot grouping via group names
    Formgrabber filter management options increased, form search enhanced and other useful changes to formgrab feature
    Login grabber can now be toggled on/off


Fixes/Tweaks

    Fixed issue where large amounts of page numbers would take up entire webpage
    Fixed issue with formgrab filter management not properly handling some SQL queries
    Fixed issue with task processing where if bot received more than 3 tasks at once, it would only process first 3, and may sometimes crash while attempting to parse the 4th one
    Fixed crash issue related to thread creation in some processes
    Fixed rare issue in process injector where an improperly initialized structure could result in fatal crash
    Fixed a few memory leak issues
    Fixed formgrabber compatibility with Firefox versions >= 22
    Fixed issue with hook restorer not restoring system call hook
    Fixed formgrabber for Windows 8, however, userkit is still having issues
    Fixed issue where bot was not always sending stored logins for supported FTP Clients
    Tweak: Systems configured to use a proxy for internet access are now supported if bot cannot access directly after cycling through C&C list
    Tweak: HTTP Component now handles `302 Found` issues better. However, issue is considered *not* completely resolved.
    Tweak: More AVs detected and displayed on panel statistics
    Tweak: Grabbed logins exports are now in standard ftp://user:pass@domain.com -OR- type://user:pass@domain.com:port
    Tweak: UAC Social engineering trick no longer uses cmd.exe on Windows 7 systems
    Tweak: Duplicate bot issue should be *less* of a problem now. However, not completely fixed
Both samples are packed

MD5: c34e927287aacc3df09f05f09abd8271 https://www.virustotal.com/en/file/f344 ... 379700423/
MD5: e2dfeedddcad222a0edb6e4a9b5205a4 https://www.virustotal.com/en/file/bc77 ... /analysis/
Attachments
Password is "infected" without quotes
(342.28 KiB) Downloaded 109 times
 #20884  by patriq
 Fri Sep 20, 2013 8:52 pm
leeno wrote:Some CnC traced for BetaBot and Styx

BetaBot Live CnC Panel,

http://firecrypt.net/BetaBot/login.php
http://gamingplanet.us/codeserver/login.php
http://www.vbvx.com/remote/login.php
http://moneybooster.info/bb/login.php

Styx Exploit Kit CnC Server IP

188.40.147.234 , 192.210.223.38 , 78.83.177.246,128.204.198.33, 178.238.138.62, 198.50.215.79, 31.44.184.142,31.44.184.159, 75.75.226.52,78.46.169.163

Leeno
Just wanted to note this C&C:

http://moneybooster.info/login.php

Now hosting a stresser service called PokeBoot (or maybe its Pok'e..like Pokemon? Who cares. )

credentials test:test gets you in to look around.

Coded by WicKd and LiteSpeed...some HF children.

Sorry, not trying to get too far off topic...

http://www.exposedbotnets.com/2013/09/b ... orums.html

So you should be able to extract the HF username..
http://www.kernelmode.info/forum/viewto ... 879#p20879
I had a quick look at these two samples, but didn't the username strings.
 #20886  by Userbased
 Fri Sep 20, 2013 9:46 pm
I don't think the values are stored as unecrypted strings in the binary. It appears they are created as memory events when the bot is executed. I'm not sure how to extract them, but they show up in comodo sandbox.
Code: Select all
http://camas.comodo.com/cgi-bin/submit?file=29077af0932d4f5ec1810e94850c8f0e117996e6275db8347b273b2c75623de5
G:E1B4D028737BD549A811292CFF94414D_0x03570142_I:h4r3_v1$

http://camas.comodo.com/cgi-bin/submit?file=c1aecc3859836cf2606c3fde3c37e16fb5af8fd0d118068b9260b77821aecbe0
G:34C588F073C82446B64BBDC9CB9FD3A4_0x08840284_I:caerus_v1$

http://camas.comodo.com/cgi-bin/submit?file=295c5d25908d191b44c7f6fabd3316418019c76318b6a446310ff5ae589fc451
G:1CF4A6BC115049429B3711F0131AF782_0x209E04FA_I:companyatjab_v1$

http://camas.comodo.com/cgi-bin/submit?file=5a4c93a233456179ada00948e9adca51b19401b19864ca4b3bb1695e7399fac2
G:88B8994116189D418F50C1DA95A6A5E1_0x0F2A0355_I:shubhank_v1$

http://camas.comodo.com/cgi-bin/submit?file=6f101ce863f3452c08032cab3f0281c65af02858fbda9447e157fab8bcb8882e
G:A545D80973911945B2A697D00A4C230C_0x04750144_I:792476_v1$

http://camas.comodo.com/cgi-bin/submit?file=e068f68663198b02dba1fd0ea0ffafa9800df3f39b57105cfb667b7f3d23f6f4
G:7DFBB8DFC863C647827F9EA026E8192A_0x1BE003AB_I:zerod30_1111_v1$

http://camas.comodo.com/cgi-bin/submit?file=16bbf3ee58352ecd63a79cc74eb118de72538f9118c3171498ef84783455422d
G:E027D34A909F8C4194F86897797496D9_0x11440392_I:an7hraxse_v1$
	
http://camas.comodo.com/cgi-bin/submit?file=f344726f8e26a1c3972e61ebfb0c5465c61585adfa16177086ff3711aa46383a
G:AE6A7C3E03CF914489A1D0AE2844D10F_0x0B8E02B5_I:marvid1_v1$	

http://camas.comodo.com/cgi-bin/submit?file=9c8c353dace937330ebfa80ecef51c221760d7104e44095c6964742394f009c5
G:6C10CC1EFE734E40B714CEBAFB365E55_0x0C2C030C_I:shrooms_v1$

http://camas.comodo.com/cgi-bin/submit?file=9a6f2b477aded364f6d39f184dcd34a2aff36e8623c6da62181e9447ec4b0711
G:A680B010DB85B343AEC7801FF594E994_0x05B00174_I:1427399_v1$

http://camas.comodo.com/cgi-bin/submit?file=93d75af468033661fbe022cfc6ba8c81ae79ae03badd741dfdb839c21487afdc
G:2BDB7842D4F1DD46B5B577A747B4510A_0x0BC402F2_I:lavnesh_v1$

http://camas.comodo.com/cgi-bin/submit?file=fc42caf9017535fc9a3ce83c8a22b3ec3785c11becf3e1d95f1ae51356829bf7
G:A6EE4A269BA2544CBAC7BDCDECB196B4_0x177E0429_I:stringback_v1$

http://camas.comodo.com/cgi-bin/submit?file=69ed89bddeef54dbee145cba939af93da012ac773341f0dff8e75f41f52120bd
G:EE6A68C41D757F47ACF76ADC6916CA77_0x118802E4_I:jmr21900f8_v1$

http://camas.comodo.com/cgi-bin/submit?file=d0afdfe521a2c33d3f2ff533d5fccb6695112e2fc1a3833c0781c80f3309fb76
G:EBA84B97FDE9EF4A8C2E3FBB19BFDBE5_0x0F030370_I:cobraxxx_v1$

http://camas.comodo.com/cgi-bin/submit?file=235cb1872d335cf0fcfcce6cc4135023c1a7dde0fc6747db2f9fad1d81c87949
G:8BE884970091A24AAE87F7E5EABE734D_0x136203DD_I:euroroids_v1$

http://camas.comodo.com/cgi-bin/submit?file=96799d5bb54c38cc464f5b3489d760631ea43c718c84bcd52136c1105a4383c1
G:5BB484B045E0EC46A05431506D087881_0x08190264_I:Marvid_v1$

http://camas.comodo.com/cgi-bin/submit?file=50cc59085617e9b51c24e480f90188e1a363d83f1e248be6b32b877c3c183c13
G:8C7E114D6ADA7D41A8EFD24CE361AFFE_0x16F0034B_I:infin219235_v1$

http://camas.comodo.com/cgi-bin/submit?file=8a04690dbef7939826e0174073c34f73c668fa180da54a07e6e34815902702ce
G:B2F51F1F4F83824B98C712DDF127104E_0x0E8302EE_I:marvid82_v1$

http://camas.comodo.com/cgi-bin/submit?file=0f494b4e42f4bc197dc1c158c84b391f12266a4bed74b2be29ca0db43c2f0aa8
G:3F93E20360C6A548A67C16799A471F0C_0x06290210_I:boing_v1$

http://camas.comodo.com/cgi-bin/submit?file=8c673b7af36a1c0282dda9dbe26e3c45576a913c2324653843ecb03cd1759a86
G:A5DA2AB6AD12DC4EB56AEEB0B1640F4D_0x0DF402B2_I:solid006_v1$

http://camas.comodo.com/cgi-bin/submit?file=202e61bee15643236b366e2a5c457d057899b954d717c385392aa0dd0b6e5a69
G:24B2618456EB3F498CF8CCEEAF08BD74_0x04750144_I:792476_v1$

http://camas.comodo.com/cgi-bin/submit?file=cf0126e26f9f73ff8f4daf60cfe98b7b2b14fad2ab34a674b49b75ee5be63fac
G:B979EB2238BEC749A9ED0589156B0EF9_0x0E5602E0_I:shbhnk01_v1$

http://camas.comodo.com/cgi-bin/submit?file=e7a7ecca142b8904f1ce91c0fd96747399734d5947a911295f1b85942557ce4b
G:3B8D2EAF233C6A4D8E7D29C60EC6659D_0x15D10375_I:unkown1818_v1$
 #20900  by r3shl4k1sh
 Sat Sep 21, 2013 11:42 pm
Userbased wrote:I have two samples of the new 1.5 version of betabot.
Both samples are packed

MD5: c34e927287aacc3df09f05f09abd8271 https://www.virustotal.com/en/file/f344 ... 379700423/
MD5: e2dfeedddcad222a0edb6e4a9b5205a4 https://www.virustotal.com/en/file/bc77 ... /analysis/
in attach Unpacked + dump of config section:
MD5: c34e927287aacc3df09f05f09abd8271
MD5: e2dfeedddcad222a0edb6e4a9b5205a4

In the config section of (c34e927287aacc3df09f05f09abd8271) you can get the follwing info:
  • Owner name: marvid1
  • C&C address(es) + Port
    Code: Select all
    login: navega.pw/b7891/b986/vid5852/mar/360/bnav123/login.php
    gate: navega.pw/b7891/b986/vid5852/mar/360/bnav123/order.php
    
  • Dropped file name: System
  • Key(s) that encrypt & decrypt network communication

From the config of e2dfeedddcad222a0edb6e4a9b5205a4:
  • Owner: d8902659
  • Dropped File name: jhgvy76765guhb
  • C&C:
    Code: Select all
    gate: hxxp://n18b7273u1j.in/M_jsh1/order.php
    login: hxxp://n18b7273u1j.in/M_jsh1/login.php
    
    gate: hxxp://b19jdn167t.in/M_jsh1/order.php
    login: hxxp://b19jdn167t.in/M_jsh1/login.php
    
Attachments
pass: infected
(132.12 KiB) Downloaded 89 times
pass: infected
(131.76 KiB) Downloaded 88 times