A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20930  by Xylitol
 Mon Sep 23, 2013 8:40 am
No, people should stop with the myth of decoding ionCube stuff. Yeah, it decodes partially; variables and stuff are recovered sometimes, but not with the original names, and most of the recovered parts are even useless. If it were so easy to decode ionCube we would already see a bunch of hacked Blackhole running.
 #20935  by patriq
 Mon Sep 23, 2013 3:18 pm
Xylitol wrote:
Thanat0S wrote:does anyone has panel src of 1.5 please
useless, panel is under ioncube.
Yep, it's ionCubed.

Pulled this BetaBot 1.5 panel from

hxxp://imtheop.redirectme.net/
hxxp://winblowservice.hopto.org/
both resolve to:
207.12.89.154

directory listing..allowed? :-)
Attachment (4.24 MiB)
 #20936  by patriq
 Mon Sep 23, 2013 3:54 pm
r3shl4k1sh wrote:More BetaBot:

In attach Unpacked + dump of config:
MD5 c6ca1470501c1d885717104ca9ac51e2
MD5 4046fd4e5ddfc40548c2316d6cd289f4
MD5 c994461c69b02a63d0f1bbcd2a56ba54

From the config of c6ca1470501c1d885717104ca9ac51e2:
  • Owner: the sky daddy
  • Dropped File name: svchost (win)
  • C&C(s):
    gate: sentryme.com/order.php
    gate: stayattentive.com/order.php
From the config of 4046fd4e5ddfc40548c2316d6cd289f4:
From the config of c994461c69b02a63d0f1bbcd2a56ba54:
  • Owner: nicksasa
  • Dropped File name: Magic Helper
  • C&C(s):
    gate: hxxp://imafaggot.pw/service/order.php
    gate: hxxp://winblowservice.hopto.org/service/order.php
    login: hxxp://winblowservice.hopto.org/service/login.php
    gate: hxxp://imtheop.redirectme.net/service/order.php
    login: hxxp://imtheop.redirectme.net/service/login.php

Go-Go-Gadget: Directory Listing!

Samples in attachment pulled from:
hxxp://winblowservice.hopto.org
hxxp://imtheop.redirectme.net
(207.12.89.154)
33ae38898f5635cd46ec4b0f78d3ad6b
b26d1aec219ce45b2e80769368310471
4295e49380f2c8dca61c38f811dff2cc
00f314fbd45d4930eedc6168453a9ad7
71d085cf6737ead3b92f61d85c9a221b
2427918e2745ae122ae9703e40bcd0f7
ffdf06fb9dd3f55df7920f7f4202653e
48889aeee32b3fd6cf1057ad008220e7
a3ccfd0aa0b17fd23aa9fd0d84b86c05
Sorry nicksasa, but why would you leave this out in the open, man?
$dbc = mysql_connect("localhost","root","rZkJJ7W6HJTX");
 #20943  by r3shl4k1sh
 Tue Sep 24, 2013 1:05 am
I wrote a short article on how to extract the configuration info from BetaBot samples.

In essence all you have to do is:
  • Set a breakpoint right at the start address of the function that is responsible for the decryption (offset 0x255A in the latest 1.5 versions)
  • Run the bot until breakpoint is hit
  • Inspect the memory pointed by the EDX register
  • Run until the end of the function
  • At the memory you can see the decrypted data
You get the configuration info at the second hit of the breakpoint.


You can read the full tutorial here: http://www.malwaredigger.com/2013/09/ho ... -info.html
 #20950  by rinn
 Tue Sep 24, 2013 3:03 pm
Hi.
Betabot is under active development and the author(s) are likely reading this forum. With respect to all the RE done in this topic, I think the public section isn't the appropriate place to post any details about config decoding, as the author(s) will definitely take this as a TODO to improve/change in the next version.
Thanat0S wrote:I think anyone in the scene must create a builder to this shit and stop the game to this skid.
I don't think it is a good idea because of:

1. A custom malware builder will still be a malware builder, which means it will be used by criminals of all kinds; unless you want to help criminals and popularize this bot, it is not a good idea at all. Remember, this bot is not the dead SpyEye, it is under active development.
2. The same applies to the web panel. Why do most people always want this stuff? The first obvious answer: to use it for yourself. Second: yeah, the panel can be useful for researchers, but I think you can get it without public discussions and sharing.

From rules:
NO ILLEGAL CONTENT. This means: no posting warez, cracked software, or talking about how to write viruses and trojans. We do not create malware here.
... which implies "we do not use malware" too.

Instead of re-using this malware for your own needs and playing actual "script-kiddie" games, the right move would be producing and popularizing removal and detection instructions.


My 2 cents.

Best Regards,
-rin
 #21291  by Userbased
 Wed Oct 30, 2013 10:03 pm
BetaBot downloaded by P2P-Zeus from:
hxxp://novemberspecials.ru/build.exe
MD5:
01448a15955c3e865ea122a4e397e65d
VirusTotal: https://www.virustotal.com/en/file/3bd8 ... /analysis/
Gate:
hxxp://renterlocal.su/be/order.php
Alternate domains:
municipales.ru
wmkdi.su
dfntlk.su
captioncodes.ru
juliussdietz.ru

Bonus open formgrabber directory:
hxxp://novemberspecials.ru/files/data/
Attachment (272.5 KiB), password: infected