A forum for reverse engineering, OS internals and malware analysis 

 #20930  by Xylitol
 Mon Sep 23, 2013 8:40 am
No, people should stop with the myth of decoding ionCube stuff. Yeah, it decodes... partially: variables and stuff are recovered sometimes, but not with the original names, and most of the recovered parts are even useless. If it were so easy to decode ionCube we would already see a bunch of hacked Blackhole running.
 #20935  by patriq
 Mon Sep 23, 2013 3:18 pm
Xylitol wrote:
Thanat0S wrote:does anyone has panel src of 1.5 please
Useless, the panel is under ionCube.
Yep, it's ionCubed.

Pulled this BetaBot 1.5 panel from

both resolve to:

directory listing..allowed? :-)
 #20936  by patriq
 Mon Sep 23, 2013 3:54 pm
r3shl4k1sh wrote:More BetaBot:

In attachment: unpacked + dump of config:
MD5 c6ca1470501c1d885717104ca9ac51e2
MD5 4046fd4e5ddfc40548c2316d6cd289f4
MD5 c994461c69b02a63d0f1bbcd2a56ba54

From the config of c6ca1470501c1d885717104ca9ac51e2:
  • Owner: the sky daddy
  • Dropped File name: svchost (win)
  • C&C(s):
    gate: sentryme.com/order.php
    gate: stayattentive.com/order.php
From the config of 4046fd4e5ddfc40548c2316d6cd289f4:

From the config of c994461c69b02a63d0f1bbcd2a56ba54:
  • Owner: nicksasa
  • Dropped File name: Magic Helper
  • C&C(s):
    gate: hxxp://imafaggot.pw/service/order.php
    gate: hxxp://winblowservice.hopto.org/service/order.php
    login: hxxp://winblowservice.hopto.org/service/login.php
    gate: hxxp://imtheop.redirectme.net/service/order.php
    login: hxxp://imtheop.redirectme.net/service/login.php

Go-Go-Gadget: Directory Listing!

samples in attachment pulled from:
sorry nicksasa, but why would you leave this out in the open man?
$dbc = mysql_connect("localhost","root","rZkJJ7W6HJTX");
 #20943  by r3shl4k1sh
 Tue Sep 24, 2013 1:05 am
I wrote a short article on how to extract the configuration info from BetaBot samples.

In essence all you have to do is:
  • Set a breakpoint right at the start address of the function that is responsible for the decryption (offset 0x255A in the latest 1.5 versions)
  • Run the bot until breakpoint is hit
  • Inspect the memory pointed to by the EDX register
  • Run until the end of the function
  • At that memory location you can see the decrypted data
You get the configuration info at the second hit of the breakpoint.


You can read the full tutorial here: http://www.malwaredigger.com/2013/09/ho ... -info.html
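The tutorial above ends at the point where the decrypted data is visible in memory. As an added example (not code from the tutorial or from the thread), the script below takes a dump of that buffer, written to disk from the debugger after the second breakpoint hit, and turns it into indicators a defender can act on: it extracts the C&C gate and login URLs, refangs/defangs them, and lists the unique hostnames for a blocklist or DNS detection rule. The byte layout of SAMPLE_DUMP is constructed and assumed (NUL-separated strings with other data sharing the region); only the field labels ("Owner", "Dropped File name", "gate:", "login:") follow the config dumps posted earlier in this thread, and the hostnames use the reserved .invalid TLD.

```python
"""Post-process a memory dump of a decrypted BetaBot configuration.

Added example for this thread, not the tutorial's own code. The in-memory
layout below is an ASSUMPTION; the field labels mirror the config dumps
posted in the thread.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the buffer EDX points to after the decryption
# routine returns: NUL-separated config strings followed by unrelated bytes
# that happen to share the same region.
SAMPLE_DUMP = (
    b"Owner: example-operator\x00"
    b"Dropped File name: svchost (win)\x00"
    b"gate: http://c2-one.invalid/order.php\x00"
    b"gate: hxxp://c2-two.invalid/service/order.php\x00"
    b"login: http://c2-two.invalid/service/login.php\x00"
    b"\x00\x00\x8b\xec\x90\x90\x00Zz\x00"
)

# Printable ASCII runs of at least 4 bytes, the same heuristic `strings` uses.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Config lines of the form "gate: <url>" / "login: <url>" as seen in the thread.
C2_LINE = re.compile(r"^(gate|login):\s*(\S+)$", re.IGNORECASE)


def strings_from_dump(buf: bytes) -> list[str]:
    """Return the printable ASCII runs in the dump as Python strings."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(buf)]


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so urlsplit() can parse the URL."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)


def defang(url: str) -> str:
    """Make a URL non-clickable for reports: http -> hxxp, dots in host -> [.]."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


def parse_config(buf: bytes) -> dict:
    """Pull owner, dropped file name and C&C (role, url) pairs out of a dump."""
    config = {"owner": None, "dropped_file": None, "c2": []}
    for s in strings_from_dump(buf):
        if s.startswith("Owner:"):
            config["owner"] = s.split(":", 1)[1].strip()
        elif s.startswith("Dropped File name:"):
            config["dropped_file"] = s.split(":", 1)[1].strip()
        else:
            m = C2_LINE.match(s)
            if m:
                # Store URLs refanged so they can be parsed uniformly later.
                config["c2"].append((m.group(1).lower(), refang(m.group(2))))
    return config


def indicators(config: dict) -> list[str]:
    """Unique C&C hostnames, sorted, ready for a blocklist or DNS rule."""
    hosts = {urlsplit(url).hostname for _, url in config["c2"]}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_DUMP)
    print("owner:       ", cfg["owner"])
    print("dropped file:", cfg["dropped_file"])
    for role, url in cfg["c2"]:
        print(f"{role:5} {defang(url)}")
    print("hosts:", ", ".join(indicators(cfg)))
```

To use it on a real dump, replace SAMPLE_DUMP with the bytes saved from the debugger (for example `open("config.bin", "rb").read()`); the string-carving step means the exact buffer length does not need to be known in advance.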
 #20950  by rinn
 Tue Sep 24, 2013 3:03 pm
Betabot is under active development and the author(s) are likely reading this forum. With respect to all the RE done in this topic, I think the public section isn't the appropriate place to post any details about config decoding, as they (the author(s)) will definitely take this as a TODO to improve/change in the next version.
Thanat0S wrote:I think anyone in the scene must create a builder to this shit and stop the game to this skid.
I don't think it is a good idea because of:

1. A custom malware builder will stay a malware builder, which means it will be used by criminals of all kinds; unless you want to help criminals and popularize this bot, it is not a good idea at all. Remember, this bot is not the dead SpyEye, it is under active development.
2. The same applies to the web panel. Why do most people always want this stuff? The first obvious answer - to use it for yourself. Second - yeah, the panel can be useful for researchers, but I think they can get it without public discussions and sharing.

From rules:
NO ILLEGAL CONTENT. This means: no posting warez, cracked software, or talking about how to write viruses and trojans. We do not create malware here.
... which implies "we do not use malware" too.

Instead of re-using this malware for your own needs and playing what are actually "script-kiddie" games, the right move will be producing and popularizing removal and detection instructions.

My 2 cents.

Best Regards,
 #21291  by Userbased
 Wed Oct 30, 2013 10:03 pm
betabot downloaded by p2p-zeus from
Virustotal: https://www.virustotal.com/en/file/3bd8 ... /analysis/
Alternate domains:

Bonus open formgrabber directory: