Win32/Betabot (alias Neurevt)

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Betabot (alias Neurevt)

Post by Xylitol » Mon Sep 23, 2013 7:55 am

Thanat0S wrote: does anyone have panel src of 1.5 please
Useless, panel is under ioncube.

Thanat0S
Posts: 19
Joined: Tue Aug 21, 2012 10:24 pm

Re: Win32/Betabot (alias Neurevt)

Post by Thanat0S » Mon Sep 23, 2013 8:03 am

Xylitol wrote:
Thanat0S wrote: does anyone have panel src of 1.5 please
Useless, panel is under ioncube.
Ya, I know, this may work:
http://ioncubedecoder2013.blogspot.com/ ... coder.html

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Betabot (alias Neurevt)

Post by Xylitol » Mon Sep 23, 2013 8:40 am

No, people should stop with the myth of decoding ioncube stuff. Yeah, it decodes... partially; variables and stuff are recovered sometimes, but not with the original names, and most of the recovered parts are even useless. If it were so easy to decode ioncube we would already see a bunch of hacked Blackhole running.

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Win32/Betabot (alias Neurevt)

Post by patriq » Mon Sep 23, 2013 3:18 pm

Xylitol wrote:
Thanat0S wrote: does anyone have panel src of 1.5 please
Useless, panel is under ioncube.
Yep, it's IonCubed.

Pulled this BetaBot 1.5 panel from

hxxp://imtheop.redirectme.net/
hxxp://winblowservice.hopto.org/
both resolve to:
207.12.89.154

directory listing..allowed? :-)

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Win32/Betabot (alias Neurevt)

Post by patriq » Mon Sep 23, 2013 3:54 pm

r3shl4k1sh wrote: More BetaBot:

In attach Unpacked + dump of config:
MD5 c6ca1470501c1d885717104ca9ac51e2
MD5 4046fd4e5ddfc40548c2316d6cd289f4
MD5 c994461c69b02a63d0f1bbcd2a56ba54

From the config of c6ca1470501c1d885717104ca9ac51e2:
  • Owner: the sky daddy
  • Dropped File name: svchost (win)
  • C&C(s):
    gate: sentryme.com/order.php
    gate: stayattentive.com/order.php

From the config of 4046fd4e5ddfc40548c2316d6cd289f4:

From the config of c994461c69b02a63d0f1bbcd2a56ba54:
  • Owner: nicksasa
  • Dropped File name: Magic Helper
  • C&C(s):
    gate: hxxp://imafaggot.pw/service/order.php
    gate: hxxp://winblowservice.hopto.org/service/order.php
    login: hxxp://winblowservice.hopto.org/service/login.php
    gate: hxxp://imtheop.redirectme.net/service/order.php
    login: hxxp://imtheop.redirectme.net/service/login.php
Go-Go-Gadget: Directory Listing!

samples in attachment pulled from:
hxxp://winblowservice.hopto.org
hxxp://imtheop.redirectme.net
(207.12.89.154)

Sorry nicksasa, but why would you leave this out in the open, man?
$dbc = mysql_connect("localhost","root","rZkJJ7W6HJTX");

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: Win32/Betabot (alias Neurevt)

Post by r3shl4k1sh » Tue Sep 24, 2013 1:05 am

I wrote a short article on how to extract the configuration info from BetaBot samples.

In essence all you have to do is:
  • Set a breakpoint right at the start address of the function that is responsible for the decryption (offset 0x255A in the latest 1.5 versions)
  • Run the bot until the breakpoint is hit
  • Inspect the memory pointed to by the EDX register
  • Run until the end of the function
  • In that memory you can now see the decrypted data
You get the configuration info at the second hit of the breakpoint.


You can read the full tutorial here: http://www.malwaredigger.com/2013/09/ho ... -info.html
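Once the procedure above leaves the decrypted configuration in memory, the next step for a responder is pulling the C&C indicators out of that dump in a defanged, shareable form. The following is an added example, not code from the post or the linked article; it runs on a constructed dump, and the config keys it recognises (owner, file, gate, login) are assumed from the config lines quoted earlier in this thread.

```python
import re
from typing import Dict, List

# Constructed sample dump (not a real capture): NUL-padded text of the kind that sits in
# memory once the decryption routine returns. Hosts are placeholders, styled after this thread.
SAMPLE_DUMP = (
    b"owner: example-owner\x00\x00"
    b"file: svchost (win)\x00"
    b"gate: http://c2-one.example/service/order.php\x00\x00"
    b"login: http://c2-one.example/service/login.php\x00"
    b"gate: c2-two.example/order.php\x00"
    b"\x01\x02junk\x7f"  # non-config bytes that must be ignored
)

CONFIG_LINE = re.compile(r"^(owner|file|gate|login):\s*(\S.*?)\s*$", re.IGNORECASE)  # keys assumed
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # 4+ printable ASCII bytes, like `strings`
URL_PARTS = re.compile(r"^(?:([a-z]+)://)?([^/]+)(.*)$", re.IGNORECASE)

def extract_strings(blob: bytes) -> List[str]:
    """Return printable runs from a raw dump, in memory order."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]

def split_url(url: str):
    """(scheme or None, host, path); bare 'host/path' gates without a scheme are accepted."""
    m = URL_PARTS.match(url)
    return m.group(1), m.group(2), m.group(3)

def host_of(url: str) -> str:
    return split_url(url)[1].lower()

def defang(url: str) -> str:
    """Render an indicator so it is not clickable: http -> hxxp, dots in the host -> [.]"""
    scheme, host, path = split_url(url)
    safe_scheme = scheme.lower().replace("http", "hxxp") + "://" if scheme else ""
    return safe_scheme + host.replace(".", "[.]") + path

def parse_config(blob: bytes) -> Dict[str, List[str]]:
    """Group recognised 'key: value' lines by key; URLs are kept raw here."""
    cfg: Dict[str, List[str]] = {}
    for s in extract_strings(blob):
        m = CONFIG_LINE.match(s)
        if m:
            cfg.setdefault(m.group(1).lower(), []).append(m.group(2))
    return cfg

def c2_indicators(cfg: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Unique C&C hosts plus defanged URLs, in a form safe to paste into a report."""
    urls = cfg.get("gate", []) + cfg.get("login", [])
    return {"hosts": sorted({host_of(u) for u in urls}), "urls": [defang(u) for u in urls]}
```

Feed it the bytes dumped from the address EDX pointed to and the resulting hosts go straight into blocklists or detection rules.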

rinn
Posts: 91
Joined: Thu Nov 15, 2012 6:14 am
Location: Japan

Re: Win32/Betabot (alias Neurevt)

Post by rinn » Tue Sep 24, 2013 3:03 pm

Hi.
Betabot is under active development and the author(s) are likely reading this forum. With respect to all the RE done in this topic, I think the public section isn't an appropriate place to post any details about config decoding, as they (the author(s)) will definitely take this as a TODO to improve/change in the next version.
Thanat0S wrote: I think anyone in the scene must create a builder for this shit and stop the game of this skid.
I don't think it is a good idea because of:

1. A custom malware builder will stay a malware builder, which means it will be used by criminals of all kinds; unless you want to help criminals and popularize this bot, it is not a good idea at all. Remember this bot is not the dead SpyEye, it is under active development.
2. The same applies to the webpanel. Why do most people always want this stuff? The first obvious answer: to use it for yourself. Second: yeah, the panel can be useful for researchers, but I think you can get it without public discussions and sharing.

From rules:
NO ILLEGAL CONTENT. This means: no posting warez, cracked software, or talking about how to write viruses and trojans. We do not create malware here.
... which implies "we do not use malware" too.

Instead of re-using this malware for your own needs and playing actual "script-kiddie" games, the right move would be producing and popularizing removal and detection instructions.

My 2 cents.

Best Regards,
-rin

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Win32/Betabot (alias Neurevt)

Post by Win32:Virut » Fri Oct 04, 2013 3:18 pm


Userbased
Posts: 21
Joined: Tue Oct 09, 2012 11:38 pm

Re: Win32/Betabot (alias Neurevt)

Post by Userbased » Wed Oct 30, 2013 10:03 pm

betabot downloaded by p2p-zeus from

hxxp://novemberspecials.ru/build.exe

MD5:

01448a15955c3e865ea122a4e397e65d

Virustotal: https://www.virustotal.com/en/file/3bd8 ... /analysis/

Gate:

hxxp://renterlocal.su/be/order.php

Alternate domains:
municipales.ru
wmkdi.su
dfntlk.su
captioncodes.ru
juliussdietz.ru

Bonus open formgrabber directory:

hxxp://novemberspecials.ru/files/data/

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Betabot (alias Neurevt)

Post by Xylitol » Wed Nov 13, 2013 11:49 am
