Attachments
pass: infected
(135.94 KiB) Downloaded 140 times
(135.94 KiB) Downloaded 140 times
Code: Select all
betabot.ru
A forum for reverse engineering, OS internals and malware analysis
The coder copied solarbot.net and is now advertising the bot directly from a website.
https://www.virustotal.com/en/file/39c2 ... 390228650/ > 0/49
Code: Select all
C&C login interface changed a bit since the 1.7 announcement.http://fbcentral.net/software/HPmanager.exe
• dns: 1 ›› ip: 109.163.228.196 - adress: FBCENTRAL.NETAttachments
infected
(228.29 KiB) Downloaded 110 times
(228.29 KiB) Downloaded 110 times
I had a look at one of the C&C's Xylitol posted on cybercrime tracker.
Betabot 1.7 Panel and uncrypted binary
Betabot 1.7 Panel and uncrypted binary
Code: Select all
hxxp://world-star-madness.com/pan.rarAttachments
Password is infected
(2.55 MiB) Downloaded 137 times
(2.55 MiB) Downloaded 137 times
Userbased wrote:I had a look at one of the C&C's Xylitol posted on cybercrime tracker.Actually I'm interested on how Xylitol got the panel url anyways.
Betabot 1.7 Panel and uncrypted binaryCode: Select allhxxp://world-star-madness.com/pan.rar
Damn.. forgot to remove the panel after I've downloaded it. Thanks xylitol...
The virus bulletin article is out from behind the paywall.
http://blog.fortinet.com/NEUREVT-BOT-ANALYSIS/
The samples in the article are the from versions 1.0 and 1.0.2.5, so some things have changed in the more recent versions.
Interestingly, the article shows that a Skype spreading function was complete and available in the binary, despite the fact that this was (as far as I know) never given as an option in the panel (The author had it listed as an initial feature but was then terrified by the attention it could draw to the bot).
http://blog.fortinet.com/NEUREVT-BOT-ANALYSIS/
The samples in the article are the from versions 1.0 and 1.0.2.5, so some things have changed in the more recent versions.
Interestingly, the article shows that a Skype spreading function was complete and available in the binary, despite the fact that this was (as far as I know) never given as an option in the panel (The author had it listed as an initial feature but was then terrified by the attention it could draw to the bot).
https://www.virustotal.com/en/file/62dd ... 398065285/
> http://vxvault.siri-urz.net/ViriList.ph ... 6BC7D3963A
-USERS CAUGHT DISTRIBUTING UNCRYPTED BINARIES WILL NO LONGER RECEIVE UPDATES."
Fail.
> http://vxvault.siri-urz.net/ViriList.ph ... 6BC7D3963A
Code: Select all
"-DO NOT SHARE YOUR UNCRYPTED BINARY OR EXECUTABLE. ALWAYS SHARE OR SPREAD YOUR CRYPTED FILE.Key1=CF056C78778C0811
Key2=6E0F2D841777EF11-USERS CAUGHT DISTRIBUTING UNCRYPTED BINARIES WILL NO LONGER RECEIVE UPDATES."
Fail.
Attachments
infected
(6.79 MiB) Downloaded 169 times
(6.79 MiB) Downloaded 169 times
Attachments
infected
(370.94 KiB) Downloaded 120 times
(370.94 KiB) Downloaded 120 times
