A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24553  by EP_X0FF
 Tue Dec 09, 2014 7:29 am
Betabot extracted from infected computer.

String dump from stage2 of betabot loading - massive AV products blacklist and online sandboxes Windows OEM ID's.
Code: Select all
Software\Win7zip			
Uuid			
CF05			
CF04			
CF03			
CF02			
CF01			
BK32			
ULiFS			
Opera/9.00 (Windows NT 5.1; U; en)			
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)			
Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)			
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)			
Opera 9.4 (Windows NT 6.1; U; en)			
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)			
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)			
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2			
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8			
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11			
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)			
Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)			
SbieDll.dll			
DbgBreakPoint			
EVERYONE			
Software\Classes\CLSID\%s\%08X			
Software\Classes\CLSID\%s\%08X\%s			
0x%08X			
SB:0x%08X			
G:%s_0x%08X_%c:%s_v1$			
Software\Microsoft\Internet Explorer\Main			
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u			
2500			
Isolation			
PMIL			
Check_Associations			
SOFTWARE\Microsoft\Internet Explorer\Main			
IEXPLORE.EXE			
SOFTWARE\Clients\StartMenuInternet			
IE.HTTP			
Progid			
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice			
IE.HTTPS			
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice			
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice			
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice			
IE.AssocFile.HTM			
HTTP\shell\open\command			
Start Page			
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s			
Flags			
cookie:			
K32GetMappedFileNameW			
Psapi.dll			
GetMappedFileNameW			
JJ8J^QPE			
JJ8J@TynQcseb			
Software\JavaSoft\Java Plug-in			
%s\%s			
UseJava2IExplorer			
Software\Adobe\Acrobat Reader\%s\Privileged			
bProtectedMode			
11.0			
10.0			
mscoree.dll			
CreateProcessInternalW			
HARDWARE\DESCRIPTION\System\CentralProcessor\%u			
SOFTWARE\Microsoft\Windows NT\CurrentVersion			
SOFTWARE\Microsoft\NET Framework Setup\NDP			
jarfile\shell\open\command			
Software\Microsoft			
nspr4.dll			
nss3.dll			
CsrGetProcessId			
InitializeProcThreadAttributeList			
UpdateProcThreadAttribute			
ChangeWindowMessageFilter			
CreateProcessWithTokenW			
Urlmon.dll			
ObtainUserAgentString			
URLDownloadToFileW			
Netapi32.dll			
NetUserGetInfo			
ProductId			
76487-640-1457236-23837			
76487-337-8429955-22614			
76487-644-3177037-23510			
76497-640-6308873-23835			
55274-640-2673064-23950			
76487-640-8834005-23195			
76487-640-0716662-23535			
76487-644-8648466-23106			
00426-293-8170032-85146			
76487-341-5883812-22420			
76487-OEM-0027453-63796			
TransparentEnabled			
DefaultLevel			
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer			
HideSCAHealth			
TaskbarNoNotification			
DisableMonitoring			
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup			
SeDebugPrivilege			
WDStatus			
WDEnable			
SOFTWARE\Panda Software			
Start			
SYSTEM\CurrentControlSet\Services\DragonUpdater			
SOFTWARE\Norman Data Defense Systems			
SOFTWARE\Ikarus			
system_core_version			
SOFTWARE\McAfee\SystemCore			
SeCreatePagefilePrivilege			
SeRestorePrivilege			
SeBackupPrivilege			
tooltips_class32			
{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}			
snxhk.dll			
Language			
Software\Valve\Steam			
MRU0			
Software\Microsoft\Terminal Server Client\Default			
SOFTWARE\Classes\origin			
SOFTWARE\Blizzard Entertainment			
Software\Skype			
Software\Microsoft\VisualStudio			
Software\VMware, Inc.			
comctl32.dll			
GetAddrInfoW			
GetAddrInfoExW			
ZwOpenProcess			
ZwCreateFile			
ZwOpenFile			
ZwSetValueKey			
ZwDeleteValueKey			
SOFTWARE\%s			
Symantec			
Avira			
ESET			
ArcaBit			
%08x			
%02X			
update.microsoft.com			
microsoft.com			
windowsupdate.microsoft.com			
JOIN 			
PRIVMSG 			
USER 			
SeTcbPrivilege			
WinVerifyTrust			
.rdata			
cmd_option.%s			
/c %s			
runas			
cmd.exe			
msvcrt.dll			
--%08x-%04x-%04x-%04x%04x			
Content-Type: multipart/form-data; boundary=%08x-%04x-%04x-%04x%04x			
Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"			
Content-Type: application/octet-stream			
Content-Transfer-Encoding: binary			
%s?action=up&g=%s			
POST			
ext=			
term=			
filename=			
exclude=			
nocache=			
true			
RunAsInvoker			
__compat_layer			
xul.dll			
FileZi			
<Server>			
<Host>			
<Port>			
<User>			
<Pass>			
yA36zA48dEhfrvghGRg57h5UlDv3			
.exe			
Content-Type: application/x-www-form-urlencoded			
HTTP/1.1			
?pid=%d			
?page=%d			
?id=%u			
%s=%u&%s=%s			
%s=%s&%s=%u			
&%s=%s			
&%s%u=			
&%s%hu=			
&%s=_%u			
%d|%s|%s|%s			
.info			
.org			
.com			
.net			
x-compress; x-zip			
compress;q=0.5, gzip;q=1.0			
gzip, deflate			
compress, gzip			
image/png			
image/jpeg			
image/gif			
image/bmp			
text/plain			
text/html			
audio/wav			
audio/mpeg			
condis			
httpget			
slowloris			
rudy			
Software\Microsoft\Internet Explorer\Media\MimeTypes			
text/html, 			
GET /%s HTTP/1.1			
Host: %s			
Content-Length: %d			
Cache-Control: no-cache			
Accept: %s			
en-US			
Accept-Language: %s			
utf-8			
utf-16			
Accept-Charset: %s			
Accept-Encoding: %s			
User-Agent: %s			
Referer: %s			
Keep-Alive			
Close			
Connection: %s			
http://			
visited:			
svcVersion			
SOFTWARE\Microsoft\Internet Explorer			
iexplore.exe			
firefox.exe			
tbb-firefox.exe			
PR_Write			
X-a: b			
%s:%hu			
.jar			
.dll			
DnsFlushResolverCache			
windowsupdate			
neurevt			
PuTTY Private			
Release 0.62			
Release 0.63			
SSH2_MSG_KEXINIT			
SSH2_MSG_DISCONNECT			
SSH2_MSG_USERAUTH_SUCCESS			
SeIncreaseQuotaPrivilege			
SeLoadDriverPrivilege			
SeChangeNotifyPrivilege			
EP91			
CpuFlushInstructionCache			
_wcslwr			
_wcsnicmp			
wcsstr			
wcsncpy			
memset			
memcpy			
ZwQueryInformationThread			
ZwQueryInformationProcess			
ZwClose			
text			
blah			
http://%s%s/image.php?id=%s			
RtlQueryElevationFlags			
TaskDialogIndirect			
http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535			
OPEN			
%d0x%08X					
task			
suac			
puac			
nuac			
testme			
l[BETA] 			
EVERYONE			
Software\Classes\CLSID\%S			
G:%S_0x%08X			
OPEN			
mscoree.dll			
chrome.exe			
firefox.exe			
opera.exe			
safari.exe			
maxthon.exe			
:Mozilla\Firefox\Profiles			
cookies.sqlite			
%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*			
%s\winsxs\%s\comctl32.dll			
cmd.exe			
ProcessorNameString			
HARDWARE\DESCRIPTION\System\CentralProcessor\0			
Shell_TrayWnd			
%s\%s			
NT AUTHORITY			
SYSTEM\			
Elevation:Administrator!new:			
\Device\Harddisk0\Partition			
\??\PHYSICALDRIVE0			
6sandbox			
Description			
ItemData			
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s			
StandardProfile			
EnableFirewall			
PublicProfile			
StandardProfile\AuthorizedApplications\List			
%s:*:Enabled			
wuauserv			
wscsvc			
BITS			
MpsSvc			
SharedAccess			
avcuf32.dll			
SOFTWARE\Microsoft\Windows\CurrentVersion\Run			
prstrui.exe			
Windows Defender			
MpClient.dll			
%ProgramW6432%			
%ProgramFiles%			
Windows Defender\MSASCui.exe			
MpSvc.dll			
msseces.exe			
MsMpEng.exe			
MSASCui.exe			
MpAsDesc.dll			
MsMpLics.dll			
AVG_UI			
avgwd			
avgui.exe			
avgidsagent.exe			
avgwdsvc.exe			
avgdiagex.exe			
avgmfapx.exe			
avgupd.exe			
avgcfgex.exe			
avgnt.exe			
avguard.exe			
avshadow.exe			
avcenter.exe			
avgnt			
update.dll			
updaterc.dll			
usrreq.exe			
K*a*s*p*e*r*y*\*			
ccsvchst.exe			
NAVENG			
symerr.exe			
NIS.exe			
NAV.exe			
navw32.exe			
avastui.exe			
avast! Antivirus			
AvastEmUpdate.exe			
ashUpd.exe			
WRSA.exe			
WRSVC			
zatray.exe			
ForceField.exe			
ZoneAlarm			
updating.dll			
fshoster32.exe			
fshoster			
fsaua.dll			
PSUNMain.exe			
PSUAService.exe			
PSANHost.exe			
PSUAMain			
PSUNScan.dll			
epavjobs.exe			
AVENGINE.exe			
Upgrader.exe			
Ad-Aware Service			
adaware.exe			
BullGuard			
BullGuard.exe.manifest			
BullGuardUpdate.exe			
BullGuard.exe			
BullGuardScanner.exe			
BullGuardBhvScanner.exe			
BullGuardUpdate2.exe			
BgScan.exe			
BgScanEngine.dll			
RsMgrSvc			
.manifest			
updater.exe			
Backup\RSD\RSSetup\updater.exe			
RsTray.exe			
RavMonD.exe			
RsMgrSvc.exe			
rsmain.exe			
installpath			
SOFTWARE\rising\RAV			
RsScan.dll			
RsTray.dll			
mbamgui.exe			
mbam.exe			
pctsGui.exe			
pctsAuxs.exe			
pctsSvc.exe			
ISTray			
Update.exe			
UpdateHlpr.dll			
SBAMTray			
Definitions\vcore.dll			
sbamui.exe			
SBAMTray.exe			
F-PROT Antivirus Tray application			
updater_client_mod.dll			
FProtTray.exe			
FPWin.exe			
Sophos AutoUpdate Monitor			
Data Path			
SOFTWARE\Sophos\AutoUpdate			
scf.dat			
ALUpdate.exe			
RootPath			
SOFTWARE\ArcaBit			
update_tmp.exe			
arcaclean.exe			
Baidu Antivirus			
BavUpdater.exe			
DragonUpdater			
rcfp.exe			
CLPSLA.exe			
OutpostMonitor			
op_mon.exe			
niu.exe			
K7TSStart			
K7TSUpdT.exe			
sguardxup.exe			
ccupdate.exe			
cctray			
ccupdate\			
caupdate.dll			
emsisoft anti-malware			
a2guard.exe			
a2start.exe			
a2service.exe			
AVKTray.exe			
GDSC.exe			
AVK.exe			
GDFirewallTray.exe			
G Data AntiVirus Tray Application			
G Data AntiVirus Tray			
Bka.exe			
BLuPro.exe			
BkavSystemServer.exe			
BkavService.exe			
Bkav			
BLuPro			
LiveUpdate.dll			
LiveConnect.dll			
BaseFile\Bkav\LiveUpdate.dll			
V3 Application			
V3Lite.exe			
ASDSvc.exe			
autoup.exe			
Bdagent			
downloader.exe			
%s.config			
updatesrv.exe			
updatemgr.dll			
egui			
egui.exe			
ekrn.exe			
x86\ekrn.exe			
Trend Micro Titanium			
uWinMgr.exe			
coreServiceShell.exe			
uiSeAgnt.exe			
uiWatchDog.exe			
Trend Micro\UniClient\			
plugins\plugUpdater.dll			
UiFrmwrk\uiUpdateTray.exe			
Trend Micro Client Framework			
InstallDir			
SOFTWARE\TrendMicro\AMSP			
coreFrameworkHost.exe			
mcagent.exe			
McSvHost.exe			
McUICnt.exe			
McPvTray.exe			
SOFTWARE\McAfee\MSC			
mcui_exe			
mcpltui_exe			
Install Dir			
Install Dir32			
mcshell.exe			
mcupdmgr.exe			
mcupdate.exe			
mcshield.exe			
mcupdui.dll			
McAPExe.exe			
\??\			
.config			
Debugger			
Image File Execution Options\%s			
.exe			
SYSTEM\CurrentControlSet\services\%s			
ImagePath			
%c:\ntusbdriver.sys			
%c:\*p.exe			
%c:\%s			
%c:\			
p.exe			
.lnk			
%WinDir%\explorer.exe 			
/C start /d. %s&"%s"			
%COMSPEC%			
%WinDir%\system32\shell32.dll			
%c:\%s.lnk			
VisthAux.exe			
explorer.exe			
njagexcache			
t.minecraft			
League of Legends			
(unknown)			
Works! PID: %d, Name: %s			
Betabot (c) 2012-2014, coded by Userbased			
tavast			
SpIDerAgent			
APVXDWIN			
cmdvirth			
%s%s\%08X			
stratum			
btcguild			
tcp://			
-a scrypt			
http://			
svchost.exe			
csrss.exe			
lsass.exe			
smss.exe			
wscript.exe			
cscript.exe			
vbc.exe			
rundll32.exe			
regsvr32.exe			
%ALLUSERSPROFILE%			
SOFTWARE\Microsoft\CurrentVersion\Run			
SOFTWARE\Microsoft\CurrentVersion\RunOnce			
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run			
System			
winlogon.exe			
services.exe			
kernel32.dll			
.ini			
.sys			
%s\%08x.lnk			
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s			
desktop.ini			
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce			
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows			
Load			
wintrust.dll			
chrome.dll			
Applications\iexplore.exe\shell\open\command			
%s_%08x%04x			
%08x.zip			
Navw32.exe			
SysInspector.exe			
avscan.exe			
szInstallDir32			
SOFTWARE\McAfee\SystemCore			
mfefire.exe			
AVKProxy			
wuauclt.exe			
WerFault.exe			
-k NetworkService			
runas			
lFileZilla\sitemanager.xml			
port			
user			
pass			
FlashFXP			
Sites.dat			
Quick.dat			
%s\3\%s			
%s\4\%s			
open			
POST 			
GET 			
POST			
Host:			
Cookie:			
User-Agent:			
Referer:			
Accept-Language:			
POST *			
GET *			
UNKNOWN *			
spoolsv.exe			
iexplore.exe			
steam.exe			
skype.exe			
origin.exe			
dwm.exe			
ntdll.dll			
tapi3.dll			
shell32.dll			
Common Files			
/C copy "%s" "%s"			
DisableExceptionChainValidation			
/%s 			
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run			
"%s"			
Windows Update Service			
"%s" /%s			
Software\Microsoft\Windows\CurrentVersion\RunOnce			
/CREATE /SC ONLOGON /TN "Windows Update Check - 0x%08X" /TR "%s" /RL HIGHEST			
schtasks.exe			
/DELETE /TN "Windows Update Check - 0x%08X" /F			
drivers\etc\hosts			
\Windows\Explorer.exe			
windowsupdate			
tputty.			
Low_%08X			
eUSERPROFILE			
ALLUSERSPROFILE			
APPDATA			
ProgramData			
PUBLIC			
TEMP			
%s.manifest			
SYSTEM\CurrentControlSet\Control\Session Manager			
PendingFileRenameOperations			
%s\%08X			
Windows\CurrentVersion\Run			
Active Setup\Installed Components			
CurrentVersion\Winlogon			
Policies\Explorer\Run			
CurrentVersion\Windows			
Windows NT\CurrentVersion\Image File Execution Options\%s			
translation_begin			
translation_end			
Critical Disk Error			
Windows has encountered a corrupted folder on your hard drive			
Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.			
Show details			
More details about this error			
Restore files			
Restore files and check disk for errors			
Error details: 			
Corrupted folder: %s			
Corrupted file count: %d			
comctl32.dll			
<a href=".ms">%s</a>			
/c start "" "%s" /%s "%s" 			
&CLS 			
&ECHO Fixing problems ...&ECHO Problems fixed! 			
&EXIT			
shell32,ShellExec_RunDLL "%s" /%s "%s"			
You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.			
Privilege Error			
SSDPSRV			
Windows 3.1 Update Service			
%s:Zone.Identifier			
%s\%08X.pif			
VT
MD5 49d8240a31f4a1c27c959272cf7dedb2
SHA1 8fdbebf23340b4b1b44cad6376b6d77cafa2a3b5
SHA256 0da182ded041b4caab164bf9e6f3655d96a018585ad3b72fcb4c572d80144d74
https://www.virustotal.com/en/file/0da1 ... /analysis/
Attachments
pass: infected
(412.18 KiB) Downloaded 106 times
 #26811  by black_chance
 Sat Sep 26, 2015 10:33 am
i'm a begineer to malware analysis . i try to unpacked this version of Betabot (Neurevt 1.7.0.1) but cann't unpacked it .
how can i unpacked it ?? i try again .
please help me and please unpacked it that i can analysis it .
Attachments
Neurevt 1.7.0.1 pass infected
(135 KiB) Downloaded 66 times
 #26818  by EP_X0FF
 Sun Sep 27, 2015 5:40 am
black_chance wrote:i'm a begineer to malware analysis . i try to unpacked this version of Betabot (Neurevt 1.7.0.1) but cann't unpacked it .
how can i unpacked it ?? i try again .
please help me and please unpacked it that i can analysis it .
Load it in debugger. Clear PEB->BeingDebugged flag. Set BP on NtFreeVirtualMemory. Run target until BP hit. Inspect virtual memory for a decrypted body inside huge RWE region. Dump this code pornography to disk. Script-kiddie bot unpacking done.
Attachments
pass: infected
(114.81 KiB) Downloaded 70 times
 #29721  by Umb
 Wed Dec 14, 2016 2:13 pm
Anybody have a bin of the last 1.8.0.11, if so please share!!!!

I would really like to see this :cry:
 #29749  by Xylitol
 Mon Dec 19, 2016 2:15 am
i suppose you will see a lot of 1.8.0.11 soon https://www.virustotal.com/en/file/8b37 ... 482113428/
In attachment a betabot killer (https://www.virustotal.com/en/file/3b5d ... 482111051/)
Attachments
(44.71 KiB) Downloaded 55 times
 #32382  by EP_X0FF
 Mon Jan 07, 2019 5:39 am
markusg wrote: Thu Aug 03, 2017 10:50 pm SHA256:
a70b7ed2aceac7b591bd64950fda5d358bc6d64d175fff61156a3eedc3a3f629
Dateiname:
disableTrial.exe
https://virustotal.com/de/file/a70b7ed2 ... /analysis/
Ref http://www.kernelmode.info/forum/viewto ... 676#p30676 (it is hard to split posts when they contain different malware and analysis results).