KBOT C&C Malware

We just logged a new C&C bot named KBOT:

KBOT Control Panel

Content of the /js/ folder:

KBOT JS Path

Content of the /images/ folder:

KBOT Images Path

Content of the /css/ folder:

KBOT CSS Path

Malware activity (cb119a6b42da7bba1b6151f2e0bd6f1e):

File Created - %SAMPLE% - %Temp%\epbUex.UxO - A7A21220689BD796F6B74E5D983D810E - 2560 bytes - attr: [] - PE
Connection Established - C:\WINDOWS\system32\svchost.exe - UDP - 65.55.21.21 - 123
Process Created - %SAMPLE% - %SAMPLE% - malboxsofts - CB119A6B42DA7BBA1B6151F2E0BD6F1E - 536064 bytes
File Created - %SAMPLE% - %Temp%\EYEbMADiaiRT - NOTHING TO HASH - 0 bytes - attr: [-hidden] - -
File Created - %SAMPLE% - %Temp%\data1.dmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %SAMPLE% - %Temp%\data2.dmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %SAMPLE% - %Temp%\data.dmp - C10DBECA73F8835240E08E4511284B83 - 54 bytes - attr: [] - -
Connection Established - %SAMPLE% - TCP - 91.234.106.251 - 80
Web Request - %SAMPLE% - GET - wedontforget. ogspy. net - /poo/index.php?action=add&username=admin&password=0p0p0-0p0p0-0p0p0-0p0p0-0p0p0&app=Windows%20XP%20x86&pcname=%PCNAME%&sitename=Microsoft

Dangerous URLs:

hxxp://wedontforget.ogspy. net

Malware activity (91b13d987937c800f33458f17f320651):

Process Created - %SAMPLE% - %SAMPLE% - FileZilla Project - 91B13D987937C800F33458F17F320651 - 387584 bytes
File Modified - %SAMPLE% - %UserProfile%\crss.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Profile Manager2 - %UserProfile%\crss.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Document Explorer2 - %UserProfile%\Documents\crss.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Download Manager2 - %UserProfile%\Downloads\crss.exe
Process Created - %SAMPLE% - %UserProfile%\crss.exe - FileZilla Project - 91B13D987937C800F33458F17F320651 - 387584 bytes
Process Created - %UserProfile%\crss.exe - %UserProfile%\crss.exe - FileZilla Project - 91B13D987937C800F33458F17F320651 - 387584 bytes
Write Registry - %UserProfile%\crss.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Profile Manager2 - %UserProfile%\crss.exe
Write Registry - %UserProfile%\crss.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Document Explorer2 - %UserProfile%\Documents\crss.exe
Write Registry - %UserProfile%\crss.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Download Manager2 - %UserProfile%\Downloads\crss.exe
Connection Established - %UserProfile%\crss.exe - TCP - 8.23.224.90 - 80
Web Request - %UserProfile%\crss.exe - GET - purebot2. sytes.net - /
Connection Established - %UserProfile%\crss.exe - TCP - 46.105.116.182 - 80
Web Request - %UserProfile%\crss.exe - GET - ns224291. ovh.net - /pt/gate.php
Connection Established - %UserProfile%\crss.exe - TCP - 127.0.0.1 - 1044
Connection Established - %UserProfile%\crss.exe - TCP - 68.168.119.237 - 80
Web Request - %UserProfile%\crss.exe - GET - aqwadorient .com - /xs/minchrxxx.exe

Dangerous URLs:

hxxp://purebot2. sytes.net
hxxp://aqwadorient. com/xs/minchrxxx.exe
hxxp://68.168.119.237:80
hxxp://ns224291.ovh. net/pt/gate.php

Malware activity (3c08ae8e84c87b4f5f916d3ac9f6fa07):

File Modified - %SAMPLE% - %AppData%\LOCALS~1\Temp\aut2.tmp
File Deleted - %SAMPLE% - %Temp%\aut2.tmp - 3206 bytes
Process Created - %SAMPLE% - %SAMPLE% - Unknown Publisher - 3C08AE8E84C87B4F5F916D3AC9F6FA07 - 375599 bytes
File Modified - %SAMPLE% - %UserProfile%\explorer.exe
File Created - %SAMPLE% - %AppData%\LOCALS~1\Temp\aut2.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %SAMPLE% - %AppData%\LOCALS~1\Temp\hiuhtra - NOTHING TO HASH - 0 bytes - attr: [] - -
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Profile Manager - %UserProfile%\explorer.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Document Explorer - %UserProfile%\Documents\explorer.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Download Manager - %UserProfile%\Downloads\explorer.exe
Process Created - %SAMPLE% - %UserProfile%\explorer.exe - Unknown Publisher - 3C08AE8E84C87B4F5F916D3AC9F6FA07 - 375599 bytes
File Modified - %UserProfile%\explorer.exe - %AppData%\LOCALS~1\Temp\aut3.tmp
File Deleted - %UserProfile%\explorer.exe - %Temp%\aut3.tmp - 3206 bytes
Process Created - %UserProfile%\explorer.exe - %UserProfile%\explorer.exe - Unknown Publisher - 3C08AE8E84C87B4F5F916D3AC9F6FA07 - 375599 bytes
Write Registry - %UserProfile%\explorer.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Profile Manager - %UserProfile%\explorer.exe
Write Registry - %UserProfile%\explorer.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Document Explorer - %UserProfile%\Documents\explorer.exe
Write Registry - %UserProfile%\explorer.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Download Manager - %UserProfile%\Downloads\explorer.exe
File Created - %UserProfile%\explorer.exe - %AppData%\LOCALS~1\Temp\aut3.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %UserProfile%\explorer.exe - %AppData%\LOCALS~1\Temp\qlmdfvx - NOTHING TO HASH - 0 bytes - attr: [] - -
Connection Established - %UserProfile%\explorer.exe - TCP - 8.23.224.90 - 80
Web Request - %UserProfile%\explorer.exe - GET - h4r3.hopto.org - /
Connection Established - %UserProfile%\explorer.exe - TCP - 46.105.116.182 - 80
Web Request - %UserProfile%\explorer.exe - GET - ns224291.ovh.net - /pt/gate.php
Connection Established - %UserProfile%\explorer.exe - TCP - 127.0.0.1 - 1054
Connection Established - %UserProfile%\explorer.exe - TCP - 213.186.33.87 - 80
Web Request - %UserProfile%\explorer.exe - GET - ovatec.fr - /xs/spyxxxxx.exe
File Modified - %UserProfile%\explorer.exe - %InternetCache%\Content.IE5\8YPELNXD\spyxxxxx[1].exe
File Created - %UserProfile%\explorer.exe - %UserProfile%\Cookies\%UserName%\@ovatec[1].txt - 576B13CB892DA082AEB395D43E910654 - 76 bytes - attr: [] - -
File Created - %UserProfile%\explorer.exe - %InternetCache%\Content.IE5\8YPELNXD\spyxxxxx[1].exe - E6854368B0BE650F336147351EB23C1E - 81920 bytes - attr: [] - -
File Modified - %UserProfile%\explorer.exe - %AppData%\LOCALS~1\Temp\88518.exe

Dangerous URLs:

hxxp://h4r3.hopto. org
hxxp://ns224291.ovh. net/pt/gate.php
hxxp://ovatec. fr/xs/spyxxxxx.exe

Other malware URLs (PE):

Malware PE URLs

hxxp://ovatec. fr/xs/11.exe
hxxp://ovatec. fr/xs/an26.exe
hxxp://ovatec. fr/xs/lock26.exe
hxxp://ovatec. fr/xs/min26.exe
hxxp://ovatec. fr/xs/ppi.exe
hxxp://ovatec. fr/xs/spy.exe

File 11.exe:

Size: 86016 bytes
MD5: 753E06472FF07E7620498F828E726A54
SHA1: 6EF12A9AC49ACA2BF8814CE5385FA4215395F59E
SHA256: E596583DBC0D0190DABE5965AB8C234C274089F620BA027829E6B556C2372E81
SHA384: 53B4BD628C874B7FF183A5785B45F52E246A66D91B5F2A5BB77A1D459710F9CE94E80D7EEF13C3CDFFC8209FFC619485
SHA512: 6C8EE2663D5D555B33FF34FF925AB1891C8A5C210879CDF49606117374B4A18D33D317B86C69E30C8E9B877F2DA5A1296EAB20D4B11A7596D6CFA45014DB8789

File an26.exe:

Size: 52224 bytes
MD5: D21E13CCA5BDCBB506B19118B95BFF44
SHA1: 5C8B462A7FCF4E89DAF59231F8300F13E59EE623
SHA256: BBBA88E36D374C1F431C346F006A637FAC18B491E6F12ABB609F20C2F6BCF47B
SHA384: 88058E8D833D106730D67ED3ADBC85B557216C697AB576C791C0B5BF150BB83943743BB036439702F605B5111AE78D98
SHA512: F1B95657201FE15573A6D015018E4C76F76C61F4DF780073BBF1D3BBBDE4DE596093EDFFB89A6E4942E8ABF8B399EA74BEFB936D6F4AF5E29535F5083E420B78

File lock26.exe:

Size: 77824 bytes
MD5: BE33C2C5856136E496DC1F3155533DC7
SHA1: A6CF2F278BA2F09C8BDCD6527B362267D580940C
SHA256: A488C36048A6C0F3DC0EAB6069C3C73632438BFFF902AE2722B74984ABBB7B62
SHA384: 2ECEF8AB69E06F7759A8176F68E0BE970F84D632858A6D725319A9D18448436B06C62F8178A7AF70595F87B4419C8F43
SHA512: 18CA870E0D84327916956CAC2F8B4E6763B16AC618D9C5C807075C309033DD06A52A42FF81F7AFB08DB8D6865C618331CB7013EDFE0DC0E738688D98E81775A2

File min26.exe:

Size: 81920 bytes
MD5: 145D31147D440DC42380E90C9A3375DA
SHA1: B3B30BEC507ED43F39B8A62A238CEE792BE8EEA2
SHA256: 2CA6DF7E6796D99353E8407AB5DB936250E9C446B9EB55FFE246C76C93ABFED9
SHA384: 6D9D33F6B02F500CF5B08A1DDEDE7FAF38695B4B981EE3AB89E6BDB1A8ED04297BAF05A55221945BA10808FEA573789C
SHA512: D6A3751AF18E6F85B7BED47AD2389225CD4123C1C7F99A5BF5D754E5ADC82CCA40586943DC926E6219789FFB55AF888ACA88C43E583938C545842351C67314E0

File ppi.exe:

Size: 73728 bytes
MD5: 03E5C843E2BD8339DB31ED4F8A407C1D
SHA1: 2C2F39EDE684BA2CA02597E6D9B182BBD1997DE4
SHA256: 37C30E45F4D946CBF1952EBB1D7B4D1CEA83380975849128EF729960329519A8
SHA384: 1C3CC5B1C9BB117993161EF2B1B3567C6F4B22AF91B3F99DCC911D9576366C4802E92A31C1C71710CF991925B6B4CBBB
SHA512: F869B63CE3F7781C13B6BFC70666D0BAF8F0E21AA3AD7A06C0EB4EF9061D64AEB1571B0BF3B28DED2E32B66E1E1495FAA497D8EA18E8E616D9FF92D07485E1B7

File spy.exe:

Size: 487424 bytes
MD5: 3CD58F4D27F42AEFF79C7813FF772CF9
SHA1: AFE10513E0A62AB8F327FA6963711F53AAB6DC70
SHA256: 642CF5AD05472AD2729C9C06EE7AA0CCB4E5D3E5B37A804E62CCBCCAEC902B63
SHA384: 5A73576A689C2C8F31A7E95D1916F95BA7590B7358563EC37210AC99D482A8F7F5F558C8C42FCD8AD19171D096896A93
SHA512: D6475A2BD4FFEF2A33C4DED910C76C5163E86EC45D024EA7ECA9C1A615F90AEBDC6FB2013E44AFBE39029E1DBD355B7AFF996314B86EC60224BCEE03DA42DF76
