Goal: Reverse engineer a packed Betabot binary and unpack the final payload of this malware.
Credit: @avman1995
Tools: ProcDOT, OllyDBG, XVI32
Original Betabot: 88048D5970AB122865986928C79FF325718B800D
Steps:
(1) Observe the malware cryptor behavior via reversing or dynamic analysis.
The original import address table contains two DLL imports: kernel32.dll and user32.dll.
(2) Observe the creation of the suspended process in OllyDBG.
(3) Locate injected buffer by placing the WriteProcessMemory breakpoint in OllyDBG. Follow Betabot’s injected payload and dump the binary.
(4) Patch and edit the dumped binary by searching for the “MZ” header.
(5) Observe the unpacked import address table of the Betabot payload.
(6) Profit. Continue analyzing this feature-rich malware.
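Steps (3) and (4) above boil down to finding the real “MZ” header inside a dumped buffer and carving the image out. The following is an added example (not part of @avman1995's walkthrough): it validates each “MZ” candidate by checking that e_lfanew points at a “PE\0\0” signature, reads Machine, NumberOfSections and SizeOfImage, and carves the image. The sample dump is constructed in code (a decoy “MZ” followed by a minimal PE32 header), not real Betabot data.

```python
import struct

def find_pe_headers(buf):
    """Return [(offset, machine, num_sections, size_of_image)] for every 'MZ'
    in buf whose e_lfanew points at a valid 'PE\\0\\0' signature."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # COFF header is 20 bytes after the 4-byte signature; SizeOfImage sits
            # at offset 0x38 of the optional header for both PE32 and PE32+.
            if (0x40 <= e_lfanew <= 0x400 and pe + 24 + 0x3C <= len(buf)
                    and buf[pe:pe + 4] == b"PE\0\0"):
                machine, nsec = struct.unpack_from("<HH", buf, pe + 4)
                size_of_image = struct.unpack_from("<I", buf, pe + 24 + 0x38)[0]
                hits.append((pos, machine, nsec, size_of_image))
        pos = buf.find(b"MZ", pos + 1)   # keep scanning: decoys and stubs are common
    return hits

def carve_first_pe(buf):
    """Slice the first validated image out of the dump (bounded by SizeOfImage)."""
    hits = find_pe_headers(buf)
    if not hits:
        return None
    off, _, _, size = hits[0]
    return buf[off:off + size]

def build_sample_dump():
    """Constructed test data, not a real Betabot dump: junk with a decoy 'MZ',
    then a minimal PE32 image header (IMAGE_FILE_MACHINE_I386, 2 sections)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 0x38, 0x400)           # SizeOfImage
    image = bytes(dos) + coff + bytes(opt)
    image += b"\0" * (0x400 - len(image))
    junk = b"\xCC" * 0x50 + b"MZ" + b"\xCC" * 0xAE     # decoy MZ, no PE signature
    return junk + image

if __name__ == "__main__":
    for off, machine, nsec, size in find_pe_headers(build_sample_dump()):
        print(f"PE at 0x{off:X}: machine=0x{machine:X} sections={nsec} SizeOfImage=0x{size:X}")
```

Run it against a real WriteProcessMemory buffer saved from OllyDBG to locate the payload's header before fixing it up in XVI32.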
Some notable features of the Betabot Trojan:
- Anti-analysis checks (strings: sandbox, sand box, malware, maltest, test user)
- Targeted browsers (chrome.exe, firefox.exe, opera.exe, safari.exe, 360browser.exe, maxthon.exe)
- Usermode rootkit
- Anti-VM (drivers: vboxvideo.sys, vboxguest.sys, vmhgfs.sys, prl_boot.sys)
- Anti-debugger
- Bitcoin miner module (strings: stratum, -u, btcguild, pool.itzod.ru, bitcoinpool.com, pool0.btcdig.com, triplemining.com, bitparking.com, mining.eligius.st, bitcoin.cz.mint, bitminter.com)
- Formgrabber and POP3/FTP stealer
- Mobile device connection checker
- USB spreader module
- Bot killer module
- and many others
Can you show us how to get around the anti-debugging and anti-VM tricks and such? I appreciate your tuts 😉