Let’s Learn: Reversing Packed Betabot Trojan

Goal: Reverse engineer a packed Betabot binary and unpack the final payload of this malware.
Credit: @avman1995
Tools: ProcDOT, OllyDBG, XVI32

Steps:
(1) Observe the malware cryptor behavior via reversing or dynamic analysis.

The original import address table contains two DLL imports: kernel32.dll and user32.dll.

(2) Observe the creation of the suspended process in OllyDBG.
(3) Locate injected buffer by placing the WriteProcessMemory breakpoint in OllyDBG. Follow Betabot’s injected payload and dump the binary.

(4) Patch and edit the dumped binary by searching for the “MZ” header.

(5) Observe the unpacked import address table of the Betabot payload.
(6) Profit. Continue analyzing this feature-rich malware.
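As an added example for steps (3) and (4), not code from the original post, a small Python carver that does the “search for MZ” step on a dumped buffer: it checks that `e_lfanew` lands on a `PE\0\0` signature, walks the section table to recover the image length, and skips decoy “MZ” bytes that do not head a real PE. The sample dump is constructed inline and is not Betabot data.

```python
import struct

def parse_pe(buf, off):
    """Validate a candidate "MZ" at off; return the image length taken from the section table, else None."""
    if off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    if e_lfanew > 0x400 or nt + 24 > len(buf) or buf[nt:nt + 4] != b"PE\0\0":
        return None                                        # e_lfanew must land on the PE signature
    nsec = struct.unpack_from("<H", buf, nt + 6)[0]
    opt_size = struct.unpack_from("<H", buf, nt + 20)[0]
    end = 0
    for i in range(nsec):
        sec = nt + 24 + opt_size + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        if sec + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + 16)
        end = max(end, raw_ptr + raw_size)                 # raw layout: last section end = file size
    return end if end and off + end <= len(buf) else None

def carve_pes(buf):
    """Return [(offset, image_bytes)] for every "MZ" in buf that heads a structurally valid PE."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        size = parse_pe(buf, pos)
        if size:
            found.append((pos, buf[pos:pos + size]))
        pos = buf.find(b"MZ", pos + 1)
    return found

def build_sample_dump():
    """Constructed input: filler, a decoy "MZ" with no PE header, then a minimal one-section PE32."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 94            # PE32 optional header (96 bytes)
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    section = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x200) + b"\0" * 16
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt + section
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    image = dos + nt
    image += b"\0" * (0x200 - len(image)) + b"\xCC" * 0x10  # pad to PointerToRawData, then section body
    return b"\x90" * 37 + b"MZ\0\0" + b"\x90" * 21 + image + b"\x90" * 5

if __name__ == "__main__":
    for off, image in carve_pes(build_sample_dump()):
        print(f"PE at offset {off}: {len(image)} bytes")  # prints "PE at offset 62: 528 bytes"
```

If the buffer was dumped after the loader had already mapped it, section data sits at VirtualAddress rather than PointerToRawData, so the carved length would have to be taken from the virtual layout instead.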
Some notable features of the Betabot Trojan:
  • Anti-analysis checks [sandbox.sand box.malware.maltest.test user]
  • Targeted browsers [chrome.exe..firefox.exe.opera.exe.safari.exe.360browser.exmaxthon.exe]
  • Usermode rootkit
  • Anti-VM [drivers.vboxvideo.sys.vboxguest.sys.vmhgfs.sys. prl_boot.sys]
  • Anti-Debugger
  • Bitcoin miner module [stratum.-u, btcguild, pool.itzod.ru, bitcoinpool.com, pool0.btcdig.com, triplemining.com, bitparking.com, mining.eligius.st., bitcoin.cz.mint,bitminter.com]
  • Formgrabber and POP3/FTP stealer
  • Mobile device connection checker
  • USB spreader module
  • Bot killer module
  • and many others
