hackerbrother

Learn Penetration Testing And Ethical Hacking Online.

facebook

  • Facebook
  • Popular Posts

    Telegram SpyBot
    Telegram SpyBot
    Functions:



    - Anti Virtual Machine
    - Anti static analysis with the usage of crypted packer
    - Persistence autostart (CurrentVersion\Run) with faking lsass.exe binary
    - Camouflage process names
    - Send data to C2 via Telegram API (see C2 traffic))
    - Bot client can handle HTTPS (crypted) session
    - Clipboard capture (see decoded code)
    - Screenshot capture (see the C2 traffic)
    - Timer basis (see decoded code)
    - Fakes webapps process (w3wp.exe or aspnet_wp.exe)
    - For the c2 comm purpose: Decoding (base64) & decrypting (DES) activities, etc

    Components:
    Installer: 857faa89acdabc25969c21f340107742
    TelegramC2 Spybot: 61034e0f0da63307fb31310ae4e491b6

    In the wild spotted infection timeline:
    2019-01-26 02:10:04 France
    2019-01-25 08:39:45 Italy
    2019-01-13 13:01:20 Germany
    self-crypted










    The installer is packed with enigma packer, then also self-crypted
     enigma packer












    packer sig
    packer sig












    After depacked, which was a challenged task in radare2, the payload can be dumped, payload is a dot Net PE binary.


    The dot net is the Telegram C2 basis Trojan Spy. stealing memory(clipboard), screen capture etc from infected PC/machine, has timer, and every library in dot net supported to the functionality of the bot to connect via SSL to telegram by API.


    Anti VM to prevent behaviour test


    All traffic is in HTTPS (crypted)



    HTTPS Intercept result.

    More data in analysis and sample detail: pastebin . com/raw/BJYbhr35


    installer detection names


    the spybot detection names


    Just curious .. to check whether PeID sig is actually matched or not. Hmm..

    0 Comments