Introduction
A few weeks ago I received a PE file (MD5: 34105EF38CEA1B4B2ABADD0CB3404E69) and was asked to figure out if it is related to the Betabot malware family. It didn’t take long to figure out that this file is Betabot, but this seemed like an excellent sample to cover methods of obfuscation and code injection.
This sample was executed on a 32-bit version of Windows XP SP3. For anybody following along, there will be differences between versions of Windows.
More here: http://vrt-blog.snort.org/2014/05/betabot-process-injection.html