PsiXBot Malware
PsiXBot is malware which is written in .NET this malware has recently undergone significant development. This has led to an increase in large scale distributions of the malware via spam campaigns or as part of other malware campaigns.
Once executed the malware connects to the configured command and control (C2) servers before requesting further instructions. The DNS servers used to resolve the C2 addresses are hard coded into the malware in order to resolve the non-standard .bit domains.
At present the following functionality has been observed:
- Dumping passwords and cookies from a variety of browsers
- Redirecting cryptocurrency to a configured wallet address
- Key logging
- Deploying Quasar remote access trojan
- Installing a remote desktop program
- Dumping Outlook passwords
- Creating a scheduled task for persistence
The full updated set of indicators of compromise can be found this GitHub page.
Indicators of Compromise
| 101[.]226[.]79[.]205 |
| 107[.]181[.]161[.]173 |
| 111[.]67[.]20[.]8 |
| 119[.]28[.]48[.]230 |
| 119[.]28[.]48[.]232 |
| 130[.]255[.]73[.]90 |
| 130[.]255[.]78[.]223 |
| 139[.]59[.]17[.]152 |
| 139[.]59[.]208[.]246 |
| 14[.]42[.]81[.]85 |
| 142[.]4[.]204[.]111 |
| 142[.]4[.]205[.]47 |
| 144[.]76[.]12[.]6 |
| 144[.]76[.]133[.]38 |
| 144[.]76[.]142[.]6 |
| 158[.]69[.]239[.]167 |
| 162[.]244[.]32[.]136 |
| 163[.]53[.]248[.]170 |
| 169[.]239[.]202[.]202 |
| 172[.]104[.]136[.]243 |
| 180[.]163[.]8[.]114 |
| 185[.]11[.]145[.]5 |
| 185[.]117[.]119[.]35 |
| 185[.]121[.]177[.]177 |
| 185[.]61[.]148[.]153 |
| 185[.]61[.]148[.]187 |
| 185[.]61[.]148[.]39 |
| 185[.]86[.]148[.]101 |
| 185[.]86[.]150[.]118 |
| 185[.]86[.]151[.]103 |
| 185[.]86[.]151[.]99 |
| 192[.]99[.]85[.]244 |
| 193[.]37[.]213[.]223 |
| 194[.]88[.]106[.]21 |
| 195[.]123[.]214[.]68 |
| 195[.]123[.]214[.]98 |
| 195[.]123[.]233[.]203 |
| 195[.]123[.]245[.]137 |
| 195[.]123[.]246[.]10 |
| 195[.]123[.]246[.]64 |
| 195[.]154[.]226[.]249 |
| 198[.]251[.]90[.]143 |
| 2[.]15[.]835[.]1 |
| 212[.]47[.]242[.]157 |
| 217[.]182[.]53[.]107 |
| 31[.]148[.]220[.]69 |
| 31[.]171[.]251[.]118 |
| 31[.]3[.]135[.]232 |
| 37[.]44[.]212[.]194 |
| 37[.]44[.]213[.]187 |
| 37[.]44[.]213[.]188 |
| 37[.]44[.]213[.]189 |
| 37[.]44[.]213[.]26 |
| 37[.]44[.]213[.]27 |
| 37[.]44[.]213[.]98 |
| 37[.]58[.]63[.]27 |
| 5[.]135[.]183[.]146 |
| 5[.]154[.]191[.]67 |
| 51[.]254[.]141[.]22 |
| 51[.]255[.]48[.]78 |
| 58[.]251[.]121[.]110 |
| 59[.]36[.]120[.]151 |
| 62[.]113[.]203[.]99 |
| 81[.]2[.]241[.]148 |
| 82[.]141[.]39[.]32 |
| 87[.]98[.]175[.]85 |
| 88[.]175[.]188[.]50 |
| 91[.]201[.]65[.]145 |
| 95[.]26[.]187[.]9 |
| a[.]dnspod[.]com |
| anyname[.]bit |
| b[.]dnspod[.]com |
| dns1[.]soprodns[.]ru |
| dns2[.]soprodns[.]ru |
| finka135[.]bit |
| gagaka147[.]bit |
| gikula258[.]bit |
| hellokids[.]bit |
| iliga456[.]bit |
| ilovejohnlatwc[.]bit |
| isitreal[.]bit |
| jajaga13579[.]bit |
| jujusha555[.]bit |
| jushika369[.]bit |
| jvjvjcjc6784fhc[.]bit |
| lacikuli2468[.]bit |
| learncpp[.]bit |
| mifola159[.]bit |
| minika357[.]bit |
| miskina2468[.]bit |
| myauto[.]bit |
| mygranny[.]bit |
| navi[.]ensage-forum[.]ru |
| normalnodol[.]bit |
| paulo582[.]bit |
| picaso279[.]bit |
| pipona321[.]bit |
| ponifa852[.]bit |
| pppoe[.]bit |
| radbot[.]bit |
| radcall[.]bit |
| rijina951[.]bit |
| roju[.]bit |
| rrradiusspace[.]bit |
| runisa654[.]bit |
| sellme[.]bit |
| sikola753[.]bit |
| six6[.]bit |
| sokoban[.]bit |
| spinner[.]bit |
| svetik753[.]bit |
| tusika6842[.]bit |
| viliko741[.]bit |
| vinila456[.]bit |
| weather0[.]bit |
| world9[.]bit |
| yastrebs[.]bit |
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.