PsiXBot Malware

PsiXBot is malware written in .NET that has recently undergone significant development. This has led to an increase in large-scale distribution of the malware via spam campaigns and as part of other malware campaigns.

Once executed, the malware connects to its configured command and control (C2) servers and requests further instructions. The DNS servers used to resolve the C2 addresses are hard-coded into the malware so that it can resolve the non-standard .bit domains.
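One defender-side detection for the resolution behaviour described above, written as an added example that is not from the original post: it scans DNS query logs for lookups of the non-standard .bit TLD and for queries sent to resolvers outside an approved set (a host using a hard-coded resolver instead of the corporate one). The log line format, the approved resolver addresses and the sample names are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed log format (assumption, not any real product's format):
# "<timestamp> client=<ip> resolver=<ip> qname=<name> qtype=<type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) "
    r"qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)

# Resolvers endpoints are expected to use (constructed sample addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# TLDs absent from the public DNS root; .bit (Namecoin) is the one PsiXBot uses.
NON_ICANN_TLDS = {"bit"}

@dataclass(frozen=True)
class Finding:
    client: str
    reason: str
    detail: str

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def check_query(rec):
    """Apply both checks to a parsed record and return any findings."""
    findings = []
    qname = rec["qname"].rstrip(".").lower()      # tolerate trailing root dot
    tld = qname.rsplit(".", 1)[-1]
    if tld in NON_ICANN_TLDS:
        findings.append(Finding(rec["client"], "non-icann-tld", qname))
    if rec["resolver"] not in APPROVED_RESOLVERS:
        findings.append(Finding(rec["client"], "unapproved-resolver", rec["resolver"]))
    return findings

def scan(lines):
    """Scan an iterable of log lines; malformed lines are skipped, not fatal."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            out.extend(check_query(rec))
    return out

# Constructed sample log: one benign query, one suspicious query, one malformed line.
SAMPLE_LOG = """\
2019-06-01T10:00:00Z client=10.1.2.3 resolver=10.0.0.53 qname=www.example.com. qtype=A
2019-06-01T10:00:01Z client=10.1.2.3 resolver=203.0.113.10 qname=sample-c2.bit. qtype=A
2019-06-01T10:00:02Z client=10.1.2.9 resolver=10.0.1.53 qname=mail.example.net. qtype=MX
not a log line
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.client}: {f.reason} ({f.detail})")
```

The second sample line triggers both checks, which is the combination worth alerting on: a host resolving a .bit name through a resolver the organisation does not operate.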

At present the following functionality has been observed:

  • Dumping passwords and cookies from a variety of browsers
  • Redirecting cryptocurrency to a configured wallet address
  • Key logging
  • Deploying Quasar remote access trojan
  • Installing a remote desktop program
  • Dumping Outlook passwords
  • Creating a scheduled task for persistence

The full, updated set of indicators of compromise can be found on this GitHub page.


Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
