How a Bot Engine's Backdoor is Used to Deliver Nemesis Stealer

DarkArmor recently analyzed a malware dropper that dropped a malware downloader called Bot Engine, which then downloaded a recent Nemesis stealer. This report describes the Bot Engine framework and how it is used to infect users.

Written by Nguyen Nguyen on April 24, 2023

The Bot Engine framework is typically used in a two-step infection process. In the first step, the malware dropper is used to deliver the Bot Engine framework to the victim’s computer. Once the Bot Engine framework is installed, it will then download various modules, which include the Nemesis stealer. The Nemesis stealer is a powerful malware that can steal a wide range of sensitive information from the victim’s computer, such as passwords, credit card numbers, and other personal data.

Bot Engine Dropper

The malware dropper we observed uses multiple stages to load the final malware, Bot Engine, in memory. The loader relies on simple obfuscation techniques: byte reordering, base64 encoding, zlib compression, and storing the payload as text. Although these techniques are simple, they are likely to evade detection methods such as entropy scanning.

File Information

DarkArmor conducted an analysis on the Bot Engine dropper, which possesses the following properties.

File name: tvdeveloper_40d.exe
MD5: 5fb7e4ddb88b99cfb88e2294f62d9078
SHA-1: b88e18a3c4926a188ed55201c5d894c4226093f8
SHA-256: c5ebdc51e607782526b087aff5e3e2bf6fd5e68fa43efe32902d3d1099138b75
Size: 12,800 bytes
File extension: exe
File MIME type: application/x-msdownload

Stage 1

The executable is named tvdeveloper_40d.exe and is a .NET application. Upon execution, the application automatically requests and downloads a resource from the following URL.

hxxps://album.moto-style[.]nl/2020/images/css/design/fabric/bo/Czdcfrl.bmp

The payload is base64-encoded and stored in reverse byte order. Once the malware downloader decodes the base64 and reverses the byte order, it loads the second stage of the malware in memory.

The second stage payload has the following properties.

File name: Olfsmurrlsmxr.dll
MD5: 0ae02f7b9e5000abc9e3e172df298b2a
SHA1: c594fb26cf2b5ee1db12c0112e353851747d3cf3
SHA256: 64578f5f9fc969db0a16d992cb4b6601a11c74618ffec0df9d010128958dd568
Size: 3,114,496 bytes
File extension: exe
File MIME type: application/x-msdownload

Stage 2

After loading the second stage, the dropper loads the obfuscated payload stored in a JSON file in its resources. The payload is base64-encoded, stored with its byte order reversed, and compressed with gzip. Figure 3 illustrates the payload stored in the resource path.

The following Python code decodes the payload.

import sys
import json
import base64
import gzip

# The resource is a JSON document; the key "33" holds the obfuscated payload.
with open(sys.argv[1], "r") as f:
    data = json.load(f)

# Undo the layers in the reverse order they were applied:
# base64 decode -> reverse the byte order -> gzip decompress.
decoded = base64.b64decode(data["33"])[::-1]
decompressed = gzip.decompress(decoded)

with open(sys.argv[1] + "_33.decoded.bin", "wb") as out:
    out.write(decompressed)
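As an added example (not code from the DarkArmor report), the same decoding generalised to both stages: the gzip layer is detected from its magic bytes rather than assumed, so one routine handles the stage 1 payload (base64 + reversed) and the stage 2 payload (base64 + reversed + gzip), and the result is checked for a PE header. The GZIP_MAGIC and PE_MAGIC constants and the wrap_like_dropper helper, which builds a constructed stand-in payload for testing, are assumptions rather than values taken from the sample.

```python
import base64
import gzip

# Magic values used to decide which layers are present and whether the
# result is plausible (assumptions about a well-formed result, not values
# taken from the sample itself).
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"


def peel_layers(blob: str) -> bytes:
    """Undo the dropper's obfuscation: base64 -> reversed bytes -> optional gzip.

    Stage 1 is base64 + reversed byte order; stage 2 adds gzip on top.
    The gzip layer is recognised by its magic, so both stages decode here.
    """
    raw = base64.b64decode(blob, validate=True)[::-1]
    if raw[:2] == GZIP_MAGIC:
        raw = gzip.decompress(raw)
    if raw[:2] != PE_MAGIC:
        raise ValueError("decoded payload is not a PE image (no MZ header)")
    return raw


def wrap_like_dropper(payload: bytes, use_gzip: bool) -> str:
    """Constructed helper: apply the dropper's layers to a stand-in payload."""
    body = gzip.compress(payload) if use_gzip else payload
    return base64.b64encode(body[::-1]).decode("ascii")


# Constructed stand-in for a PE image; not a real sample.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
STAGE1_LIKE = wrap_like_dropper(FAKE_PE, use_gzip=False)
STAGE2_LIKE = wrap_like_dropper(FAKE_PE, use_gzip=True)

if __name__ == "__main__":
    for name, enc in (("stage1", STAGE1_LIKE), ("stage2", STAGE2_LIKE)):
        print(name, len(peel_layers(enc)), "bytes recovered")
```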

The decoded payload has the following properties.

File name: OneDriveTimerUI.exe
MD5: 07fc6df90bc349c094c258e7a87dee6b
SHA1: 7c1f791077006af1aedfcdd6d4d45862b2db8b91
SHA256: 26d911140d34903e94d8c310e2be8508d0a6ed7100c85a8cc58dc44f663ccfed
Size: 1,911,808 bytes
File extension: exe
File MIME type: application/x-msdownload

Stage 3

OneDriveTimerUI.exe serves as a Bot Engine loader, with the Bot Engine being compressed and stored in the resources. Once the application is loaded, it decompresses the compressed file and executes Bot Engine.

Bot Engine

The Bot Engine is a C# backdoor framework that cybercriminals can use and customize with ease. The framework allows developers to enhance any feature without altering the core of the malware. Below is a list of the engine’s features:

  • A flexible library that can be used with and integrated into different malware modules.
  • A common library that provides AV detection, encryption methods, system profiling, and a common protocol between the engine and the C2.

Common Modules

Below is the list of libraries and modules included in the Bot Engine framework.

Module Name   Description
BotLoader     Downloads a binary from a URL and executes it.
Commonlib     Common classes to identify antivirus software, encryption and decryption functions, system information gathering, and a JSON library.
IceLoader     API to inject a DLL into a process.
DeviceID      API to generate a system ID for the infected system.
DInvoke       API to inject a .NET library.

IEngine

IEngine is a class that defines the methods the Bot Engine uses to perform C2 communication. This allows a developer to create new communication methods such as SSH, FTP or UDP. As the modules included in the Bot Engine demonstrate, the engine is highly flexible and capable of leveraging various platforms for C2 communication beyond the common web method.

The following are the engines included in this sample.

AzureWrapper

This is an engine wrapper that utilizes the Azure platform to retrieve commands from a specified folder and to upload any data extracted by the malware, such as stolen information. In this example, the bot continuously monitors the directory named ‘bdir’ for commands and uploads the data to the folder named ‘botshare’.

OneDriveWrapper

This is an engine wrapper that utilizes Microsoft’s SharePoint to retrieve commands from the SharePoint server. The location of the SharePoint folder is based on the account specified in the settings.

WebChannelWrapper

This engine wrapper communicates with the C2 server through web requests. The engine uses the POST method to retrieve commands from the C2.

C2 Command

The C2 commands are the set of instructions the Bot Engine uses to communicate with the C2. Each command is represented by a file name that includes the Bot ID of the infected machine and the specific command. Below is a list of these commands.

Name               Command                  Description
Powershell         b_<bot id>_ps.txt        Retrieve the PowerShell command to be executed by the Powershell module.
CMD                b_<bot id>_cmd.txt       Retrieve the DOS command to be executed by the Powershell module.
Stealer            b_<bot id>_stealer.txt   Retrieve the Stealer module from the C2.
Print Screen       b_<bot id>_scr.txt       Command to take a screenshot of the infected machine.
Print Screen File  b_<bot id>_scr.jpg       Command to send the captured screenshot to the C2.
Response           b_<bot id>_resp.txt      Specifies that the content is the output of a previous command.
Ping               b_<bot id>_ping.txt      Informs the C2 that the system is infected.
Pong               b_<bot id>_pong.txt      Specifies that the command has been retrieved.
Run                b_<bot id>_run.txt       Upload the output of the executed DLL.
Inject Shellcode   b_<bot id>_inject.txt    Specifies that the shellcode has been injected.
Kill               b_<bot id>_kill.txt      Command to terminate the malware.
Message            b_<bot id>_msg.txt       Send log messages to the C2.
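As an added example, not part of the original report, a small detection routine that recognises the b_<bot id>_<command> file names listed above in constructed proxy or share-access log lines and reconstructs each bot's command sequence for an analyst. The bot ID format and the sample log lines are assumptions; the suffix-to-command mapping follows the table.

```python
import re

# Suffix of the b_<bot id>_<suffix> file name -> command name from the report.
COMMAND_BY_SUFFIX = {
    "ps.txt": "Powershell", "cmd.txt": "CMD", "stealer.txt": "Stealer",
    "scr.txt": "Print Screen", "scr.jpg": "Print Screen File",
    "resp.txt": "Response", "ping.txt": "Ping", "pong.txt": "Pong",
    "run.txt": "Run", "inject.txt": "Inject Shellcode", "kill.txt": "Kill",
    "msg.txt": "Message",
}

# The bot ID format is not documented; assumed to be a token without underscores.
C2_NAME = re.compile(
    r"\bb_(?P<bot_id>[A-Za-z0-9-]+)_(?P<suffix>[a-z]+\.(?:txt|jpg))\b"
)


def classify(line: str):
    """Return (bot_id, command) if the line references a Bot Engine C2 file, else None."""
    m = C2_NAME.search(line)
    if not m:
        return None
    cmd = COMMAND_BY_SUFFIX.get(m.group("suffix"))
    return (m.group("bot_id"), cmd) if cmd else None


def scan(lines):
    """Group hits per bot ID so each bot's command sequence is visible in order."""
    hits = {}
    for line in lines:
        r = classify(line)
        if r:
            hits.setdefault(r[0], []).append(r[1])
    return hits


# Constructed share-access log lines (not taken from the report); the folder
# names 'bdir' and 'botshare' mirror the AzureWrapper description.
SAMPLE_LOG = [
    "2023-04-24T10:01:02Z PUT /botshare/b_DESKTOP7F3A_ping.txt 201",
    "2023-04-24T10:01:05Z GET /bdir/b_DESKTOP7F3A_ps.txt 200",
    "2023-04-24T10:01:09Z PUT /botshare/b_DESKTOP7F3A_resp.txt 201",
    "2023-04-24T10:02:00Z GET /bdir/b_DESKTOP7F3A_stealer.txt 200",
    "2023-04-24T10:02:30Z GET /static/b_unrelated_file.txt 404",
    "2023-04-24T10:03:00Z GET /images/logo.png 200",
]

if __name__ == "__main__":
    for bot, cmds in scan(SAMPLE_LOG).items():
        print(bot, "->", ", ".join(cmds))
```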

Modules

Name         Command         Description
PrintScreen  m_PRINTSCREEN   Take a screenshot of the desktop and return the bytes of the image.
Powershell   m_POWERSHELL    Execute a PowerShell command.
CMD          m_CMD           Execute a command and return its output.
Stealer      m_STEALER       Harvest system and application information, including application credentials and passwords saved in the browser.

Indicators of Compromise

Web Channel C2

hxxp://91.107.143[.]20/api/support

Web Channel C2

hxxp://95.217.248[.]46/api/support

Bot.dll

MD5: 5fb7e4ddb88b99cfb88e2294f62d9078
SHA1: b88e18a3c4926a188ed55201c5d894c4226093f8
SHA256: c5ebdc51e607782526b087aff5e3e2bf6fd5e68fa43efe32902d3d1099138b75

m_Bot.dll

MD5: 4d23ca54f57f2ce79afa9e1208c26ca0
SHA1: da7b74eea51a4a116cc0a3bee6a70d72b86d9ea7
SHA256: 7168a2fbd9344b1fd6d510f6a6eb414c186a719b84dc131f4b7ccd48785cb3e8

m_CMD.dll

MD5: e2912b300cca330251e519c38d68edfe
SHA1: 8303a32f6947052cc28d0b08b02ec51db60a217c
SHA256: 26041bc45cac9050cdf0270d1e33ba2706827288d319313c12d93a085da0ac21

m_POWERSHELL.dll

MD5: 87755b6d3b5024c795f02d4be412303f
SHA1: a3d1f93cd7dbbeba01261ae095fdc99278b72e4b
SHA256: 0bf00f13823860c53221d04f0b6c73a05426fc1934f46aa4963ef9ce1572cfd4

m_PRINTSCREEN.dll

MD5: 813d8765fd3fa02244633addcbbe2395
SHA1: 6b8ce38b6a36f1f377d37d2b5e41d9ebe2ce4f2f
SHA256: 8a08f32ca1cc16f4f2f675a8ef6c5452638d4debc5243d88c533269113f0b7f1

Conclusion

The Bot Engine backdoor is a straightforward backdoor that offers essential functionality, such as executing commands, dropping files, and retrieving files. What sets Bot Engine apart is the adaptability of its framework and how easily a developer can tailor the backdoor to suit a specific environment. Furthermore, since the malware resides in memory, detection of this attack must occur in memory. This backdoor is likely to remain a significant threat in the future.

About the Author

Nguyen Nguyen

Nguyen is a seasoned cybersecurity leader with over 15 years of experience in software engineering, malware research, and cyber threat intelligence.
