{
	"id": "4858ecd6-f338-4dae-8759-c430bee84771",
	"created_at": "2026-04-06T01:30:42.268826Z",
	"updated_at": "2026-04-10T13:12:58.062655Z",
	"deleted_at": null,
	"sha1_hash": "581cbe0cfae11e949a892c208a78d72874219734",
	"title": "Versions of PsixBot | Types of PsixBot Behaviour",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1070206,
	"plain_text": "Versions of PsixBot | Types of PsixBot Behaviour\r\nBy Comodo\r\nPublished: 2020-03-11 · Archived: 2026-04-06 00:53:37 UTC\r\nIntroduction of PSIXBOT:\r\nPsiXBot is a data-stealing trojan capable of harvesting confidential data and passwords from a victim’s computer. It can steal cookies, extract logins/passwords from applications like Firefox and Microsoft Outlook, record the victim’s keystrokes, allow criminals to remotely view/interact with the victim’s desktop, and can even add the victim’s computer to a botnet. It is most often spread via infected email attachments, via online adverts which contain the bot, and via other social engineering methods.\r\nThe original PsixBot malware surfaced in November 2017 but underwent significant development before arriving in beta format in 2019. It has since been developed further and, as of February 2020, stands at version 1.1.0.4.\r\nPsixBot was written in the .NET framework. This blog takes you through the various iterations of PsixBot to illustrate how online criminals constantly update their malware to improve its performance and features.\r\nBehaviour of PsixBot\r\nPsixBot changes the system certificate settings, which gives it virtually unlimited user access rights on the host machine:\r\nKeys added:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPeople\\Certificates\\636D2838EB7A7F3A8E6B6F7CD035375E7\r\nValues added:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\TrustedPeople\\Certificates\\636D2838EB7A7F3A8E6B6F7CD035375E\r\n02 00 00 ……..\r\nFiles added:\r\nC:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\SystemCertificates\\My\\Certificates\\636D2838EB7A7F3A8E6B6F7CD035375E7E704248\r\nBeta 1.0.0\r\nThe first version of PsixBot covered in this blog is Beta 1.0.0, with 11 core classes. Each class has its own task. The following basic classes are used in all versions of PsixBot:\r\nServertalk – used to initialize the global variables, create the connection with the mothership server, and send results back and forth.\r\nRunInMemory – used to actually execute the file.\r\nSysInfo – used to obtain information about the user’s system, including antivirus name, CPU, Windows version, user type and user permissions.\r\nCatchEndSession – used to create hidden autoruns.\r\nDeleteAttrib – used to kill the system’s antivirus software, Windows Explorer, and any system error alerts.\r\nIsAdmin – used to assume membership of the admin group.\r\nIsVm – detects the presence of any virtual machines.\r\nResolveBit – used to resolve DNS requests from the user.\r\nRC4 – the algorithm used to encrypt and decrypt data.\r\nInstall – installs the bot file and sets up the file’s security and update modules.\r\nVersion 1.0.2\r\nBeta 1.0.2 retained the basic class functionality of the first version, but renamed some of the classes as follows:\r\nServerTalk – renamed as CpWorker\r\nRunInMemory – renamed as MemoryModulesWorker\r\nSysInfo – renamed as SysHelper\r\n… and added the following class:\r\nDNSWorker – used to get the host entry and ping the host to check whether or not it is up.\r\nVersion 1.1\r\nVersion 1.1 again retained the same class structure as its predecessor but added the following task to the features list:\r\nForfg – used to obtain the path to the temp variable, set the DLL directory and write it to a .dat file:\r\nVersion 1.1.0.2\r\nVersion 1.1.0.2 saw an update whereby the FORFG feature was combined with the other feature list. All other classes and activities remained the same.\r\nVersion 1.1.0.4\r\nAgain, the basic classes remained the same as in the previous version, but with the addition of the following important class:\r\nGzipWebClient – used to decompress any Gzip files downloaded by the bot:\r\nFeature List Updates\r\nThreader – invokes the thread function used to run the file and run it in memory (RunInMemory).\r\nBot Key – PsixBot has a common, hard-coded key in all versions:\r\nNetwork Activities – PsixBot initially uses Google DNS, then later communicates with its own DNS:\r\nCore Modules per Version (figure)\r\nFeatures List per Version (figure)\r\nNetwork Traffic\r\nPsixBot initially connects to Google DNS, then connects to its own DNS server at greentowns.hk:\r\n193.32.188.136 (greentowns.hk)\r\n185.98.87.59 (greentowns.hk)\r\nIOC\r\nSHA-1 hash / Date / Version\r\na85e280e24099a2ffb5ea6efbe3fcb6fbc0c8cfa 09-04-2019 Beta 1.0.0\r\n0956cec17f1a8801042b8e6628f54e3156d05918 26-08-2019 1.0.2\r\n4d3b1bd14ca92609fa8d1a536d814fd0d54c5666 03-02-2020 1.1\r\na16c7263a36a235db8c71477be3f2442a8a5f894 04-02-2020 1.1.0.2\r\n1e29be939667354a8fe9477179c6851622118e23 12-02-2020 1.1.0.4\r\n193.32.188.136 (greentowns.hk)\r\n185.98.87.59 (greentowns.hk)\r\nSource: https://blog.comodo.com/comodo-news/versions-of-psixbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.comodo.com/comodo-news/versions-of-psixbot/"
	],
	"report_names": [
		"versions-of-psixbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775439042,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/581cbe0cfae11e949a892c208a78d72874219734.pdf",
		"text": "https://archive.orkl.eu/581cbe0cfae11e949a892c208a78d72874219734.txt",
		"img": "https://archive.orkl.eu/581cbe0cfae11e949a892c208a78d72874219734.jpg"
	}
}