{
	"id": "d827fef4-8f3d-414a-aafc-15b1b5ff0091",
	"created_at": "2026-04-06T00:15:23.559652Z",
	"updated_at": "2026-04-10T03:21:28.02466Z",
	"deleted_at": null,
	"sha1_hash": "7608cef65cca3f3adb79cb4456ef9ed2253c4bb9",
	"title": "PsiXBot: The Evolution Of A Modular .NET Bot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 477573,
	"plain_text": "PsiXBot: The Evolution Of A Modular .NET Bot\r\nBy maartenvandantzigfoxit\r\nPublished: 2019-03-27 · Archived: 2026-04-05 21:22:54 UTC\r\nSummary\r\nIn this blog we will share our analysis of a modular piece of malware which is referred to by the author as PsiXBot. The\r\nmalware first surfaced in 2017 but has recently undergone significant developments of its core and modules, which include\r\nthe logging of keystrokes and stealing of Outlook and browser credentials. With these new developments done and the first\r\nlarge scale distributions observed in the wild, PsiXBot has officially made its debut in the malware ecosystem.\r\nIntroduction\r\nFox-IT actively monitors cyber criminal activity on a daily basis in order to proactively identify threats that are relevant to\r\nour customers. On the 21st of February 2019 we noticed SmokeLoader, a popular bot used to install additional malware on\r\ninfected machines for a fee, push a task in order to distribute a .NET malware sample. Further research on the sample\r\nrevealed a bot with a modular nature and capabilities, such as stealing data from infected hosts as well as receiving\r\ndownload \u0026 execute tasks. Our interest was further peaked when the Spelevo Exploit Kit started distributing the same\r\nmalware on the 16th of March at which point we decided to further investigate this piece of malware, resulting in the\r\nfindings below.\r\nHaving seen it evolve since 2017 to now getting out from beta versioning, we observe its being distributed by multiple\r\ninfection vectors, such as exploit kits and malware loaders.\r\nAnalysis\r\nDuring routine threat research activity, we stumbled upon a tweet on what seemed to be an early version of the malware\r\nknown as PsiXBot. 
In the same Twitter thread a link was also shared to a very early version of that same malware.\r\nAn overview of the versions is found below:\r\nMid 2017: First version spotted in the wild (SHA256: d2ee07bf04947cac64cc372123174900725525c20211e221110b9f91b7806332);\r\nAugust 2018: Updated version spotted (SHA256: ce0e46fa1c5b463ed4a070a05594a79203ed2dd5df96cece9f875e2957fda4fa);\r\nEarly 2019: The latest version is now being distributed via different infection vectors (SHA256: ca30c42334fcc693320772b4ce1df26fe5f1d0110bc454ec6388d79dffea4ae8).\r\nThe illustration below displays the code structure of the versions: the first version to the left and the most recent one to the right.\r\nhttps://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/\r\nPage 1 of 10\r\nNote that the name PsiX is derived from the name of the assembly. Looking at the PDB path, the same naming is again present: G:\\WORK\\MONEY\\BOT\\NoName\\PsiX\\obj\\Release\\NoNameBot.pdb\r\nAdditionally, looking at the sample displayed in the center of the image above, the name “Radius” can be spotted as well. Part or all of this name can also be observed among the C\u0026Cs, such as radcall.bit, radbot.bit and rrradiusspace.bit.\r\nThe differences we observed across the versions are mostly:\r\nNew commands supported by adding different modules;\r\nEncryption of the strings with AES;\r\nVersion number updated from Beta 1.0.0 to 1.0.1.\r\nThe analysis below is centered on the most recent version.\r\nAs already seen, the malware is written in .NET and it is not obfuscated. Typically it’s distributed within a dropper which hides the main payload. Once executed, the Main() function is invoked. 
It first verifies that it is the only running instance by checking for a hardcoded mutex (for the sample analyzed: gfdhfyf543543cdsdfsdf), then it executes a loop that mimics a sleep function before activating.\r\nMost of the strings are encrypted with AES using a hardcoded string key. For this sample the key is:\r\n1243hewqr8n1220g321\u0026^*\u0026^Tb0\r\nThe malware also checks the language settings of the victim: if the language is set to ru-RU (Russian) the malware will exit. For all other language settings the malware will continue its malicious activity.\r\nAn additional check compares the filename with the one configured. If it does not match, the malware proceeds with the installation process, which is done by invoking the CopyEx method via WMI and invoking the copied binary again via WMI. The installation path is Local\\Microsoft\\.exe in the %APPDATA% folder.\r\nAfter the installation the malware contacts the configured C\u0026Cs, which are initialized by the following code:\r\npublic static string[] valid = new string[]\r\n{\r\n    \"pppoe.bit\",\r\n    \"weather0.bit\",\r\n    \"mygranny.bit\",\r\n    \"six6.bit\",\r\n    \"learncpp.bit\"\r\n};\r\nIn order to communicate with the .bit domains it uses hardcoded DNS servers (193.37.213.223 for the sample used in this analysis). After DNS resolution, it sends a ping to the C\u0026Cs in order to identify the first one that is up.\r\nThe bot reports to its C\u0026C some information gathered from the infected host. 
An example of the string used in the request is:\r\naction=call\u0026user_name=john\u0026bot_id=D63BAFF79F3A3504C70DC3298EE74C68\u0026av=N/A\u0026os_major=Microsoft Windows 7 Home Basic N \u0026permissions=User\u0026os_bit=64\u0026cpu=Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz\u0026gpu=Standard VGA Graphics Adapter\u0026ram=2048\u0026hdd=C:12345/67890\u0026version=1.0.1\u0026user_group=Admin\u0026pc_net=4.0\r\nThe meanings of the parameters are:\r\naction: the purpose of the request;\r\nuser_name: username of the victim’s host;\r\nbot_id: unique string to identify the infected host;\r\nav: name of the AntiVirus software installed;\r\nos_major: name of the OS installed;\r\npermissions: username’s permissions;\r\nos_bit: OS architecture;\r\ncpu: CPU model;\r\ngpu: GPU model;\r\nram: RAM available;\r\nhdd: HDD serial number;\r\nversion: version number of the malware (latest one is 1.0.1);\r\nuser_group: user group name the username is part of;\r\npc_net: version of the .NET framework installed.\r\nThe data transfer is encrypted with RC4 using a hardcoded key, which for this sample is 63a6a2eea47f74b9d25d50879214997a. It is interesting to note that the author encrypted most of the strings, except the RC4 encryption key, C\u0026Cs and DNS servers, which are in plain text.\r\nThe C\u0026C answers with a JSON string, like the following one:\r\n{\r\n    result_code: [\r\n        {\r\n            \"result_code\": \"200\",\r\n        }\r\n    ]\r\n}\r\nIf the server returns a valid response, the malware sleeps for 95 seconds before requesting a new command to execute. 
This is done by sending the data:\r\naction=command\u0026bot_id=D63BAFF79F3A3504C70DC3298EE74C68\r\nAn example of a response is the following one:\r\n{\r\n    \"result_code\": [\r\n        {\r\n            \"result_code\": \"200\"\r\n        }\r\n    ],\r\n    \"commands\": [\r\n        {\r\n            \"command_id\": \"1485\",\r\n            \"command_action\": \"GetSteallerPasswords\",\r\n            \"command_data\": \"\",\r\n            \"command_arg\": \"\"\r\n        },\r\n        {\r\n            \"command_id\": \"1486\",\r\n            \"command_action\": \"StartSchedulerModule\",\r\n            \"command_data\": \"\",\r\n            \"command_arg\": \"\"\r\n        }\r\n    ]\r\n}\r\nIn the example above the C\u0026C asks for the execution of two commands. The command_action value is the exact name of the method that must be invoked. The malware resolves the method dynamically according to this value. In order to avoid hardcoded strings, the author implemented an easy way to upgrade the malware: if the method name sent by the C\u0026C is not present in the malware during execution, the method/call is simply ignored.\r\nFor one particular method invocation the malware uses a type named SukaBlyat, which is an offensive term used as Russian slang.\r\nThe two received commands are used in order to ask the C\u0026C server for additional modules. 
The data transferred when requesting the module is:\r\naction=module\u0026bot_id=D63BAFF79F3A3504C70DC3298EE74C68\u0026module_action=SchedulerModule\r\nSubsequently, the module is downloaded and executed, while the following command is sent:\r\naction=result\u0026command_id=1485\u0026command_result=6E756C6C\r\nThe commands currently supported are:\r\nDownload\r\nDownloadAndExecute\r\nExecute\r\nGetInstalledSoft\r\nGetKeylogs\r\nGetOutlook\r\nGetProcessesList\r\nGetScreenShot\r\nGetSteallerCookies\r\nGetSteallerPasswords\r\nStartAndroidModule\r\nStartBTC\r\nStartComplexModule\r\nStartKeylogger\r\nStartNewComplexModule\r\nStartSchedulerModule\r\nStopProcess\r\nModules\r\nThe modules available for this recent version of the bot are:\r\nBrowserModule (assembly name stMod.exe): used to dump passwords or cookies from a variety of browsers as well as from the FileZilla FTP client. It accepts an argument to specify which data to dump: -passes for the passwords or -cookies for the cookies. The program returns a string with all the stolen information. It seems to be based on the QuasarRAT project;\r\nBTCModule (assembly name LESHI.exe): accepts an argument and a cryptocurrency address. The supported address types are: -btc, -ether, -ltc, -monero and -ripple. Once such an address is configured, the program proceeds to monitor the clipboard every 3 seconds and verifies whether the copied text is a valid address and of which type. If the check is successful the malware replaces the text with one of the configured wallet addresses;\r\nComplexModule (assembly name Client.exe): an old version of the open source RAT QuasarRAT. 
In particular the xclient string (which is part of this module namespace) was present in a fork from 2016 (see https://github.com/GeekGalaxy/QuasarRAT). Also within the decompiled source code we retrieved the type name QuasarClient;\r\nKeyLoggerModule (assembly name KeyLoggerModule.exe): uses the SetWindowsHookEx API in order to set a global hook and intercept keystrokes. The intercepted keys are saved in a file named Logger.log;\r\nNewComplexModule (assembly name RemoteClient.exe): implements a remote-desktop-like program. It allows streaming the user’s desktop, interacting with it and starting the browser. The code does not seem to be anything publicly available;\r\nOutlookModule (assembly name OutlookPasswordRecovery.dll): dumps the Outlook passwords and returns a string with the information retrieved;\r\nSchedulerModule (assembly name Scheduler.exe): used to ensure persistence. It just creates a scheduled task to run the bot every 60 seconds.\r\nDistribution\r\nTypically, there are two ways of spreading such a strain of malware: infecting new unwitting victims and leveraging existing compromised systems. 
Fox-IT observes the PsiXBot actors are able to do both – delivering their malware via malspam campaigns or exploit kits (such as the Spelevo Exploit Kit) as well as using services offered on underground markets, such as SmokeLoader, to load malware on (pre-infected) devices.\r\nSmokeLoader\r\nThe SmokeLoader bot from which we received the task to distribute the PsiXBot malware was configured with the below metadata:\r\nThe distribution URL sent by SmokeLoader’s task is:\r\nhxxp://favoritfile.in/7-8.exe\r\nFrom the referenced distribution URL we managed to download the sample with SHA256: 9b8c0c82fe79ae15e0f723d6aa267d38d359a7260613a091a2d70d770488e919\r\nThe C\u0026Cs of this sample are:\r\nmyauto.bit\r\nsokoban.bit\r\nSpelevo Exploit Kit\r\nWith regards to the Spelevo Exploit Kit, the sample distributed is identified by SHA256: ca30c42334fcc693320772b4ce1df26fe5f1d0110bc454ec6388d79dffea4ae8\r\nThe C\u0026C servers of this sample are:\r\nlearncpp.bit\r\nmygranny.bit\r\npppoe.bit\r\nsix6.bit\r\nweather0.bit\r\nAnother distribution vector observed is spam mailings. 
One of the spam campaigns we managed to identify is Italian themed, with the following metadata:\r\nReceiver from pecfe04.sogei.it (pecfe04.sogei.it [26.2.42.237]) by PECP-BE02 (lmtpd) with LMTP id 28663.002; Tue, 8 Jan 2019 16:22:51 +0100 (CET)\r\nReceiver from PECP-FE04 ([127.0.0.1]) by pecfe04.sogei.it (Dovecot) with LMTP id 474fM6e/NFysCAAAxEz/xA ; Tue, 08 Jan 2019 16:22:51 +0100\r\nReceiver from mx.pec.sogei.it (localhost [127.0.0.1]) by smtps.pec.sogei.it (Postfix) with ESMTP id 43YwxQ6pm5zgYCT for \u003cprotocollo@pec.agenziariscossione.gov.it\u003e; Tue, 8 Jan 2019 16:22:50 +0100 (CET)\r\nReceiver from smtps.pec.aruba.it (smtpecgo01.pec.aruba.it [80.88.94.21]) by mx.pec.sogei.it (Postfix) with ESMTPS for \u003cprotocollo@pec.agenziariscossione.gov.it\u003e; Tue, 8 Jan 2019 16:22:50 +0100 (CET)\r\nReceiver from avvocatismcv.com (ipvspec1.pec.ad.aruba.it [62.149.152.1]) by smtps.pec.aruba.it (Postfix) with ESMTPSA id 43YwxQ2V8Sz2L7hcc; Tue, 8 Jan 2019 16:22:50 +0100 (CET)\r\nReply-To luigi.ferrandino@avvocatismcv.com\r\nReturn-Path luigi.ferrandino@avvocatismcv.com\r\nAttachments [\"daticert.xml\", \"Nuovi_contratti_2019__145038.zip\", \"smime.p7s\"]\r\nNumber_of_attachments 3\r\nDate 2019-01-08 15:22:50 (UTC)\r\nTo [\"luigi.ferrandino@avvocatismcv.com\"]\r\nFrom \"Per conto di: luigi.ferrandino@avvocatismcv.com\" \u003cposta-certificata@pec.aruba.it\u003e\r\nSubject POSTA CERTIFICATA: Re: Notificazione ai sensi della legge n. 
53 del 1994\r\nThe zip contained a JavaScript file (SHA256: e4006cde4a96048ff25727459abfae0ffd37985d04581793be784d7cf50e32d7) which, once executed, tried to fetch the next stage from the following URL:\r\nhxxp://img.martatovaglieri.it/index?83836\r\nThe binary downloaded from this URL can be identified with SHA256: db1f57ffd6c58e1d40823e2c8834e45a67271557ceaa1b3bcccf4feab83243a1.\r\nThe C\u0026C of this sample is:\r\nanyname.bit\r\nPanel\r\nThe screenshot below shows PsiXBot’s login panel:\r\nThe following noteworthy code is inside the HTML:\r\n\u003c!-- saved from url=(0043)hxxps://kyrkymalol.000webhostapp.com/admin/ --\u003e\r\nIOCs\r\nThe most relevant malware hashes can be found below:\r\nPsiXBot first version: d2ee07bf04947cac64cc372123174900725525c20211e221110b9f91b7806332\r\nPsiXBot updated version: ce0e46fa1c5b463ed4a070a05594a79203ed2dd5df96cece9f875e2957fda4fa\r\nPsiXBot latest version: ca30c42334fcc693320772b4ce1df26fe5f1d0110bc454ec6388d79dffea4ae8\r\nBrowserModule: 6a9841b7e19024c4909d0a0356a2eeff6389dcc1e2ac863e7421cca88b94e7e0\r\nSchedulerModule: 6e123ce5c7c48132f057428c202638eb9d0e4daa690523619316a9f72b69d17f\r\nBTCModule: 3846fcfdc6414685efd217a88613ed3383a61f8313a0aa7ecdcde8ed99c8ebac\r\nKeyLoggerModule: 7bac9b3b5598059db770cdeee74f0b1cf3078c2cb54cc2fcd18ae811d42a5d63\r\nComplexModule: 0f931fec3fd436d974d767f84f66b44f6f2fc168d9e6d77b2aa2e9d3bf4cd604\r\nNewComplexModule: a5edab1596346358c8899b9f81ec49b0560da929327e0ef08ab51dcb277c9b70\r\nOutlookModule: b01fbb8cfeb16c4232fddea6dea53212a57e73ef32ee20056cd69d29570bf55c\r\nThe full set of indicators of compromise can be found on our GitHub page.\r\nMore information on the threat actors behind PsiXBot is available for InTELL customers on Fox-IT’s cybercrime 
portal.\r\nStefano Antenucci \u0026 Antonio Parata (Fox-IT InTELL)\r\nSource: https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/"
	],
	"report_names": [
		"psixbot-the-evolution-of-a-modular-net-bot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7608cef65cca3f3adb79cb4456ef9ed2253c4bb9.pdf",
		"text": "https://archive.orkl.eu/7608cef65cca3f3adb79cb4456ef9ed2253c4bb9.txt",
		"img": "https://archive.orkl.eu/7608cef65cca3f3adb79cb4456ef9ed2253c4bb9.jpg"
	}
}