{
	"id": "1bad5c76-bb01-4dc1-87f9-9a087cb956b9",
	"created_at": "2026-04-06T00:18:39.74912Z",
	"updated_at": "2026-04-10T03:20:47.004685Z",
	"deleted_at": null,
	"sha1_hash": "ad6a5081bc29d9d23c632b76de20339831990f2d",
	"title": "Inside Neutrino botnet builder | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 643810,
	"plain_text": "Inside Neutrino botnet builder | Malwarebytes Labs\r\nBy hasherezade\r\nPublished: 2015-08-18 · Archived: 2026-04-05 12:35:46 UTC\r\nIt is common practice among cybercriminals to sell their products in the form of packages, consisting of:\r\na malicious payload – a frontend of the malware that is used for infecting users\r\na C\u0026C panel – a backend of the malware, usually designed as a web-application, often dedicated to\r\nLAMP environment\r\na builder – an application used for packing the payload and embedding in it information specific for the\r\ninterest of the particular distributor (the C\u0026C address, some configuration, etc)\r\nSuch packages are commercial products sold on the black market. However, from time to time it happens that the\r\nproduct leaks into mainstream media. It gives researchers a precious opportunity to take a closer look on the used\r\ntechniques.\r\nRecently, I found a leaked package containing the builder for the Neutrino botnet.  It is not the newest version (as\r\nusually the case), but it still provides lot of useful information that can help in comparative analysis with the\r\nsamples that are nowadays actively distributed.\r\nElements involved\r\n– Neutrino Builder – 32 bit PE, written in VS2013, packed with Safengine Shielden v2.3.6.0\r\n(md5=80660973563d13dfa57748bacc4f7758) – panel (written in PHP) – stub (payload) – 32 bit PE, written in\r\nMS Visual C++ (md5=55612860c7bf1425c939815a9867b560, section .text\r\nmd5=07d78519904f1e2806dda92b7c046d71)\r\nFunctionality\r\nNeutrino Builder v3.9.4\r\nThe builder has been written in Visual Studio 2013, and it requires the appropriate redistributable package to run.\r\nThe provided version is cracked (as the banner states: “Cracked and coded by 0x22”).\r\nThe functionality of this tool is very simple – it just asks a user for the C\u0026C address and writes it inside 
the payload:\r\nhttps://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/\r\nPage 1 of 10\n\nComparing 2 payloads – the original one, and the one edited by the Builder – we can see that the changes made by the builder are really small – it simply encrypts the supplied URL and stores it in the dedicated section.\r\nBelow: left (stub) – original payload, right (test_stub.exe) – edited payload.\r\nPanel\r\nThe package contains full instructions written in Russian (readme.txt), where we can find many interesting details about the functionality (examples below).\r\nThe requirements for the panel installation:\r\nPHP\r\nMySQL not lower than 5.6 (for the full functionality)\r\nDefault login and password to the panel: admin, admin\r\nTasks performed by the infected client on demand:\r\nvarious types of DDoS attacks\r\nkeylogging (enable/disable), including – trace text in a defined window\r\nfind file of the defined type\r\nupdate bot\r\nremove bot\r\nDNS spoofing (redirect address X to address Y)\r\nformgrabbing, stealing FTP credentials\r\ndownload and execute a file of one of the following types (EXE, DLL, bat, vbs)\r\nadd defined entry into the Windows Registry\r\n[code language=\"php\" title=\"functions.php\" firstline=\"266\"]\r\nfunction EncodeCommand($command)\r\n{\r\n    switch (strtolower($command)) {\r\n        case \"ddos\": return \"http\"; break;\r\n        case \"https ddos\": return \"https\"; break;\r\n        case \"slowloris ddos\": return \"slow\"; break;\r\n        case \"smart http ddos\": return \"smart\"; break;\r\n        case \"download flood\": return \"dwflood\"; break;\r\n        case \"udp ddos\": return \"udp\"; break;\r\n        case \"tcp ddos\": return \"tcp\"; break;\r\n        case \"find file\": return \"findfile\"; break;\r\n        case \"cmd shell\": return \"cmd\"; break;\r\n        case \"keylogger\": return \"keylogger\"; break;\r\n        case \"spreading\": return \"spread\"; break;\r\n        case \"update\": return \"update\"; break;\r\n        case \"loader\": return \"loader\"; break;\r\n        case \"visit url\": return \"visit\"; break;\r\n        case \"bot killer\": return \"botkiller\"; break;\r\n        case \"infection\": return \"infect\"; break;\r\n        case \"dns spoofing\": return \"dns\"; break;\r\n    }\r\n    return \"failed\";\r\n}\r\n[/code]\r\nThe C\u0026C is very sensitive to illegitimate requests and reacts by blacklisting the IP of the source:\r\n[code language=\"php\" title=\"functions.php\" firstline=\"93\" highlight=\"97,100,104\"]\r\nfunction CheckBotUserAgent($ip)\r\n{\r\n    $bot_user_agent = \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\";\r\n    if ($_SERVER['HTTP_USER_AGENT'] != $bot_user_agent) {\r\n        AddBan($ip);\r\n    }\r\n    if (!isset($_COOKIE['authkeys'])) {\r\n        AddBan($ip);\r\n    }\r\n    $cookie_check = $_COOKIE['authkeys'];\r\n    if ($cookie_check != \"21232f297a57a5a743894a0e4a801fc3\") { /* md5(admin) */\r\n        AddBan($ip);\r\n    }\r\n}\r\n[/code]\r\nLooking at install.php we can also see what the formgrabbing targets are. The list includes the most popular e-mail and social networking sites (Facebook, LinkedIn, Twitter and others).\r\n[code language=\"php\" title=\"install.php\" firstline=\"103\"] $ff_sett = \"INSERT INTO `formgrabber_host` (`hostname\r\nThe main file used for communication with the bot is tasks.php. Only POST requests are accepted. Below: adding information sent by a bot into the database:\r\n[code language=\"php\" title=\"tasks.php\" firstline=\"20\"] if ($_SERVER[\"REQUEST_METHOD\"] != \"POST\") { AddBan($real\r\nOpening index.php causes the client’s IP to be added into a blacklist (unconditionally):\r\n[code language=\"php\" title=\"index.php\" firstline=\"18\" highlight=\"20\"]\r\nConnectMySQL($db_host, $db_login, $db_password, $db_database);\r\nCheckBan($real_ip);\r\nAddBan($real_ip);\r\n[/code]\r\nStub\r\nAll the commands that can be found in the backend are reflected in the frontend. 
We can see it clearly, because the payload is not obfuscated!\r\nThe hard-coded authkey that is checked by the C\u0026C occurs in every request sent by the bot:\r\nThe bot registers itself with the C\u0026C, reporting its version and environment:\r\nImplementation of the commands requested by the C\u0026C (selected examples):\r\nDownloading the specified payload from the C\u0026C:\r\nKeylogger (fragment)\r\nFramegrabber (fragment)\r\nSteal clipboard content (fragment):\r\nThe stolen content (i.e. logged keys) is saved in a file (logs.rar). Further, the file is read and uploaded to the C\u0026C:\r\nWrapping the file in a POST request:\r\nAlso, the success or failure of every task requested by the C\u0026C is reported by the bot:\r\nThis malware is a threat not only to the local computer. It also scans the LAN searching for shared resources and steals them:\r\nSteal shared (fragment):\r\nDefensive techniques\r\nThe payload also contains an extensive set of various defensive functions.\r\nIn addition to the well-known checks – like IsDebuggerPresent – we can find some that are less widespread – like checking the user name against names used by known sandboxes: “maltest”, “tequilaboomboom”, “sandbox”, “virus”, “malware”. 
Full set explained below:\r\nis debugger present, via: IsDebuggerPresent\r\nis remote debugger present, via: CheckRemoteDebuggerPresent(GetCurrentProcess(), pDebuggerPresent)\r\ncheck if running under Wine, via: GetProcAddress(GetModuleHandleW(“kernel32.dll”), “wine_get_unix_file_name”)\r\nCheck presence of blacklisted substrings (ignoring case):\r\nusername, via: GetUserNameW vs {“MALTEST”, “TEQUILABOOMBOOM”, “SANDBOX”, “VIRUS”, “MALWARE”}\r\ncurrent module name, via: GetModuleNameW vs {“SAMPLE”, “VIRUS”, “SANDBOX”}\r\nBIOS version, via registry key: “HARDWARE\\Description\\System”, value “SystemBiosVersion” against: {“VBOX”, “QEMU”, “BOCHS”}\r\nvideo BIOS version, via registry key: “HARDWARE\\Description\\System”, value “VideoBiosVersion” against: “VIRTUALBOX”\r\nSCSI, via registry key: “HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id”, value “Identifier”, against {“VMWARE”, “VBOX”, “QEMU”}\r\nCheck presence of:\r\nVMwareTools, via registry key: SOFTWARE\\VMware, Inc.\\VMware Tools\r\nVBoxGuestAdditions, via registry key: SOFTWARE\\Oracle\\VirtualBox Guest Additions\r\nConclusion\r\nMalware analysts usually deal with just one piece of the puzzle from the set listed above – the malicious payload. Having a look at full packages, like the one described above, helps to see the bigger picture.\r\nIt also gives a good overview of how the actions of distributing malware are coordinated. As we can see, criminals are provided with a very easy way to bootstrap their own malicious C\u0026C. It doesn’t really require advanced technical skills to become a botnet owner. 
We live in an age when malware is a weapon available to the masses – that’s why it is so crucial for everyone to have solid and layered protection.\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/"
	],
	"report_names": [
		"inside-neutrino-botnet-builder"
	],
	"threat_actors": [],
	"ts_created_at": 1775434719,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad6a5081bc29d9d23c632b76de20339831990f2d.pdf",
		"text": "https://archive.orkl.eu/ad6a5081bc29d9d23c632b76de20339831990f2d.txt",
		"img": "https://archive.orkl.eu/ad6a5081bc29d9d23c632b76de20339831990f2d.jpg"
	}
}