Unsure about a bot? - Free Malware Analysis

Discussion in 'RuneScape 2007 Cheating' started by wizardzgame, Nov 13, 2013.

  1. Unread #1 - Nov 13, 2013 at 2:34 AM
  2. wizardzgame

    If you are unsure about a new bot/auto/etc you've come across, post a link to it here and I will examine it for hidden data streams, malicious file signatures, permission elevation requests, and files/registry keys that are edited/created/deleted with the help of multiple tools/sandboxes.

    Please only post here if you come with reason or suspicion that the file could be malicious.



    If you would rather do some investigating on your own, here are some free tools to use. If you are confident what you found is malicious please submit your file samples here. If you are confused about scan results, please post them here and I will assist you.

    Before reading on, please understand these tools are meant to assist you and are in no way a guaranteed way to know a file is 100% safe.

    You can read about sandbox evasion here.


    If you prefer Linux over Windows, I would suggest REMnux. It comes with an arsenal of malware analysis tools.

    Download:
    http://zeltser.com/remnux/

    Online Automated Malware Analysis tools

    http://anubis.iseclab.org/
    http://www.jotti.org/
    https://malwr.com/submission/
    http://www.threatexpert.com/filescan.aspx
    http://camas.comodo.com/
    http://valkyrie.comodo.com/
    http://eureka.cyber-ta.org/
    http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx
    https://www.vicheck.ca/
    http://www.xandora.net/xangui/

    Other Tools

    -Cuckoo Sandbox - Offline Malware Analyst Research Toolkit-
    http://www.cuckoosandbox.org/

    -Zero Wine Malware Analysis Tool-
    http://sourceforge.net/projects/zerowine/

    -Alternative Data Stream Scanner-
    http://www.pointstone.com/products/ADS-Scanner/

    -OllyDbg - Debugger-
    http://www.ollydbg.de/

    -Pin - Dynamic Binary Instrumentation Tool-
    http://www.pintool.org/

    -Buster Sandbox Analyser (Sandboxie Addon)-
    http://bsa.isoftware.nl/

    Learn About Malware Analysis

    -Understanding the limitations of automated malware analysis- Info
    -Installing/Using Cuckoo Sandbox- Info

    -What is a Virus Signature?- Info
    -What are Alternate Data Streams (ADS)? - Info 1 - Info 2 -Info 3

    -Unpacking/dissecting malware using Pintool - Info

    -Intro to debugging/malware analysis with OllyDbg - Info

    -Unpacking RunPE Malware- Info

    Written by Wizardzgame 11/13/2013
     
  3. Unread #2 - Nov 13, 2013 at 2:59 AM
  4. YoHoJo

    Thanks for helping and keeping us safe, but I'm sure all bots will definitely come up as false positives on lots of these scanners.

    As a general rule of thumb:
    Normally if a botting website has an active forum, it's legit.
    Plus you can read through script threads and see if the scripts are actually downloaded and working for people; if they are, it's most likely legit.
    No one would take the time to write a 100% functioning bot and then use it to hack people; they would make much more money selling it vs hacking people.

    Still some useful info and links though :).
     
  5. Unread #3 - Nov 13, 2013 at 3:09 AM
  6. wizardzgame

    A scanner oftentimes tells you it's malicious, but doesn't tell you why... that's why I'm here! If I do manual analysis I can determine WHY it was flagged and what the file is actually doing. And going by the "If it works, it's clean" mentality is why so many people get infected through torrents. I hope this post changes the way you think about it :)
     
  7. Unread #4 - Nov 15, 2013 at 11:02 AM
  8. TJOC

    Great service, thanks man.

    A suggestion I have is for you to also make a list at the bottom of this post of "Bots that are confirmed malicious" also with a date determined.
     