.: Beast 2.01 (a) :.

By Tataye
Beast 2.01 (a)

Additional Details

  • Coded by: Tataye
  • Version: Beast 2.01 (a)
  • Family: Beast
  • Category: Remote Access

MegaSecurity Notes

Client:
registry keys added:
HKEY_CLASSES_ROOT\.bad 
HKEY_CLASSES_ROOT\.bst 
HKEY_CLASSES_ROOT\BeastFile 
HKEY_CLASSES_ROOT\BeastFile\DefaultIcon 
HKEY_CLASSES_ROOT\BeastFile\shell 
HKEY_CLASSES_ROOT\BeastFile\shell\open 
HKEY_CLASSES_ROOT\BeastFile\shell\open\command 
HKEY_CLASSES_ROOT\BeastFile1 
HKEY_CLASSES_ROOT\BeastFile1\DefaultIcon 
HKEY_CLASSES_ROOT\BeastFile1\shell 
HKEY_CLASSES_ROOT\BeastFile1\shell\open 
HKEY_CLASSES_ROOT\BeastFile1\shell\open\command 



Server:
dropped files:
c:\WINDOWS\SVCHOST.EXE 
c:\WINDOWS\COMMAND\msocge.com 
c:\WINDOWS\SYSTEM\msqmqr.com 

size: 52.224 bytes

port: 6666 TCP

startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "COM Service" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{44CC0112-AB51-22EF-BA32-20AA12E6115C} "StubPath" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "COM Service" 

added:
c:\WINDOWS\SYSTEM\qmqr.blf 

HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control

URL's and mails were automatically redacted (filtered) for reader's safety. However the filter is not perfect and can't find all harmful elements. If you find something dangerous including file link, website, mail address, profanity... contact me immediately at sub7crew@protonmail.com, thank you in advance.