News on MultiBanker, features now a jabber p2p functionality

In March we blogged about the MultiBanker gang and their operation. It turns out that earlier this year they were updating their software, which is why we saw no active command & control server on the old infrastructure for some time.

New MultiBanker (2013) version

This is a very quick comparison between the old and the new MultiBanker version:

                            MultiBanker 1           MultiBanker 2
Highest known version       835                     43
Directory                   %AppData%               C:\Windows\System32
Main File                   appconf32.exe           jabcon32.exe
Main Mutex                  UpdateAppConf32         UpdateJbr32
Main activity inside        Browser process         explorer.exe

For their new version they have reset the version numbering and feature internal versions “a” and “f”. The domain generation algorithm remains the same (the first 4 characters of the domain change on every iteration).

A new feature is a potential Jabber p2p network functionality.
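As an added host-triage example (not code from the original post), the following PowerShell checks a Windows machine for the file and mutex artifacts of both versions listed in the comparison table above; the paths and mutex names are taken from the table, everything else is assumed.

```powershell
# Added example: look for the MultiBanker 1/2 host artifacts from the comparison table.
# Assumes only the directory, file name and mutex name given there.
$Indicators = @(
    @{ Family = 'MultiBanker 1'; Path = Join-Path $env:APPDATA 'appconf32.exe';            Mutex = 'UpdateAppConf32' },
    @{ Family = 'MultiBanker 2'; Path = Join-Path $env:SystemRoot 'System32\jabcon32.exe'; Mutex = 'UpdateJbr32' }
)

function Test-MutexExists {
    param([string]$Name)
    # A mutex created without a prefix lives in the session-local namespace;
    # the Global\ namespace is checked as well in case a sample changes that.
    foreach ($candidate in @($Name, "Global\$Name")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($candidate)
            $m.Dispose()
            return $true
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            continue
        } catch [System.UnauthorizedAccessException] {
            # The mutex exists but cannot be opened from this context: still a hit.
            return $true
        }
    }
    return $false
}

function Get-MultiBankerFindings {
    foreach ($ioc in $Indicators) {
        $fileHit  = Test-Path -LiteralPath $ioc.Path -PathType Leaf
        $mutexHit = Test-MutexExists -Name $ioc.Mutex
        # Hash any file found so it can be correlated or submitted for analysis.
        $hash = if ($fileHit) { (Get-FileHash -LiteralPath $ioc.Path -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            Family   = $ioc.Family
            FilePath = $ioc.Path
            FileHit  = $fileHit
            Mutex    = $ioc.Mutex
            MutexHit = $mutexHit
            Sha256   = $hash
        }
    }
}

Get-MultiBankerFindings | Format-Table -AutoSize
```

A mutex hit without a file hit (or the reverse) is still worth a closer look, since the table shows the gang renames artifacts between versions.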

Spot MultiBanker domains

Finding MultiBanker domains is easy. They always use one of these 3 WHOIS identities for their domains:

   Andreas Rueping
   +49.1708073753 fax: +49.1708073753
   Uhlenflucht 1A
   Barth Mecklenburg-Vorpommern 18356

   Julien Michel Dumke
   +49.1772525187 fax: +49.1772525187
   Koppelweg 28A
   Gifhorn Niedersachsen 38518

   Stefan Kuehlein
   +49.17675588328 fax: +49.17675588328
   Willy Brandt Strasse 82
   Bergisch Gladbach Nordrhein-Westfalen 51469

In the past weeks they were using the IP as the main server for all their domains. Some example domains:

These domains were all active for only a few hours. The criminals are actually testing their new software, hence the infection count is pretty low (only a handful per test botnet). On our servers we can see, for example, these infections:

MultiBanker 2 infections

Jabber P2P botnet functionality?

Interestingly, the bot software contains a potential Jabber (XMPP) p2p botnet functionality. When hooked into the Jabber chat, messages like the following appear:

We found the following login information via VirusTotal.

KEY: 0x000000b8\Pass01
VALUE: 515E5DC1 (successful)

KEY: 0x000000b8\jid01
VALUE: (successful)

Logged in with the ‘’ account, these are the other contacts:

MultiBanker Jabber

Where is this going?

The MultiBanker people are actively updating their software. A comparison of the new versions showed that they are still updating it, e.g. by changing the names of registry keys.

We will continue to monitor their operation and keep the public updated on any movements that we observe.