Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

Postby Xylitol » Sat May 26, 2012 12:25 pm

Fun
Code:
00420CD8  |.  68 C0194000   PUSH 4019C0                              ; |Text = "Coded by BRIAN KREBS for personal use only. I love my job & wife."

two more C&C
Code:
hxxp://inbani.com/js/res/cp.php?m=login
hxxp://inbani.com/js/res/theme/images/citadel.jpg
--
hxxp://lotosmusicfm.net/jstat/cp.php
hxxp://lotosmusicfm.net/jstat/theme/images/citadel.jpg

https://www.virustotal.com/file/6f6b5fe ... 338035569/
Xylitol
Global Moderator
 
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479

Re: Citadel (Zeus clone)

Postby obnoxiousdiablo » Tue May 29, 2012 10:03 pm

Hi Xylitol,

Thanks a lot for sharing this info. What is the file in the zip with 140K size? Is that the cfg downloaded?

Is it possible to share the packet dump you may have?

Thank you.

Regards,
obnoxiousdiablo
 
Posts: 3
Joined: Thu May 24, 2012 9:03 am
Reputation point: 0

Re: Citadel (Zeus clone)

Postby obnoxiousdiablo » Wed May 30, 2012 1:36 am

Never mind. I figured out it was encrypted cfg downloaded during your analysis. It is targeting mainly European banks at the moment. Will be great if you could post more citadel with cfg as they come along.

Much appreciated,
obnoxiousdiablo
 
Posts: 3
Joined: Thu May 24, 2012 9:03 am
Reputation point: 0

Re: Citadel (Zeus clone)

Postby Evilcry » Mon Jun 11, 2012 6:24 am

Evilcry
 
Posts: 135
Joined: Tue Apr 20, 2010 6:10 pm
Reputation point: 90

Re: Citadel (Zeus clone)

Postby Xylitol » Tue Oct 16, 2012 12:58 pm

Some files (php/exe) dumped from Citadel 1.3.4.5 server

https://zeustracker.abuse.ch/monitor.ph ... orumin.net
There is also a bleeding life v2:
Code:
hxxp://fastforumin.net:808/sp/statistics/login.php

Real gate:
Code:
hxxp://5.9.62.149:50800/mainsession/gate.php

C&C:
Code:
hxxp://5.9.62.149:50800/mainsession/cp.php

lulz:
Code:
hxxp://5.9.62.149:50800/mainsession/install/
• [0] - Connecting to MySQL as 'joe'.
• [0] - Selecting DB 'joe_bot_db1'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_120812'.
• [0] - Updating table 'botnet_reports_120813'.
• [0] - Updating table 'botnet_reports_120814'.
• [0] - Updating table 'botnet_reports_120815'.
• [0] - Updating table 'botnet_reports_120816'.
• [0] - Updating table 'botnet_reports_120817'.
• [0] - Updating table 'botnet_reports_120818'.
• [0] - Updating table 'botnet_reports_120819'.
• [0] - Updating table 'botnet_reports_120820'.
• [0] - Updating table 'botnet_reports_120821'.
• [0] - Updating table 'botnet_reports_120822'.
• [0] - Updating table 'botnet_reports_120823'.
• [0] - Updating table 'botnet_reports_120824'.
• [0] - Updating table 'botnet_reports_120825'.
• [0] - Updating table 'botnet_reports_120826'.
• [0] - Updating table 'botnet_reports_120827'.
• [0] - Updating table 'botnet_reports_120828'.
• [0] - Updating table 'botnet_reports_120829'.
• [0] - Updating table 'botnet_reports_120830'.
• [0] - Updating table 'botnet_reports_120831'.
• [0] - Updating table 'botnet_reports_120901'.
• [0] - Updating table 'botnet_reports_120902'.
• [0] - Updating table 'botnet_reports_120903'.
• [0] - Updating table 'botnet_reports_120904'.
• [0] - Updating table 'botnet_reports_120905'.
• [0] - Updating table 'botnet_reports_120906'.
• [0] - Updating table 'botnet_reports_120907'.
• [0] - Updating table 'botnet_reports_120908'.
• [0] - Updating table 'botnet_reports_120909'.
• [0] - Updating table 'botnet_reports_120910'.
• [0] - Updating table 'botnet_reports_120911'.
• [0] - Updating table 'botnet_reports_120912'.
• [0] - Updating table 'botnet_reports_120925'.
• [0] - Updating table 'botnet_reports_120926'.
• [0] - Updating table 'botnet_reports_120929'.
• [0] - Updating table 'botnet_reports_120930'.
• [0] - Updating table 'botnet_reports_121001'.
• [0] - Updating table 'botnet_reports_121002'.
• [0] - Updating table 'botnet_reports_121003'.
• [0] - Updating table 'botnet_reports_121004'.
• [0] - Updating table 'botnet_reports_121005'.
• [0] - Updating table 'botnet_reports_121006'.
• [0] - Updating table 'botnet_reports_121007'.
• [0] - Updating table 'botnet_reports_121011'.
• [0] - Updating table 'botnet_reports_121012'.
• [0] - Updating table 'botnet_reports_121013'.
• [0] - Updating table 'botnet_reports_121014'.
• [0] - Updating table 'botnet_reports_121015'.
• [0] - Updating table 'botnet_reports_121016'.
• [0] - Filling table 'ipv4toc'.
• [1] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'botnet_rep_domains'.
• [3] - Updating table 'botnet_rep_domainlogs'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'botnet_rep_dedup'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_rep_iframer'.
• [3] - Updating table 'botnet_rep_filehunter'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Creating folder '_reports102979970'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
-- Update complete! --
Xylitol
Global Moderator
 
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479


Re: Citadel (Zeus clone)

Postby Xylitol » Fri Oct 19, 2012 11:55 am

Another sample in attach.
Code:
Citadel C&C - hxxp://78.46.226.50/ajax/cp.php?m=login
401 - hxxp://78.46.226.50/1/
calc.exe exploit - hxxp://78.46.226.50/ajax/t/ - hxxp://78.46.226.50/ajax/t/chk.html - hxxp://78.46.226.50/ajax/t/calc.exe
log parser - hxxp://78.46.226.50/p/
pma - hxxp://78.46.226.50/phpmyadmin/setup/
Xylitol
Global Moderator
 
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479
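The C&C URLs shared in the posts above (May 26, Oct 16 and Oct 19) are defanged with hxxp:// so they are not clickable. A defender's first step with such a list is to refang it, normalise each entry into host, port and path, and check outbound web-proxy logs for contact with those panels and gates. The following Python is an example added here, not code from Xylitol or from the forum; the indicator list is copied from the posts, the proxy-log lines and their "client host:port path" format are constructed for the example, and the match levels ("url" for an exact path hit, "host" for traffic to a known C&C host on the listed port but a different path) are this example's own convention.

```python
"""Refang the defanged Citadel indicators from this thread and match them
against proxy log lines.  Example code added to the page, not the poster's."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators copied from the posts in this thread (hxxp:// defanged).
# fastforumin.net is the Bleeding Life panel, the rest are Citadel paths.
RAW_INDICATORS = """
hxxp://inbani.com/js/res/cp.php?m=login
hxxp://inbani.com/js/res/theme/images/citadel.jpg
hxxp://lotosmusicfm.net/jstat/cp.php
hxxp://lotosmusicfm.net/jstat/theme/images/citadel.jpg
hxxp://fastforumin.net:808/sp/statistics/login.php
hxxp://5.9.62.149:50800/mainsession/gate.php
hxxp://5.9.62.149:50800/mainsession/cp.php
hxxp://78.46.226.50/ajax/cp.php?m=login
hxxp://78.46.226.50/ajax/t/calc.exe
"""


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, hxxps://, [.]) back into a real one."""
    url = url.strip()
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def parse_indicator(url: str) -> dict:
    """Split a (defanged) URL into host, port and path; the query is dropped
    because panel logins vary it (?m=login) while the path stays fixed."""
    parts = urlsplit(refang(url))
    default_port = 443 if parts.scheme == "https" else 80
    return {"host": parts.hostname, "port": parts.port or default_port,
            "path": parts.path}


def load_indicators(text: str) -> list:
    return [parse_indicator(line) for line in text.splitlines() if line.strip()]


INDICATORS = load_indicators(RAW_INDICATORS)

# Constructed proxy log lines: "<client> <host>:<port> <path>".
SAMPLE_LOG = """\
10.0.0.12 5.9.62.149:50800 /mainsession/gate.php
10.0.0.12 www.example.org:80 /index.html
10.0.0.7 78.46.226.50:80 /ajax/cp.php
10.0.0.9 lotosmusicfm.net:80 /jstat/theme/images/citadel.jpg
10.0.0.3 5.9.62.149:50800 /mainsession/file.php
"""

LOG_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+)$")


def match_line(line: str) -> Optional[dict]:
    """Return a hit record for a log line, or None.  An exact host/port/path
    match is level 'url'; any other request to a listed host:port is 'host',
    a weaker signal worth triage since the gate path may have been renamed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, host, port, path = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    level = None
    for ioc in INDICATORS:
        if host == ioc["host"] and port == ioc["port"]:
            if path == ioc["path"]:
                level = "url"
                break
            level = "host"
    if level is None:
        return None
    return {"client": client, "host": host, "port": port, "path": path,
            "level": level}


def scan_log(text: str) -> list:
    """Run every log line through match_line and collect the hits."""
    return [hit for hit in (match_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['level']:4} {hit['client']} -> {hit['host']}:{hit['port']}{hit['path']}")
```

On the constructed log above the scan reports four of the five lines: three exact URL hits (the gate.php beacon, the /ajax/cp.php panel login without its query string, and the citadel.jpg panel image) and one host-level hit for the unlisted path on 5.9.62.149:50800. Host-level matches are the ones to keep an eye on in practice, because a panel's cp.php and gate.php are easily renamed while the server address tends to persist.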

Re: Citadel (Zeus clone)

Postby Xylitol » Mon Oct 22, 2012 10:57 pm

Leaked version of summer edition in attach (1.3.4.5)
https://www.virustotal.com/file/1a2e85e ... 350946598/
Xylitol
Global Moderator
 
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479

Re: Citadel (Zeus clone)

Postby freezhh » Fri Oct 26, 2012 3:09 pm

index.php is 0 bytes?
freezhh
 
Posts: 1
Joined: Sun Jan 30, 2011 8:39 am
Reputation point: 0

Re: Citadel (Zeus clone)

Postby Xylitol » Fri Oct 26, 2012 3:12 pm

To hide the directory index, because the Citadel guys don't know about Options -Indexes :p
Xylitol
Global Moderator
 
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479
