Citadel (Zeus clone)

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Sat May 26, 2012 12:25 pm

Fun

Code:

00420CD8  |.  68 C0194000   PUSH 4019C0                              ; |Text = "Coded by BRIAN KREBS for personal use only. I love my job & wife."
two more C&C

Code:

hxxp://inbani.com/js/res/cp.php?m=login
hxxp://inbani.com/js/res/theme/images/citadel.jpg
--
hxxp://lotosmusicfm.net/jstat/cp.php
hxxp://lotosmusicfm.net/jstat/theme/images/citadel.jpg
https://www.virustotal.com/file/6f6b5fe ... 338035569/

obnoxiousdiablo
Posts: 3
Joined: Thu May 24, 2012 9:03 am

Re: Citadel (Zeus clone)

Post by obnoxiousdiablo » Tue May 29, 2012 10:03 pm

Hi Xylitol,

Thanks a lot for sharing this info. What is the 140K file in the zip? Is that the downloaded cfg?

Is it possible to share the packet dump you may have?

Thank you.

Regards,

obnoxiousdiablo
Posts: 3
Joined: Thu May 24, 2012 9:03 am

Re: Citadel (Zeus clone)

Post by obnoxiousdiablo » Wed May 30, 2012 1:36 am

Never mind. I figured out it was the encrypted cfg downloaded during your analysis. It is mainly targeting European banks at the moment. It would be great if you could post more Citadel with cfg as they come along.

Much appreciated,

Evilcry
Posts: 135
Joined: Tue Apr 20, 2010 6:10 pm

Re: Citadel (Zeus clone)

Post by Evilcry » Mon Jun 11, 2012 6:24 am


Xylitol
Global Moderator

Re: Citadel (Zeus clone)

Post by Xylitol » Tue Oct 16, 2012 12:58 pm

Some files (php/exe) dumped from a Citadel 1.3.4.5 server.

https://zeustracker.abuse.ch/monitor.ph ... orumin.net
There is also a Bleeding Life v2:

Code:

hxxp://fastforumin.net:808/sp/statistics/login.php
Real gate:

Code:

hxxp://5.9.62.149:50800/mainsession/gate.php
C&C:

Code:

hxxp://5.9.62.149:50800/mainsession/cp.php
lulz:

Code:

hxxp://5.9.62.149:50800/mainsession/install/
• [0] - Connecting to MySQL as 'joe'.
• [0] - Selecting DB 'joe_bot_db1'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_120812'.
• [0] - Updating table 'botnet_reports_120813'.
• [0] - Updating table 'botnet_reports_120814'.
• [0] - Updating table 'botnet_reports_120815'.
• [0] - Updating table 'botnet_reports_120816'.
• [0] - Updating table 'botnet_reports_120817'.
• [0] - Updating table 'botnet_reports_120818'.
• [0] - Updating table 'botnet_reports_120819'.
• [0] - Updating table 'botnet_reports_120820'.
• [0] - Updating table 'botnet_reports_120821'.
• [0] - Updating table 'botnet_reports_120822'.
• [0] - Updating table 'botnet_reports_120823'.
• [0] - Updating table 'botnet_reports_120824'.
• [0] - Updating table 'botnet_reports_120825'.
• [0] - Updating table 'botnet_reports_120826'.
• [0] - Updating table 'botnet_reports_120827'.
• [0] - Updating table 'botnet_reports_120828'.
• [0] - Updating table 'botnet_reports_120829'.
• [0] - Updating table 'botnet_reports_120830'.
• [0] - Updating table 'botnet_reports_120831'.
• [0] - Updating table 'botnet_reports_120901'.
• [0] - Updating table 'botnet_reports_120902'.
• [0] - Updating table 'botnet_reports_120903'.
• [0] - Updating table 'botnet_reports_120904'.
• [0] - Updating table 'botnet_reports_120905'.
• [0] - Updating table 'botnet_reports_120906'.
• [0] - Updating table 'botnet_reports_120907'.
• [0] - Updating table 'botnet_reports_120908'.
• [0] - Updating table 'botnet_reports_120909'.
• [0] - Updating table 'botnet_reports_120910'.
• [0] - Updating table 'botnet_reports_120911'.
• [0] - Updating table 'botnet_reports_120912'.
• [0] - Updating table 'botnet_reports_120925'.
• [0] - Updating table 'botnet_reports_120926'.
• [0] - Updating table 'botnet_reports_120929'.
• [0] - Updating table 'botnet_reports_120930'.
• [0] - Updating table 'botnet_reports_121001'.
• [0] - Updating table 'botnet_reports_121002'.
• [0] - Updating table 'botnet_reports_121003'.
• [0] - Updating table 'botnet_reports_121004'.
• [0] - Updating table 'botnet_reports_121005'.
• [0] - Updating table 'botnet_reports_121006'.
• [0] - Updating table 'botnet_reports_121007'.
• [0] - Updating table 'botnet_reports_121011'.
• [0] - Updating table 'botnet_reports_121012'.
• [0] - Updating table 'botnet_reports_121013'.
• [0] - Updating table 'botnet_reports_121014'.
• [0] - Updating table 'botnet_reports_121015'.
• [0] - Updating table 'botnet_reports_121016'.
• [0] - Filling table 'ipv4toc'.
• [1] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'botnet_rep_domains'.
• [3] - Updating table 'botnet_rep_domainlogs'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'botnet_rep_dedup'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_rep_iframer'.
• [3] - Updating table 'botnet_rep_filehunter'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Creating folder '_reports102979970'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
-- Update complete! --


Xylitol
Global Moderator

Re: Citadel (Zeus clone)

Post by Xylitol » Fri Oct 19, 2012 11:55 am

Another sample attached.

Code:

Citadel C&C - hxxp://78.46.226.50/ajax/cp.php?m=login
401 - hxxp://78.46.226.50/1/
calc.exe exploit - hxxp://78.46.226.50/ajax/t/ - hxxp://78.46.226.50/ajax/t/chk.html - hxxp://78.46.226.50/ajax/t/calc.exe
log parser - hxxp://78.46.226.50/p/
pma - hxxp://78.46.226.50/phpmyadmin/setup/
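Added example, not code from the thread or from any of its posters: a small Python scanner that flags proxy-log requests whose paths match the Citadel panel paths quoted in the posts above (cp.php, gate.php, theme/images/citadel.jpg, install/) or whose host is one the thread names. The proxy log format, the sample log lines and the rule names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Panel paths quoted (de-fanged as hxxp) in the posts above; each rule matches
# the end of the request path, independent of the host or parent directory.
PANEL_PATH_RULES = [
    ("citadel-cp-login", re.compile(r"/cp\.php$")),
    ("citadel-gate", re.compile(r"/gate\.php$")),
    ("citadel-theme-image", re.compile(r"/theme/images/citadel\.jpg$")),
    ("citadel-installer", re.compile(r"/install/?$")),
]

# Hosts named in the thread; a real deployment would load these from an indicator store.
KNOWN_HOSTS = {"inbani.com", "lotosmusicfm.net", "5.9.62.149", "78.46.226.50"}

# Constructed proxy log format: "<epoch> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_request(url):
    """Return the names of all rules a single URL matches (empty list if none)."""
    parts = urlsplit(url)
    hits = []
    if parts.hostname in KNOWN_HOSTS:
        hits.append("known-citadel-host")
    for name, pattern in PANEL_PATH_RULES:
        if pattern.search(parts.path):
            hits.append(name)
    return hits


def scan_log(text):
    """Return (client, url, rules) for every parsable line with at least one hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:  # skip malformed lines rather than crash on them
            continue
        _ts, client, _method, url, _status = m.groups()
        rules = classify_request(url)
        if rules:
            findings.append((client, url, rules))
    return findings


# Constructed sample log: one benign request, two hits on hosts from the thread,
# and one hit on an unknown host that still serves the Citadel theme image path.
SAMPLE_LOG = """\
1350000001 10.0.0.5 GET http://example.org/index.html 200
1350000002 10.0.0.7 POST http://5.9.62.149:50800/mainsession/gate.php 200
1350000003 10.0.0.9 GET http://intranet.local/theme/images/citadel.jpg 200
1350000004 10.0.0.7 GET http://78.46.226.50/ajax/cp.php?m=login 200
"""
```

The path rules are the part worth keeping once the hosts rotate: the panel layout outlives any single server.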

Xylitol
Global Moderator

Re: Citadel (Zeus clone)

Post by Xylitol » Mon Oct 22, 2012 10:57 pm

Leaked version of the summer edition attached (1.3.4.5).
https://www.virustotal.com/file/1a2e85e ... 350946598/

freezhh
Posts: 1
Joined: Sun Jan 30, 2011 8:39 am

Re: Citadel (Zeus clone)

Post by freezhh » Fri Oct 26, 2012 3:09 pm

index.php is 0 bytes?

Xylitol
Global Moderator

Re: Citadel (Zeus clone)

Post by Xylitol » Fri Oct 26, 2012 3:12 pm

To hide the directory index, because the Citadel guys don't know about Options -Indexes :p
