Citadel (Zeus clone)

Forum for analysis and discussion about malware.
tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

Re: Citadel (Zeus clone)

Post by tildedennis » Wed Feb 05, 2014 3:00 pm

Sample: https://www.virustotal.com/en/file/b68c4482be662067edef0147b2a0e4c7723458fc2f3606a2c15ab9676f3b5dd7/analysis/
Version: 1.3.5.1
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Config URL: http://shalafantasy.com/panel/file.php|file=config.dll
Config attached.

tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

Re: Citadel (Zeus clone)

Post by tildedennis » Wed Feb 05, 2014 3:06 pm

Sample: https://www.virustotal.com/en/file/ee3222d84e9cc647e1d615cf49c3786787c582b1bed4d3a4000ec08a032e9e5c/analysis/
Version: 1.3.5.1
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Config URL: http://5.56.133.73/office/drgoody/server/file.php|file=config.dll
Config attached.

tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

Re: Citadel (Zeus clone)

Post by tildedennis » Thu Feb 06, 2014 6:50 pm

VirusTotal: https://www.virustotal.com/en/file/63f4 ... /analysis/
Zeus Tracker: https://zeustracker.abuse.ch/monitor.ph ... radings.ru
Version: 1.3.5.1
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Config URL: htxp://jj-tradings.ru/image/file.php|file=config.dll

Config attached.

tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

Re: Citadel (Zeus clone)

Post by tildedennis » Fri Feb 07, 2014 1:45 pm

VirusTotal: https://www.virustotal.com/en/file/1375b480e3a7683e864433dd1bc2f886688696bfb69e6614b1cb555f113b6895/analysis/
Zeus Tracker: https://zeustracker.abuse.ch/monitor.php?host=www.gminalubiewo.pl
Version: 1.3.5.1
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Config URL: http://www.gminalubiewo.pl/images/files/file.php|file=config.dll

Config attached.

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Sun Feb 09, 2014 1:40 pm

Citadel targeting France.

Drop: hxtp://alinaposlogger.biz/nsa/rs8.php
Update: hxtp://alinaposlogger.biz/nsa/file.php|file=boom.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: B5 D2 C7 CD C7 BD E1 0B 7C BB 8E 22 E7 FF DC 60
https://www.virustotal.com/en/file/aefa ... 391953135/

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Citadel (Zeus clone)

Post by patriq » Mon Feb 10, 2014 10:12 pm

Found this url in the logs of another Citadel server.

Attached is a binary found on there.

I'm a shitty reverser. No idea what it is, FUD. I'm guessing Citadel because that's where I found it.

https://malwr.com/analysis/ODcwY2FlYmZi ... RjNjlhNmU/

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Citadel (Zeus clone)

Post by patriq » Tue Feb 11, 2014 10:49 pm

Been working on a group of Citadel servers.

http://protectyournet.blogspot.com/2014 ... ts-nl.html

https://malwr.com/analysis/ZTE1OGFkNTJk ... E5ODUxOTU/
https://malwr.com/analysis/NGIyNWJlMWRj ... NlYjczYjY/
https://malwr.com/analysis/YzE2MmI3MTA1 ... UyZTM2MmY/
https://malwr.com/analysis/ZjE0MzBlM2Qw ... I5MjY1YzQ/
https://malwr.com/analysis/NjlmMDliOGZm ... E0NjgyMjk/
Samples attached.

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Citadel (Zeus clone)

Post by patriq » Thu Feb 13, 2014 2:29 pm

First time I've seen "Kingtools" Citadel re-branding.

http://protectyournet.blogspot.com/2014 ... tadel.html

Anyone seen any other knock-offs like this?

I would guess the bins are the same as Cit v1.3.5.1, but I couldn't find a sample for this one.

C&C was at:

http://taking.no-ip.biz/ogenew/on/cp.php?m=login


g0r_
Posts: 7
Joined: Fri Apr 12, 2013 1:35 am

Re: Citadel (Zeus clone)

Post by g0r_ » Fri Feb 14, 2014 3:28 am

patriq wrote: First time I've seen "Kingtools" Citadel re-branding.

http://protectyournet.blogspot.com/2014 ... tadel.html

Anyone seen any other knock-offs like this?

I would guess the bins are the same as Cit v1.3.5.1, but I couldn't find a sample for this one.

C&C was at:

http://taking.no-ip.biz/ogenew/on/cp.php?m=login
hxxp://taking.no-ip.biz/ogenew/server/ has a binary that might be related.
