Citadel (Zeus clone)

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Citadel (Zeus clone)

Post by patriq » Fri Feb 14, 2014 2:19 pm

g0r_ wrote:
hxxp://taking.no-ip.biz/ogenew/server/ has a binary that might be related.
Thanks.

If you see something like that, always grab a copy; it won't be online forever. You shouldn't assume others have it.

I just tried to look. Seems offline.

Was it this?

main_doc.zip > main_doc.exe
FUD.
https://malwr.com/analysis/ODcwY2FlYmZi ... RjNjlhNmU/

http://4.bp.blogspot.com/-2tkHIwUvvws/U ... ng_bin.png

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Citadel (Zeus clone)

Post by patriq » Sat Feb 22, 2014 3:18 pm

Attached:
8604424548a097efaf3c95dc920a3ab4
9f6795012bd8016efefca7a0b9fdb8db
36a8b8f51f1316dcbf5c66147d149dfc
96a8cb79bb8949d1d93ee706727f7fa4
2fdb148e33d21407f6a574277471d3d8
625e8b7a96cb8a1f7f59b345a3eb80d7
98bcbfff632cb5e2024494a08712e864

Taken from a Citadel server, more details here:
http://protectyournet.blogspot.com/2014 ... twork.html

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Sun Mar 09, 2014 5:12 pm

Citadel 3.1.0.0
https://www.virustotal.com/en/file/1927 ... 394385821/

Code:
95186D43B4DC5BD78840D7488E315072
http://writermusicce.com/foh/file.php|file=fok.exe
http://writermusicce.com/foh/hfer.php
http://consistingsec.net/sted/file.php
--
http://heastfootnote.com/foh/file.php|file=sokr.moj
http://spottingculde.net/foh/file.php|file=sokr.moj
http://itivelyfuture.com/foh/file.php|file=sokr.moj
http://opportunitiess.su/foh/file.php|file=sokr.moj
http://raphclickable.com/foh/file.php|file=sokr.moj
http://icallyaligned.com/foh/file.php|file=sokr.moj
http://workplaceinani.su/foh/file.php|file=sokr.moj
http://pinchtozoomgr.com/foh/file.php|file=sokr.moj
http://anxpersonaliz.com/foh/file.php|file=sokr.moj
http://measuredtrick.com/foh/file.php|file=sokr.moj
http://distributeweb.com/foh/file.php|file=sokr.moj
http://unstandardclo.net/foh/file.php|file=sokr.moj
http://minivannoteta.com/foh/file.php|file=sokr.moj

sagysrael
Posts: 2
Joined: Mon Mar 10, 2014 11:30 am

Re: Citadel (Zeus clone)

Post by sagysrael » Mon Mar 10, 2014 11:56 am

I am trying to learn about zeus & spyeye...

Do you know how to decrypt the attached citadel 3.1.0.0 configuration?
Or even better, do you happen to have the decrypted version?

Thanks...

one
Posts: 11
Joined: Mon Mar 10, 2014 3:34 pm

Re: Citadel (Zeus clone)

Post by one » Mon Mar 10, 2014 3:54 pm

:o

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Mon Mar 10, 2014 4:58 pm

I have some issues decoding the 3.1.0.0 config, but yeah, I have it decoded.

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Citadel (Zeus clone)

Post by EP_X0FF » Tue Mar 11, 2014 12:32 am

Thread first post updated.
Ring0 - the source of inspiration

sagysrael
Posts: 2
Joined: Mon Mar 10, 2014 11:30 am

Re: Citadel (Zeus clone)

Post by sagysrael » Tue Mar 11, 2014 9:22 am

Thanks Xylitol!

The configuration you attached has 49 injection parts, but I don't see the URLs matching the injections.

I believe that in Zeus the URL list is usually at the bottom of the encrypted configuration (i.e. not part of the injections). Could the decryptor have missed the URLs section?

Do you know how I can tell the URL of each injection?

Thanks again!
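An added example, not code from any post in this thread: a Python walk through the classic Zeus 2.x config container, as a concrete picture of the "URL list at the bottom, separate from the injects" layout discussed above. It follows the leaked Zeus 2.0.8.9 scheme (RC4 with the botnet key, then "visualDecrypt", then a BinStorage blob of a 48-byte header followed by 16-byte item headers), builds a constructed config with the inject list first and the URL items last, round-trips it, parses the items back by ID, and rejects a wrong key through the header size and MD5 checks. The item IDs, key string, hosts and config contents are assumptions for the example; the inject list is treated as opaque bytes (in the real format it is a nested storage), compressed items are left packed, and Citadel 3.x adds its own crypto layers on top of this, so this only handles the plain Zeus 2 layout.

```python
import hashlib
import struct
from typing import List, Tuple

# Zeus 2.x BinStorage layout (struct sizes from the leaked 2.0.8.9 source):
#   header: randData[20], size, flags, count, md5[16]  -> 48 bytes
#   item  : id, flags, size, realSize                  -> 16 bytes, then data
STORAGE_HDR = struct.Struct("<20sIII16s")
ITEM_HDR = struct.Struct("<IIII")

# Config item IDs used only as labels; assumed mapping for this example.
CFGID_URL_LOADER = 20002
CFGID_URL_SERVER_0 = 20003
CFGID_HTTP_INJECTS_LIST = 20007

Item = Tuple[int, int, bytes]  # (id, flags, data)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """Zeus visualEncrypt: XOR each byte with the previous, already-encrypted byte."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse: walk backwards so buf[i-1] is still the ciphertext byte."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def build_storage(items: List[Tuple[int, bytes]]) -> bytes:
    """Pack (id, data) pairs uncompressed, so size == realSize for every item."""
    body = b"".join(ITEM_HDR.pack(i, 0, len(d), len(d)) + d for i, d in items)
    total = STORAGE_HDR.size + len(body)
    # The MD5 covers the item area only, i.e. everything after the header.
    return STORAGE_HDR.pack(b"\x00" * 20, total, 0, len(items),
                            hashlib.md5(body).digest()) + body


def parse_storage(blob: bytes) -> List[Item]:
    """Validate the header, then return every item as (id, flags, data)."""
    if len(blob) < STORAGE_HDR.size:
        raise ValueError("too short for a BinStorage header")
    _rand, total, _flags, count, md5 = STORAGE_HDR.unpack_from(blob, 0)
    if total != len(blob):
        raise ValueError("header size %d != blob length %d (wrong key?)" % (total, len(blob)))
    body = blob[STORAGE_HDR.size:]
    if hashlib.md5(body).digest() != md5:
        raise ValueError("MD5 mismatch: decryption produced garbage")
    items, off = [], 0
    for _ in range(count):
        item_id, flags, packed, _real = ITEM_HDR.unpack_from(body, off)
        off += ITEM_HDR.size
        data = body[off:off + packed]
        if len(data) != packed:
            raise ValueError("item %d runs past the end of the storage" % item_id)
        off += packed
        # packed != _real would mark a UCL-compressed item; it is kept packed here.
        items.append((item_id, flags, data))
    return items


def encrypt_config(key: bytes, items: List[Tuple[int, bytes]]) -> bytes:
    """Builder order for a Zeus 2 config file: visualEncrypt, then RC4."""
    return rc4(key, visual_encrypt(build_storage(items)))


def decrypt_config(key: bytes, blob: bytes) -> List[Item]:
    """Bot-side order: RC4, then visualDecrypt, then parse."""
    return parse_storage(visual_decrypt(rc4(key, blob)))


def wrong_key_detected(key: bytes, blob: bytes) -> bool:
    """True when the header checks reject what `key` produces."""
    try:
        decrypt_config(key, blob)
    except ValueError:
        return True
    return False


def urls_and_injects(items: List[Item]) -> Tuple[List[str], List[bytes]]:
    """Split the flat item list into C2/loader URLs and raw inject-list blobs."""
    url_ids = (CFGID_URL_LOADER, CFGID_URL_SERVER_0)
    urls = [d.rstrip(b"\x00").decode() for i, _, d in items if i in url_ids]
    return urls, [d for i, _, d in items if i == CFGID_HTTP_INJECTS_LIST]


# Constructed sample: inject list first, URL items last; key and hosts are invented.
BOTNET_KEY = b"example botnet key"
SAMPLE_ITEMS = [
    (CFGID_HTTP_INJECTS_LIST, b"set_url https://bank.invalid/login* GP\n"),
    (CFGID_URL_LOADER, b"http://c2.invalid/foh/file.php|file=fok.exe\x00"),
    (CFGID_URL_SERVER_0, b"http://c2.invalid/foh/hfer.php\x00"),
]


def demo() -> Tuple[List[str], int]:
    """Round-trip the sample and return (urls, number of inject blobs)."""
    blob = encrypt_config(BOTNET_KEY, SAMPLE_ITEMS)
    urls, injects = urls_and_injects(decrypt_config(BOTNET_KEY, blob))
    return urls, len(injects)
```

The size and MD5 checks are what make a wrong key fail loudly rather than yield a plausible-looking item list; on a real sample the same checks tell you whether the RC4 key you recovered from the bot is the right one before you spend time on the injects.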

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Tue Mar 11, 2014 2:57 pm

sagysrael wrote: could the decryptor have missed the URLs section?
Maybe, I have no idea how it works.
sagysrael wrote: do you know how I can tell the URL of each injection?
No idea.

comak
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am

Re: Citadel (Zeus clone)

Post by comak » Tue Mar 11, 2014 3:37 pm

Could you provide the raw decrypted config?
