Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

Postby gritland » Sun Feb 10, 2013 9:12 am

Zeus mode (maybe Citadel)
Can't decrypt config file.

Requests

Postby reverser » Fri Feb 22, 2013 9:21 pm

I'd like to have a look at the "Unknown malware" from the NBC hack mentioned here:
The attack also served an unknown malware binary, connecting to various websites:

hxxp://envirsoft.com/d.htm
hxxp://eastsidetennisassociation.com/l.htm
hxxp://magasin-shop.com/r.htm
hxxp://beautiesofcanada.com/o.htm

Some antivirus vendors identify this malware as Zbot or a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot and it’s not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end “SadokBdi”.

Re: Requests

Postby Squirl » Tue Feb 26, 2013 9:06 am

The compromise was serving up Citadel, according to most AV blogs. I've attached the various components of the compromise (but no Troj, sadly).

Re: Requests

Postby Xylitol » Tue Feb 26, 2013 9:13 am

attached

Re: Citadel (Zeus clone)

Postby rkhunter » Mon Apr 15, 2013 12:35 pm

CERT Polska took down a Citadel botnet ("plitfi") - full report incl. sinkhole statistics published:

http://www.cert.pl/news/6900/langswitch_lang/en
http://www.cert.pl/PDF/Report_Citadel_plitfi_EN.pdf

Re: Citadel (Zeus clone)

Postby Xylitol » Wed May 08, 2013 7:56 pm

Citadel 1.3.5.1 targeting French banks
Attached: config and decoded config, plus plugins and sample.
Code:
Drop: hxtp://angelescitypattaya.com/mimosa/welcome.php
Config: hxtp://angelescitypattaya.com/mimosa/file.php|file=mimosa.exe
Panel: hxtp://angelescitypattaya.com/mimosa/control.php
Reports path: /reporting/
Botnet ID: mimosa
Key: 92 A6 70 B6 CE FC A5 15 CF 1D AA 7A B1 8C EE 65
Login key: C1F20D2340B519056A7D89B7DF4B0FFF

Re: Citadel (Zeus clone)

Postby Xylitol » Tue Jun 04, 2013 7:50 pm

Citadel 1.3.5.1 targeting chase.com domains
Attached: config and decoded config, plus plugins and sample.
Code:
Drop: hxtp://www.gruppo-abc.it/public/mode.php
Config: hxtp://www.piszek.com/wp-includes/images/file.php|file=soft.exe
hxtp://byzantineinvestments.info/wp-content/uploads/file.php|file=tstconfig.bin
hxtp://kim.humanclay.ca/wp-content/uploads/2007/file.php|file=tstconfig.bin
Key: 15 0D 06 66 B7 3E B5 A4 5D 69 02 A3 70 2D C2 9A
login key: C1F20D2340B519056A7D89B7DF4B0FFF

Re: Citadel (Zeus clone)

Postby Xylitol » Fri Jun 07, 2013 10:15 am


Re: Citadel (Zeus clone)

Postby Xylitol » Mon Jun 10, 2013 4:27 pm

Citadel 1.3.5.1 targeting French banks
Attached: config and decoded config, plus plugins and sample.
Code:
Drop: hxtp://rivascloviso.net/caticlan/welcome.php
Update: hxtp://rivascloviso.net/caticlan/file.php
Panel: hxtp://rivascloviso.net/caticlan/control.php
Reports path: /reporting/
Botnet ID: caticlan
Key: 92 A6 70 B6 CE FC A5 15 CF 1D AA 7A B1 8C EE 65
login key: C1F20D2340B519056A7D89B7DF4B0FFF

Re: Citadel (Zeus clone)

Postby Xylitol » Mon Jun 10, 2013 6:20 pm

Citadel 1.3.5.1 targeting wellsfargo.com domains
Attached: config and decoded config, plus plugins and sample.
Code:
Drop: hxtp://64.85.233.8/hide/1355/enter.php
Update: hxtp://whitewidow.ciscofreak.com/hide/1355/file.php|file=config.bin
Key: 11 0D 57 79 BA 74 C2 E4 98 6C F6 BD 65 BC FF C1
login key: C1F20D2340B519056A7D89B7DF4B0FFF
