Citadel (Zeus clone)

Forum for analysis and discussion about malware.
gritland
Posts: 31
Joined: Tue May 11, 2010 10:57 am

Re: Citadel (Zeus clone)

Post by gritland » Sun Feb 10, 2013 9:12 am

zeus mode (maybe citadel)
can't decrypt config file

reverser
Posts: 23
Joined: Wed Jul 27, 2011 12:22 am

Requests

Post by reverser » Fri Feb 22, 2013 9:21 pm

I'd like to have a look at the "Unknown malware" from the NBC hack mentioned here:
The attack also served an unknown malware binary, connecting to various websites:

hxxp://envirsoft.com/d.htm
hxxp://eastsidetennisassociation.com/l.htm
hxxp://magasin-shop.com/r.htm
hxxp://beautiesofcanada.com/o.htm

Some antivirus vendors identify this malware as Zbot or a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot and it’s not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end “SadokBdi”.

Squirl
Posts: 15
Joined: Sun Apr 03, 2011 11:48 pm

Re: Requests

Post by Squirl » Tue Feb 26, 2013 9:06 am

The compromise was serving up Citadel, according to most AV blogs. I've attached the various components of the compromise (but no Troj, sadly).

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Requests

Post by Xylitol » Tue Feb 26, 2013 9:13 am

attached

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Citadel (Zeus clone)

Post by rkhunter » Mon Apr 15, 2013 12:35 pm

CERT Polska takes down a Citadel botnet ("plitfi") - full report incl. sinkhole statistics published

http://www.cert.pl/news/6900/langswitch_lang/en
http://www.cert.pl/PDF/Report_Citadel_plitfi_EN.pdf

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Wed May 08, 2013 7:56 pm

Citadel 1.3.5.1 targeting French banks
In the attachment: config and decoded config + plugins and sample.


Drop: hxtp://angelescitypattaya.com/mimosa/welcome.php
Config: hxtp://angelescitypattaya.com/mimosa/file.php|file=mimosa.exe
Panel: hxtp://angelescitypattaya.com/mimosa/control.php
Reports path: /reporting/
Botnet ID: mimosa
Key: 92 A6 70 B6 CE FC A5 15 CF 1D AA 7A B1 8C EE 65
Login key: C1F20D2340B519056A7D89B7DF4B0FFF

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Tue Jun 04, 2013 7:50 pm

Citadel 1.3.5.1 targeting chase.com domains
In the attachment: config and decoded config + plugins and sample.


Drop: hxtp://www.gruppo-abc.it/public/mode.php
Config: hxtp://www.piszek.com/wp-includes/images/file.php|file=soft.exe
hxtp://byzantineinvestments.info/wp-content/uploads/file.php|file=tstconfig.bin
hxtp://kim.humanclay.ca/wp-content/uploads/2007/file.php|file=tstconfig.bin
Key: 15 0D 06 66 B7 3E B5 A4 5D 69 02 A3 70 2D C2 9A
login key: C1F20D2340B519056A7D89B7DF4B0FFF

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Fri Jun 07, 2013 10:15 am


Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Mon Jun 10, 2013 4:27 pm

Citadel 1.3.5.1 targeting French banks
In the attachment: config and decoded config + plugins and sample.


Drop: hxtp://rivascloviso.net/caticlan/welcome.php
Update: hxtp://rivascloviso.net/caticlan/file.php
Panel: hxtp://rivascloviso.net/caticlan/control.php
Reports path: /reporting/
Botnet ID: caticlan
Key: 92 A6 70 B6 CE FC A5 15 CF 1D AA 7A B1 8C EE 65
login key: C1F20D2340B519056A7D89B7DF4B0FFF

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Citadel (Zeus clone)

Post by Xylitol » Mon Jun 10, 2013 6:20 pm

Citadel 1.3.5.1 targeting wellsfargo.com domains
In the attachment: config and decoded config + plugins and sample.


Drop: hxtp://64.85.233.8/hide/1355/enter.php
Update: hxtp://whitewidow.ciscofreak.com/hide/1355/file.php|file=config.bin
Key: 11 0D 57 79 BA 74 C2 E4 98 6C F6 BD 65 BC FF C1
login key: C1F20D2340B519056A7D89B7DF4B0FFF
