Win32/Zeus (alias Zbot)

Forum for analysis and discussion about malware.

Re: Win32/Zeus (alias Zbot)

Postby forty-six » Wed Sep 10, 2014 3:51 pm

unixfreaxjp wrote: A few hours ago this campaign via spam was spotted:
The attachment (downloader part): https://www.virustotal.com/en/file/595b ... /analysis/
It downloads the set: https://www.virustotal.com/en/file/d45e ... 410358503/
Details of the distribution and CNC information I wrote in VT & the pictures; please bear with the hurried pace...


You work on linux too much lately. :D This is "dridex" variant of Feodo.
forty-six
 
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm
Reputation point: 30

Re: Win32/Zeus (alias Zbot)

Postby unixfreaxjp » Wed Sep 10, 2014 4:10 pm

[REVOKED BY THE WRITER] Wow, hold on, the attachment is Zbot, yes? You mean the downloaded one? [/REVOKED]
I made a mistake! I am sorry. This is not a Zeus at all. Please kindly move the previous post to the proper malware thread.
forty-six wrote: You work on linux too much lately. :D This is "dridex" variant of Feodo.

Haha, ouch! Yes, :) too much ELF recently. But I think I'll focus on this platform for the future.
I know it is a pws (the downloaded one), poc: https://twitter.com/MalwareMustDie/stat ... 1030629378 but first time seeing this type..
Well.. That explains the 8080 gates called. How long ago did this "D"ridex variant start?
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Win32/Zeus (alias Zbot)

Postby comak » Fri Oct 24, 2014 4:28 pm

from http://malware.dontneedcoffee.com/2014/ ... -0569.html
sample: 831098a9d8db43bebf3d6ee67914888d

It looks like a strange/old KINS - without AES and other stuff...
Anyway:
Code:
version: 02.00.04.00
botnet: fruit
cc:
http://chmaghotpipe.com/www/
http://micagentudate14.com/www/
http://reportcollecsysdump.com/www/

rc4key: 4032af8d61035123906e58e067140cc5  - md5(0123456789abcdef)
UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2)

comak
 
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am
Reputation point: 31

Re: Win32/Zeus (alias Zbot)

Postby NoSense » Sun Oct 26, 2014 6:45 pm

Can someone help me to find the active C&C of the following Zeus botnet used to launch paid DDoS attacks?
http://www.nuccioirc.altervista.org/
NoSense
 
Posts: 11
Joined: Fri Dec 28, 2012 11:38 am
Reputation point: 4

Re: Win32/Zeus (alias Zbot)

Postby SomeUnusedName » Mon Oct 27, 2014 3:23 pm

Does not look like Zeus:

..:: TierBlackout IRC Bot v2.7 {Registered To:****Anonymous-IT****} ::..


This could be the CnC:

nucciowebseason.pw
SomeUnusedName
 
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm
Reputation point: 8

Re: Win32/Zeus (alias Zbot)

Postby Xylitol » Mon Nov 10, 2014 11:32 am

Lame Zeus 2.1.0.1 with cowboy theme targeting Germany, Italy, Spain, USA...
https://zeustracker.abuse.ch/monitor.ph ... smalta.com
Code:
http://kihsmalta.com/secure.php
http://kihsmalta.com/ppptp.jpg
Xylitol
Global Moderator
 
Posts: 1615
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 476

Re: Win32/Zeus (alias Zbot)

Postby granit12 » Wed Nov 12, 2014 11:37 pm

Can any person stop it?

granit12
 
Posts: 7
Joined: Thu Feb 13, 2014 3:08 pm
Reputation point: 0

Re: Win32/Zeus (alias Zbot)

Postby comak » Mon Dec 01, 2014 3:27 pm

I got KINS in memory that looks like a version I dumped before:
Code:
version: 02.00.07.00
urls:
['http://bruonlinearchive.com/',
 'http://mostusefullthingsvoting.com/',
 'http://hoplessmaincatalogue.com/',
 'http://herbonlineshop.com/']

botname: fish
rc4key: 8733af628b9b2f189bec5c67ce615312 -- md5(MicroProductions)
UserAgent:  Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.2; SV1)

comak
 
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am
Reputation point: 31
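Both of comak's dumps above print the rc4key as an MD5 of a password string, which is how Zeus/KINS-family bots derive their RC4 key: MD5 of the build-time password, expanded by the RC4 key schedule into the 256-byte state the binary carries. The following added example (not code from the forum or from any of the posters) reproduces that derivation and the RC4 routine so an analyst can check a candidate password against a dumped rc4key hex value and decrypt a config blob with it. The config bytes inside are constructed sample data, not a real KINS config.

```python
import hashlib


def derive_rc4_key(password: str) -> bytes:
    """Zeus/KINS-style key derivation: the RC4 key is the raw 16-byte MD5
    digest of the bot password chosen in the builder."""
    return hashlib.md5(password.encode("latin-1")).digest()


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: the 256-byte state this produces is what a
    Zeus-family binary stores in its base config instead of the key itself."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(state: list, data: bytes) -> bytes:
    """PRGA over a copy of the KSA state. RC4 is symmetric, so the same call
    encrypts and decrypts; the dumped state is never modified."""
    s = list(state)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_matches_post(password: str, posted_hex: str) -> bool:
    """Does a password guess reproduce the rc4key hex printed by a dumper?"""
    return derive_rc4_key(password).hex() == posted_hex.lower()


# rc4key values exactly as printed in comak's two posts above.
POSTED_KEYS = {
    "0123456789abcdef": "4032af8d61035123906e58e067140cc5",
    "MicroProductions": "8733af628b9b2f189bec5c67ce615312",
}


def roundtrip_config(password: str, config: bytes) -> bool:
    """Encrypt a (constructed) config with the derived state, then decrypt it
    again; mirrors what a config decryptor does with the extracted state."""
    state = rc4_ksa(derive_rc4_key(password))
    return rc4_crypt(state, rc4_crypt(state, config)) == config
```

Run `all(key_matches_post(p, h) for p, h in POSTED_KEYS.items())` to confirm the two posted keys are the MD5 of the passwords comak named; `roundtrip_config("fish", b"version: 02.00.07.00\n")` exercises the decrypt path on constructed data.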

Re: Win32/Zeus (alias Zbot)

Postby EP_X0FF » Sun Dec 21, 2014 2:22 pm

Split. New Zeus with Andromeda code moved to separate thread.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4742
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 555

Re: Win32/Zeus (alias Zbot)

Postby sysopfb » Sun Jan 11, 2015 1:18 am

KINS
Both exe and jpg are attached.

certomenom.ru/BRaxz7sN92BjcNzK/jason.exe

config
certomenom.ru/BRaxz7sN92BjcNzK/jason.jpg
adenosdere.ru/BRaxz7sN92BjcNzK/jason.jpg

Post-config traffic
yandex.ru
certomenom.ru/invests.php -- was down for me

other domains/urls in memory
evennoterom.ru/BRaxz7sN92BjcNzK/jason.exe
brokelowi.com/flashplayer/mod_vnc.bin
heromeftet.ru/BRaxz7sN92BjcNzK/jason.jpg

IP at the time is 188.127.249.224
sysopfb
 
Posts: 87
Joined: Thu Oct 23, 2014 1:22 am
Reputation point: 49
