Win32/Zeus (alias Zbot)

Forum for analysis and discussion about malware.
comak
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am

Re: Win32/Zeus (alias Zbot)

Post by comak » Mon Jan 12, 2015 12:05 pm

vmzeus 2.0

Code: Select all

{'binary': u'0b8d94b28a7c91c9a3987675f170b3c0',
 'botname': u'jason',
 'cfg': 'http://brokelowhi.com/flashplayer/mod_vncY\x15\x94\x1e-\xf64e\xe7\x85\xc3\xcc\x92K\xf8q\xb3t\x87\xe6$F}I1\xb42d\x94\xed\x83\xb7\xab\x01\x1b\xba',
 'fakeurl': 'http://olpfo.com/xapwj/cfg.bin',
 'family': 'vmzeus2',
 'rc4sbox': '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',
 'rc6sbox': 'ac956e590059249216675ff53e661eb2de573c253ec6a9e823eaca45790cf7126e8d56e1b8422f3614fd4c7c3536e232b3de3318d1bac1000b90e5baf27231f2e6877a3ac29fab69ce2874fb3121ef149e66ca9cb5e952414168b4d792562404d3ffededd921d276c56043d25947a62b7d975e20efb3725cd46bb4c13e9a599a9403d853142513a74671660884d2cbe4cdfd5f8c3a9d1d452c938e5b980f997d3794b563a781c65b8d23c0ba373f2f9e',
 'strings': ['lhttp://olpfo.com/xapwj/cfg.bin'],
 'urls': ['http://brokelowhi.com/flashplayer/mod_vncY\x15\x94\x1e-\xf64e\xe7\x85\xc3\xcc\x92K\xf8q\xb3t\x87\xe6$F}I1\xb42d\x94\xed\x83\xb7\xab\x01\x1b\xba'],
 'version': '02.00.00.00'}

apparently I have some bug in the decryptor...

anyhow cfg attached
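
The 'rc4sbox' field in that dump is what a Zeus 2.x config decryptor actually needs, so here is that layer as an added example in Python (not comak's tool and not code from the Zeus kit), assuming RC4 run from the stored S-box followed by the kit's "visual" XOR chain, plus the kind of printability check that would have flagged the trailing bytes in the cfg URL above.

```python
# Added example, not comak's extractor and not code from the Zeus kit: the Zeus 2.x config
# layer rebuilt from a dumped 'rc4sbox'. Assumption: the bot embeds the expanded 256-byte
# RC4 state rather than a key, so decryption runs only the PRGA over that state and then
# undoes the XOR chain the leaked source calls "visual" encryption. Sample data is constructed.
def rc4_ksa(key: bytes) -> list:
    """Key scheduling: expands a key into the 256-byte state a Zeus binary embeds."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_prga(sbox: bytes, data: bytes) -> bytes:
    """RC4 keystream from an already expanded state; XOR makes it symmetric."""
    s = list(sbox)  # work on a copy so the dumped S-box can be reused per blob
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def visual_encrypt(data: bytes) -> bytes:
    """Forward XOR chain: each byte is XORed with the previous (already chained) byte."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)

def visual_decrypt(data: bytes) -> bytes:
    """Inverse chain, walked from the end so each byte sees its untouched predecessor."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)

def decrypt_config(sbox_hex: str, blob: bytes) -> bytes:
    return visual_decrypt(rc4_prga(bytes.fromhex(sbox_hex), blob))

def encrypt_config(sbox_hex: str, plain: bytes) -> bytes:
    return rc4_prga(bytes.fromhex(sbox_hex), visual_encrypt(plain))

def printable_prefix(field: bytes) -> bytes:
    """Decryptor sanity check: cut a URL field at its first non-printable byte."""
    return next((field[:i] for i, b in enumerate(field) if not 0x20 <= b < 0x7F), field)

SAMPLE_SBOX_HEX = bytes(rc4_ksa(b"constructed-sample-key")).hex()  # stands in for a dump
```

Skipping the visual layer, or running the two layers in the wrong order, yields exactly the symptom in the dump: a readable prefix followed by bytes that fail the printability check.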

pyre08
Posts: 4
Joined: Mon Mar 30, 2015 12:12 pm

Re: Win32/Zeus (alias Zbot)

Post by pyre08 » Tue Aug 25, 2015 6:32 am

Sphinx - new Zbot variant?

http://darkmatters.norsecorp.com/2015/0 ... ck-market/

Anyone encountered this?

Based on the article the ZBOT version is 1.0.0.0.

0xDucky
Posts: 2
Joined: Wed Jun 11, 2014 6:40 am

Re: Win32/Zeus (alias Zbot)

Post by 0xDucky » Thu Oct 15, 2015 10:49 am

Does anyone recognize this variant of Zeus?
https://www.virustotal.com/en/file/4bf9 ... /analysis/

It behaves like Zeus 2, but patches ntdll!NtDeviceIoControlFile instead of the classic Zeus patches in order to intercept traffic.

Sample attached.
4bf9426dde9c5cdb3366f4e0a23b4df6eb6a58d66f28e367c7c738b280b271f9.zip

Xylitol
Global Moderator
Posts: 1659
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Zeus (alias Zbot)

Post by Xylitol » Sun Oct 18, 2015 11:23 am


ikolor
Posts: 288
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sun Aug 14, 2016 7:06 pm


ikolor
Posts: 288
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Sep 07, 2016 7:00 pm


xors
Posts: 148
Joined: Mon May 23, 2016 2:01 am

Re: Malware collection

Post by xors » Wed Sep 07, 2016 10:45 pm

@xorsthingsv2

tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

Re: Win32/Zeus (alias Zbot)

Post by tildedennis » Tue Oct 18, 2016 4:05 pm

a couple of sphinx zeus things:

* https://securityintelligence.com/brazil ... he-sphinx/

sample (attached): https://www.virustotal.com/en/file/7c73 ... /analysis/

Code: Select all

version: 1.7.1.0
config_url: http://dayspirit.at/xen2/config.bin
config_url: http://pierin.ru/xen2/config.bin
config_url: http://clork.ru/xen2/config.bin
advanced_config_url: http://labgeni0us.at/xen2/config.bin
advanced_config_url: http://dexterlabnew.at/xen2/config.bin
advanced_config_url: http://woooowarmy.at/xen2/config.bin
webinjects (attached) targeting .br
---

* https://blogs.forcepoint.com/security-l ... dian-banks

sample (attached): https://www.virustotal.com/en/file/3c1e ... /analysis/
version: 1.5.5.0

broken/incomplete sample? Instead of an encrypted base config it contains "{BASECONFIG}"

tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

Re: Win32/Zeus (alias Zbot)

Post by tildedennis » Mon Nov 21, 2016 1:06 pm

flokibot (mostly zeus 2.0.8.9 + some basic DDoS + basic track 2 memory scraper):

* https://www.flashpoint-intel.com/floki- ... lware-kit/
* https://blog.malwarebytes.com/threat-an ... y-dropper/

latest sample that I've seen (attached): https://www.virustotal.com/en/file/4bdd ... /analysis/

Code: Select all

version: 13
config_url: https://extensivee.bid/000L7bo11Nq36ou9cfjfb0rDZ17E7ULo_4agents/gate.php

not seeing any webinjects yet, but dynamic config is attached as well.

tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

Re: Win32/Zeus (alias Zbot)

Post by tildedennis » Fri Apr 21, 2017 1:16 pm

grab another zeus variant from off the wall:

http://blog.fortinet.com/2017/03/17/gra ... -your-data

https://virustotal.com/en/file/6d8ce2d1 ... /analysis/ (attached) has a version of 1.6.8 and the following c2s:

Code: Select all

hxxp://derqdxnvis.info/wordpress/forumpost.php
hxxp://bigtoys.info/wordpress/forumpost.php
hxxp://derqdxnvis.site/wordpress/forumpost.php
hxxp://onlinegtrnc.site/wordpress/forumpost.php
hxxp://sseriubndisers.info/wordpress/forumpost.php
hxxp://geryynet.site/wordpress/forumpost.php

the lowest version I've seen of this variant is 1.5.5, active around October 2015.

seems very likely to be an update of this 2014 zeus variant known as "tarbuka" by stopmalvertising:

http://stopmalvertising.com/spam-scams/ ... pages.html
