A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21026  by forty-six
 Tue Oct 01, 2013 9:49 pm
Sorry Xy. No config yet. Hard to believe someone is going to waste time dropping dead Citadel. May come to life at some point tho...
 #21136  by Xylitol
 Wed Oct 09, 2013 1:32 pm
1.3.5.1:
Code: Select all
Drop: hxtp://retrospectsfacetoface3.biz/citag/gate.php
Update: hxtp://retrospectsfacetoface3.biz/citag/file.php|file=soft.exe
key: 23 FC 58 65 5F 41 C5 92 59 91 97 38 98 72 7E 30
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://zeustracker.abuse.ch/monitor.ph ... oface3.biz
You do not have the required permissions to view the files attached to this post.
 #21178  by Xylitol
 Wed Oct 16, 2013 10:29 am
Citadel targeting JP and DE
Code: Select all
Drop: hxtp://ermiravniebeery154.net/ppp/
Update: hxtp://ermiravniebeery154.net/ppp/file.php|file=jj03.exe
key: DD FB 2F 07 49 AB 4B C5 F6 C0 D1 22 C4 05 B0 10
Login key: D52C3A25FB86B4660219344E1BC5A755
same enc key as http://www.kernelmode.info/forum/viewto ... =60#p20700
It uses 2 external panels
Code: Select all
hxtps://combonicer100.com/jp/login
hxtps://titaniumaftersoft50.net/az_p/login
testing the mitb webinject on postbank:
Image
You do not have the required permissions to view the files attached to this post.
 #21194  by RageMachine
 Fri Oct 18, 2013 9:34 pm
Hope this is the right spot for this, pulled this off an infected server.
You do not have the required permissions to view the files attached to this post.
 #21222  by Xylitol
 Tue Oct 22, 2013 2:25 pm
Citadel targeting Japan, sample courtesy of Kafeine.
https://www.virustotal.com/en/file/4607 ... 382452490/
4 days ago sample was 2/48 on VT.
Code: Select all
Drop: hxtp://gormonnsnter105.net/ppp/
Update: hxtp://ermeentroper110.com/ppp/file.php|file=jj03.exe
key: DD FB 2F 07 49 AB 4B C5 F6 C0 D1 22 C4 05 B0 10
Login key: D52C3A25FB86B4660219344E1BC5A755
Same enc key as http://www.kernelmode.info/forum/viewto ... =60#p20700 & http://www.kernelmode.info/forum/viewto ... =80#p21178
MiTB:
Code: Select all
hxtps://combonicer200.com/jp/
Image

Previous panel combonicer100.com got nuke by abuse.ch guys and Germany isn't anymore a target:
Code: Select all
https://entry*.bk.mufg.jp/ibg/dfw/APLIN/loginib/login*
https://direct*.bk.mufg.jp/ib/dfw/APL/bnkib/banking*
https://direct*.bk.mufg.jp/ib/dfw/APL/ibp/keiyakukanri/MailAddress*
https://direct*.smbc.co.jp/*jsp
https://direct*.smbc.co.jp/*Servlet
http://www.smbc.co.jp/index.html
https://www.smbc.co.jp/index.html
https://www.netbk.co.jp/wpl/NBGate
https://www.netbk.co.jp/wpl/NBGate/*
https://net.aeonbank.co.jp/*aeonbank/bob/*.htm
http://www.aeonbank.co.jp/
https://www.aeonbank.co.jp/
https://ib.resonabank.co.jp/IB/*
http://www.resona-gr.co.jp/*
https://www.resona-gr.co.jp/*
https://ib.saitamaresona.co.jp/IB/*
http://www.resona-gr.co.jp/*
https://www.resona-gr.co.jp/*
https://ib.kinkiosakabank.co.jp/IB/*
http://www.kinkiosakabank.co.jp/*
https://www.kinkiosakabank.co.jp/*
http://www.resona-gr.co.jp/*
https://www.resona-gr.co.jp/*
https://ib.chibabank.co.jp/*
http://www.chibabank.co.jp/myaccess/link/
http://www.chibabank.co.jp/myaccess/link/
https://ib.surugabank.co.jp/*
http://www.surugabank.co.jp/surugabank/cmn/jump/j_internetbanking.html
https://direct*.82bank.co.jp/HCIK*/BankIK*
https://www.82bank.co.jp/hp/menu*
https://ib.fukuokabank.co.jp/*fukuoka/bob/*.htm
https://www.fukuokabank.co.jp/
https://www.fukuokabank.co.jp/personal/service/directbanking/iblogin/
https://www.inb.114bank.chance.co.jp/int/banking?_TRANID=*
https://www.inb.joyobank.chance.co.jp/int/banking?_TRANID=*
https://www.inb.momijibank.chance.co.jp/int/banking?_TRANID=*
https://www.inb.nantobank.chance.co.jp/int/banking?_TRANID=*
config also in attach
You do not have the required permissions to view the files attached to this post.
 #21250  by Xylitol
 Sun Oct 27, 2013 11:36 am
Citadel targeting Japan.
Code: Select all
Drop: hxtp://gromydoonye250.com/ppp/
Update: hxtp://ermxxrtroper210.com/ppp/file.php|file=jj03.exe
key: DD FB 2F 07 49 AB 4B C5 F6 C0 D1 22 C4 05 B0 10
Login key: D52C3A25FB86B4660219344E1BC5A755
Same enc key as http://www.kernelmode.info/forum/viewto ... =60#p20700 & http://www.kernelmode.info/forum/viewto ... =80#p21178 & http://www.kernelmode.info/forum/viewto ... =80#p21222
You do not have the required permissions to view the files attached to this post.
 #21252  by Xylitol
 Sun Oct 27, 2013 12:13 pm
Citadel targeting Australia, France, Spain, Italy, Germany, united kingdom, America, Bulgaria...
Code: Select all
Drop: hxtp://iae.hosei.ac.jp/tmp/configs/new/vg.php
Update: hxtp://guts.cutegirl.jp/images/g/file.php|file=v.exe
key: F7 61 91 7B E8 EE 69 27 92 80 D1 79 0E 68 9F 3B
Login key: 4DF156722347C195696567442125ACE3
Image
Code: Select all
https://internetbanking.suncorpbank.com.au*
https://ibanking.stgeorge.com.au/InternetBanking/viewAccountPortfolio.do*
https://ib.nab.com.au/nabib/acctInfo_acctBal.ctl*
https://*.anz.com/IBAU/BANKAWAYTRAN*
https://*.anz.com/IBAU/BANKAWAYTRAN*
https://*.westpac.com.au/esis/Login/SrvPage*
https://*.westpac.com.au/wtwt/startpage*
https://ibank.humebuild.com.au/login.asp*
*netaccess*.qtcu.com.au*wci=entry
https://www.pcunet2.com.au/mvppolice/Login.asp*
*.victeach.com.au*
https://netteller2.pncs.com.au/*
*necu.com.au/mvpnewengland/Login.asp*
*permonline.newcastlepermanent.com.au/IB04/NPBSPe*
*is2.cuviewpoint.net/*ogin.asp
*commbiz.commbank.com.au*
*netteller*com.au/*/ntv4*?wci=entry
teacherscreditunion.com.au/internetbanking/Login.asp*
*online.hbs.net.au*entr*
*ib.boq.com.au*
*mvp.bigsky.net.au/*ogin.asp
*citibank.com.au/AUGCB/JSO/signon/DisplayUsernameSignon.do
*membersequitybank.com.au/ME*
*secure.accu.com.au/secureaccu*
*online.savingsloans.com.au*
*secure.mystate.com.au/secure*
*online.qantascu.com.au*
*/my.ebay.com/*CurrentPage=MyeBayPersonalInfo*
*.ebay.com/*eBayISAPI.dll?*
https://www.us.hsbc.com/*
https://www.e-gold.com/acct/li.asp
https://www.e-gold.com/acct/balance.asp*
https://www.wellsfargo.com/
https://*.lloydstsb.co.uk/personal/*/logon/entermemorableinformation.jsp*
https://online.wellsfargo.com/das/cgi-bin/session.cgi*
https://www.wellsfargo.com/*
https://online.wellsfargo.com/login*
https://online.wellsfargo.com/signon*
https://www.paypal.com/*/webscr?cmd=_account
https://www.paypal.com/*/webscr?cmd=_login-done*
https://www#.usbank.com/internetBanking/LoginRouter
https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
https://www#.citizensbankonline.com/*/index-wait.jsp
https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
https://www.suntrust.com/portal/server.pt*parentname=Login*
https://www.53.com/servlet/efsonline/index.html*
https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
https://resources.chase.com/MyAccounts.aspx
https://bancaonline.openbank.es/servlet/PProxy?*
https://extranet.banesto.es/*/loginParticulares.htm
https://banesnet.banesto.es/*/loginEmpresas.htm
https://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*
https://www.gruposantander.es/bog/sbi*?ptns=acceso*
https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
https://www.bancajaproximaempresas.com/ControlEmpresas*
https://www.citibank.de*
https://probanking.procreditbank.bg/main/main.asp*
https://ibank.internationalbanking.barclays.com/logon/icebapplication*
https://ibank.barclays.co.uk/olb/x/LoginMember.do
https://online-offshore.lloydstsb.com/customer.ibc
https://online-business.lloydstsb.co.uk/customer.ibc
https://www.dab-bank.com*
http://www.hsbc.co.uk/1/2/personal/internet-banking*
https://www.nwolb.com/Login.aspx*
https://home.ybonline.co.uk/login.html*
https://home.cbonline.co.uk/login.html*
https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
https://welcome23.smile.co.uk/SmileWeb/start.do
https://www.halifax-online.co.uk/_mem_bin/formslogin.asp*
https://www2.bancopopular.es/AppBPE/servlet/servin*
https://www.bancoherrero.com/es/*
https://pastornetparticulares.bancopastor.es/SrPd*
https://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm
https://www.caja-granada.es/cgi-bin/INclient_2031
https://www.fibancmediolanum.es/BasePage.aspx*
https://carnet.cajarioja.es/banca3/tx0011/0011.jsp
https://www.cajalaboral.com/home/acceso.asp
https://www.cajasoldirecto.es/2106/*
https://www.clavenet.net/cgi-bin/INclient_7054
https://www.cajavital.es/Appserver/vitalnet*
https://banca.cajaen.es/Jaen/INclient.jsp
https://www.cajadeavila.es/cgi-bin/INclient_6094
https://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp
http://caixasabadell.net/banca2/tx0011/0011.jsp
https://www.caixaontinyent.es/cgi-bin/INclient_2045
https://www.caixalaietana.es/cgi-bin/INclient_2042
https://www.cajacirculo.es/ISMC/Circulo/acceso.jsp
https://areasegura.banif.es/bog/bogbsn*
https://www.bgnetplus.com/niloinet/login.jsp
https://www.caixagirona.es/cgi-bin/INclient_2030*
https://www.unicaja.es/PortalServlet*
https://www.sabadellatlantico.com/es/*
https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
https://www.cajabadajoz.es/cgi-bin/INclient_6010*
https://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm
https://montevia.elmonte.es/cgi-bin/INclient_2098*
https://www.cajacanarias.es/cgi-bin/INclient_6065
ttps://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1
https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
https://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp
https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp
https://hb.quiubi.it/newSSO/x11logon.htm
https://www.iwbank.it/private/index_pub.jhtml*
https://web.secservizi.it/siteminderagent/forms/login.fcc
https://www.isideonline.it/relaxbanking/sso.Login*
https://scrigno.popso.it*
https://www.halifax-online.co.uk/MyAccounts/MyAccounts.aspx*
https://ibank.barclays.co.uk/olb/x/LoginMember.do
https://www.halifax-online.co.uk/_mem_bin/*
https://online*.lloydstsb.co.uk/logon.ibc
https://home.ybonline.co.uk/ral/loginmgr/*
https://www.mybank.alliance-leicester.co.uk/login/*
https://www.ebank.hsbc.co.uk/main/IBLogon.jsp
https://www.isbank.com.tr/Internet/ControlLoader.aspx*
https://olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp*
https://www*.banking.first-direct.com/1/2/*
https://cardsonline-consumer.com/RBSG_Consumer/VerifyLogin.do
https://www.rbsdigital.com/Login.asp*
https://banking*.anz.com/*
https://olb2.nationet.com/signon/signon*
https://www.nwolb.com/Login.asp*
https://home2ae.cd.citibank.ae/CappWebAppAE/producttwo/capp/action/signoncq.do
https://internetbanking.aib.ie/hb1/roi/signon
*wellsfargo.com/*
https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/l.do
https://web.da-us.citibank.com/cgi-bin/citifi/portal/l/autherror.do*
https://rupay.com/index.php
*banquepopulaire.fr/*
https://www.uno-e.com/local_bdnt_unoe/Login_unoe2.html
https://www.ccm.es/cgi-bin/INclient_6105
You do not have the required permissions to view the files attached to this post.
 #21264  by Xylitol
 Tue Oct 29, 2013 10:25 am
Citadel who target japan.
Code: Select all
Drop: hxtp://gromydoonye250.com/ppp/
Update: hxtp://ermxxrtroper210.com/ppp/file.php|file=jj03.exe
key: DD FB 2F 07 49 AB 4B C5 F6 C0 D1 22 C4 05 B0 10
Login key: D52C3A25FB86B4660219344E1BC5A755
Same enc key as http://www.kernelmode.info/forum/viewto ... =60#p20700 & http://www.kernelmode.info/forum/viewto ... =80#p21178 & http://www.kernelmode.info/forum/viewto ... =80#p21222 & http://www.kernelmode.info/forum/viewto ... =80#p21250
You do not have the required permissions to view the files attached to this post.
 #21272  by Xylitol
 Tue Oct 29, 2013 6:43 pm
Citadel who target hmm well.. everything. (http*/*)
https://zeustracker.abuse.ch/monitor.ph ... 1krolik.su
Code: Select all
Drop: hxtp://bugnevadanebraska.su/shop/gate.php
Update: hxtp://bugnevadanebraska.su/shop/file.php|file=soft.exe
key: A0 09 62 D8 34 16 04 26 CD 19 97 73 C0 4D 20 EB
Login key: CA3AAA9454EDE395CAFAA9AB2C17F4AD
John Doe 25, see also this sample: http://www.kernelmode.info/forum/viewto ... =70#p20844
Code: Select all
WebInjs: hXtps://aoz.su/cc/
Login: hxtps://aoz.su/cc/money.php
Image
You do not have the required permissions to view the files attached to this post.
 #21274  by Xylitol
 Tue Oct 29, 2013 7:08 pm
Citadel who target Germany and Netherlands.
Code: Select all
Drop: hxtp://46.30.41.23/AshjkyuiHKJLuhjka/strapp.php
Update: hxtp://46.30.41.23/AshjkyuiHKJLuhjka/file.php|file=ffbuild.exe
key: E2 2B 85 99 7B F6 40 F6 E4 9D 0E 9C C7 AF 5F 0A
Login key: 5CB682C10440B2EBAF9F28C1FE438468
https://zeustracker.abuse.ch/monitor.ph ... 6.30.41.23
This login key is unknown to zeuslegalnotice
You do not have the required permissions to view the files attached to this post.
  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 20