A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18127  by gritland
 Sun Feb 10, 2013 9:12 am
Zeus mode (maybe Citadel)
Can't decrypt config file
 #18311  by reverser
 Fri Feb 22, 2013 9:21 pm
I'd like to have a look at "Unknown malware" from the NBC hack mentioned here:
The attack also served an unknown malware binary, connecting to various websites:

hxxp://envirsoft.com/d.htm
hxxp://eastsidetennisassociation.com/l.htm
hxxp://magasin-shop.com/r.htm
hxxp://beautiesofcanada.com/o.htm

Some antivirus vendors identify this malware as Zbot or a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot and it’s not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end “SadokBdi”.
 #18338  by Squirl
 Tue Feb 26, 2013 9:06 am
The compromise was serving up Citadel, according to most AV blogs. I've attached the various components of the compromise (but no Troj, sadly).
 #19229  by Xylitol
 Wed May 08, 2013 7:56 pm
Citadel 1.3.5.1 targeting French banks
In attach config and decoded + plugins and sample.
Drop: hxtp://angelescitypattaya.com/mimosa/welcome.php
Config: hxtp://angelescitypattaya.com/mimosa/file.php|file=mimosa.exe
Panel: hxtp://angelescitypattaya.com/mimosa/control.php
Reports path: /reporting/
Botnet ID: mimosa
Key: 92 A6 70 B6 CE FC A5 15 CF 1D AA 7A B1 8C EE 65
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
 #19551  by Xylitol
 Tue Jun 04, 2013 7:50 pm
Citadel 1.3.5.1 targeting chase.com domains
In attach config and decoded + plugins and sample.
Drop: hxtp://www.gruppo-abc.it/public/mode.php
Config: hxtp://www.piszek.com/wp-includes/images/file.php|file=soft.exe
hxtp://byzantineinvestments.info/wp-content/uploads/file.php|file=tstconfig.bin
hxtp://kim.humanclay.ca/wp-content/uploads/2007/file.php|file=tstconfig.bin
Key: 15 0D 06 66 B7 3E B5 A4 5D 69 02 A3 70 2D C2 9A
login key: C1F20D2340B519056A7D89B7DF4B0FFF
 #19595  by Xylitol
 Mon Jun 10, 2013 4:27 pm
Citadel 1.3.5.1 targeting French banks
In attach config and decoded + plugins and sample.
Drop: hxtp://rivascloviso.net/caticlan/welcome.php
Update: hxtp://rivascloviso.net/caticlan/file.php
Panel: hxtp://rivascloviso.net/caticlan/control.php
Reports path: /reporting/
Botnet ID: caticlan
Key: 92 A6 70 B6 CE FC A5 15 CF 1D AA 7A B1 8C EE 65
login key: C1F20D2340B519056A7D89B7DF4B0FFF
 #19596  by Xylitol
 Mon Jun 10, 2013 6:20 pm
Citadel 1.3.5.1 targeting wellsfargo.com domains
In attach config and decoded + plugins and sample.
Drop: hxtp://64.85.233.8/hide/1355/enter.php
Update: hxtp://whitewidow.ciscofreak.com/hide/1355/file.php|file=config.bin
Key: 11 0D 57 79 BA 74 C2 E4 98 6C F6 BD 65 BC FF C1
login key: C1F20D2340B519056A7D89B7DF4B0FFF
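The config summaries posted above all follow the same plain-text layout (Drop / Config / Update / Panel URLs, optional bare URL continuation lines with a "|file=" hint, a hex "Key" and a hex "login key", and sometimes "Botnet ID" and "Reports path"). The following is an added example, not code from any poster in this thread, that parses such a block into structured indicators a defender can feed into a hostname blocklist or a detection rule, keeping the URLs defanged exactly as posted. The field names and the "hxtp://" spelling are taken from the posts; the sample blocks are copied from Xylitol's chase.com and wellsfargo.com posts, and the 16-byte length check only reflects what those posts show.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Field names that carry C2 URLs, as used in the posted summaries.
URL_FIELDS = {"drop", "config", "update", "panel"}
# Defanged (and plain) scheme spellings we accept on a URL line.
DEFANGED_SCHEMES = ("hxtp://", "hxxp://", "hxxps://", "http://", "https://")

# Sample input copied from the posts above (kept defanged).
SAMPLE_CHASE = """Drop: hxtp://www.gruppo-abc.it/public/mode.php
Config: hxtp://www.piszek.com/wp-includes/images/file.php|file=soft.exe
hxtp://byzantineinvestments.info/wp-content/uploads/file.php|file=tstconfig.bin
hxtp://kim.humanclay.ca/wp-content/uploads/2007/file.php|file=tstconfig.bin
Key: 15 0D 06 66 B7 3E B5 A4 5D 69 02 A3 70 2D C2 9A
login key: C1F20D2340B519056A7D89B7DF4B0FFF"""

SAMPLE_WELLSFARGO = """Drop: hxtp://64.85.233.8/hide/1355/enter.php
Update: hxtp://whitewidow.ciscofreak.com/hide/1355/file.php|file=config.bin
Key: 11 0D 57 79 BA 74 C2 E4 98 6C F6 BD 65 BC FF C1
login key: C1F20D2340B519056A7D89B7DF4B0FFF"""


@dataclass
class C2Url:
    role: str                 # drop / config / update / panel
    url: str                  # stored defanged, exactly as posted
    host: str                 # hostname or IP literal
    path: str                 # URL path without the "|file=" hint
    file_hint: Optional[str]  # value of the "|file=" suffix, if present


@dataclass
class CitadelConfigSummary:
    urls: list = field(default_factory=list)
    rc4_key: Optional[bytes] = None
    login_key: Optional[bytes] = None
    botnet_id: Optional[str] = None
    reports_path: Optional[str] = None


def _split_url(role: str, raw: str) -> C2Url:
    """Split one posted URL into host/path while keeping the defanged text."""
    url, _, hint = raw.partition("|file=")
    for scheme in DEFANGED_SCHEMES:
        if url.lower().startswith(scheme):
            # urlsplit only finds the netloc behind a real scheme, so swap the
            # defanged scheme for parsing only; the stored url stays defanged.
            parsed = urlsplit("http://" + url[len(scheme):])
            return C2Url(role, url, parsed.hostname, parsed.path, hint or None)
    raise ValueError(f"unrecognised URL line: {raw}")


def parse_summary(text: str) -> CitadelConfigSummary:
    """Parse a posted config summary block into structured indicators."""
    summary = CitadelConfigSummary()
    last_role = None  # role of the preceding URL field, for continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith(DEFANGED_SCHEMES):
            if last_role is None:
                raise ValueError("bare URL line before any URL field")
            summary.urls.append(_split_url(last_role, line))
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparsable line: {line}")
        name, value = name.strip().lower(), value.strip()
        last_role = None
        if name in URL_FIELDS:
            summary.urls.append(_split_url(name, value))
            last_role = name
        elif name == "key":
            summary.rc4_key = bytes.fromhex(value)      # accepts spaced hex
        elif name == "login key":
            summary.login_key = bytes.fromhex(value)
        elif name == "botnet id":
            summary.botnet_id = value
        elif name == "reports path":
            summary.reports_path = value
        else:
            raise ValueError(f"unknown field: {name}")
    return summary


def hosts(summary: CitadelConfigSummary) -> list:
    """Unique hostnames/IPs, sorted, for a blocklist or DNS/proxy log match."""
    return sorted({u.host for u in summary.urls})


def has_complete_keys(summary: CitadelConfigSummary) -> bool:
    """True when both keys are present and 16 bytes long, as in these posts."""
    return (summary.rc4_key is not None and len(summary.rc4_key) == 16
            and summary.login_key is not None and len(summary.login_key) == 16)


if __name__ == "__main__":
    for block in (SAMPLE_CHASE, SAMPLE_WELLSFARGO):
        s = parse_summary(block)
        print(hosts(s), has_complete_keys(s))
```

Only hostnames and paths are extracted; the URLs are never refanged, so the output can be pasted into a blocklist or a DNS-log search without accidentally producing a live link.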