
Re: Win32/Zeus (alias Zbot)

Posted: Mon Jan 12, 2015 12:05 pm
by comak
vmzeus 2.0

Code:

{'binary': u'0b8d94b28a7c91c9a3987675f170b3c0',
 'botname': u'jason',
 'cfg': 'http://brokelowhi.com/flashplayer/mod_vncY\x15\x94\x1e-\xf64e\xe7\x85\xc3\xcc\x92K\xf8q\xb3t\x87\xe6$F}I1\xb42d\x94\xed\x83\xb7\xab\x01\x1b\xba',
 'fakeurl': 'http://olpfo.com/xapwj/cfg.bin',
 'family': 'vmzeus2',
 'rc4sbox': '...',
 'rc6sbox': 'ac956e590059249216675ff53e661eb2de573c253ec6a9e823eaca45790cf7126e8d56e1b8422f3614fd4c7c3536e232b3de3318d1bac1000b90e5baf27231f2e6877a3ac29fab69ce2874fb3121ef149e66ca9cb5e952414168b4d792562404d3ffededd921d276c56043d25947a62b7d975e20efb3725cd46bb4c13e9a599a9403d853142513a74671660884d2cbe4cdfd5f8c3a9d1d452c938e5b980f997d3794b563a781c65b8d23c0ba373f2f9e',
 'strings': ['lhttp://olpfo.com/xapwj/cfg.bin'],
 'urls': ['http://brokelowhi.com/flashplayer/mod_vncY\x15\x94\x1e-\xf64e\xe7\x85\xc3\xcc\x92K\xf8q\xb3t\x87\xe6$F}I1\xb42d\x94\xed\x83\xb7\xab\x01\x1b\xba'],
 'version': '02.00.00.00'}

apparently I have some bug in the decryptor...

anyhow, cfg attached
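
Two details in the dump above point at where the decryptor goes wrong: the 'cfg' and 'urls' values run on past "mod_vnc" into non-printable bytes, and the first 'strings' entry reads "lhttp://..." with a stray leading character. Both are the usual signatures of reading a string field at the wrong offset or past its terminator rather than of bad key material; the 'rc6sbox', for its part, is 176 bytes, i.e. 44 32-bit words, which is exactly the 2r+4 expanded-key size of RC6 with 20 rounds. The following is an added example, not comak's decryptor or any code from this thread, of the sanity checks an analyst can run over such a dump before trusting its IoCs. The RC6 key and the string values are the ones posted above; the RC4 state is a constructed permutation standing in for the one that is not reproduced on this page.

```python
"""Sanity checks for a decrypted Zeus-style config dump (added example)."""
import string

# Characters accepted inside a URL/string field; anything else is treated as
# over-read or mis-decrypted garbage.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# RC6 expanded key as posted in the thread (hex from the 'rc6sbox' entry).
RC6_KEY_HEX = (
    "ac956e590059249216675ff53e661eb2" "de573c253ec6a9e823eaca45790cf712"
    "6e8d56e1b8422f3614fd4c7c3536e232" "b3de3318d1bac1000b90e5baf27231f2"
    "e6877a3ac29fab69ce2874fb3121ef14" "9e66ca9cb5e952414168b4d792562404"
    "d3ffededd921d276c56043d25947a62b" "7d975e20efb3725cd46bb4c13e9a599a"
    "9403d853142513a74671660884d2cbe4" "cdfd5f8c3a9d1d452c938e5b980f997d"
    "3794b563a781c65b8d23c0ba373f2f9e"
)

# Constructed stand-in for the RC4 state (the posted one is not reproduced on
# the page): any permutation of 0..255 passes, this one just reverses the range.
RC4_STATE_HEX = "".join(f"{b:02x}" for b in range(255, -1, -1))

# The config URL exactly as the decryptor emitted it: URL, then trailing garbage.
CFG_URL = ("http://brokelowhi.com/flashplayer/mod_vncY\x15\x94\x1e-\xf64e\xe7\x85"
           "\xc3\xcc\x92K\xf8q\xb3t\x87\xe6$F}I1\xb42d\x94\xed\x83\xb7\xab\x01\x1b\xba")

# The dump as posted, with the constructed RC4 state substituted in.
SAMPLE_CFG = {
    "botname": "jason",
    "cfg": CFG_URL,
    "fakeurl": "http://olpfo.com/xapwj/cfg.bin",
    "family": "vmzeus2",
    "rc4sbox": RC4_STATE_HEX,
    "rc6sbox": RC6_KEY_HEX,
    "strings": ["lhttp://olpfo.com/xapwj/cfg.bin"],
    "urls": [CFG_URL],
    "version": "02.00.00.00",
}


def decode_hex(value, what):
    """Decode a hex field; return (bytes, findings) so callers can chain checks."""
    try:
        return bytes.fromhex(value), []
    except ValueError:
        return b"", [f"{what}: not valid hex"]


def check_rc4_state(hex_state):
    """A dumped RC4 S-box must be 256 bytes and a permutation of 0..255."""
    raw, findings = decode_hex(hex_state, "rc4sbox")
    if findings:
        return findings
    if len(raw) != 256:
        findings.append(f"rc4sbox: {len(raw)} bytes, expected 256")
    elif sorted(raw) != list(range(256)):
        findings.append("rc4sbox: not a permutation of 0..255")
    return findings


def check_rc6_key(hex_key):
    """An RC6 expanded key is 2r+4 32-bit words, so its byte length must fit that."""
    raw, findings = decode_hex(hex_key, "rc6sbox")
    if findings:
        return findings
    words, rem = divmod(len(raw), 4)
    if rem or words < 4 or (words - 4) % 2:
        findings.append(f"rc6sbox: {len(raw)} bytes is not 2r+4 32-bit words")
    return findings


def rc6_rounds(hex_key):
    """Round count implied by the expanded-key size (44 words -> 20 rounds)."""
    return (len(bytes.fromhex(hex_key)) // 4 - 4) // 2


def split_clean(value):
    """Split a string field at its first non-printable char: (clean, garbage)."""
    for i, ch in enumerate(value):
        if ch not in PRINTABLE:
            return value[:i], value[i:]
    return value, ""


def check_strings(cfg):
    """Flag URL fields that run into garbage or do not start with a scheme."""
    items = [(k, cfg[k]) for k in ("cfg", "fakeurl") if k in cfg]
    items += [(k, v) for k in ("urls", "strings") for v in cfg.get(k, [])]
    findings = []
    for key, value in items:
        clean, garbage = split_clean(value)
        if garbage:
            findings.append(f"{key}: {len(garbage)} non-printable byte(s) after "
                            f"{clean!r} (field read past its terminator?)")
        if not clean.startswith(("http://", "https://")):
            findings.append(f"{key}: {clean!r} does not start with a URL scheme "
                            f"(field offset misaligned?)")
    return findings


def audit(cfg):
    """Run every check and return the combined list of findings."""
    return (check_rc4_state(cfg["rc4sbox"]) + check_rc6_key(cfg["rc6sbox"])
            + check_strings(cfg))


if __name__ == "__main__":
    print(f"rc6 rounds implied by key size: {rc6_rounds(SAMPLE_CFG['rc6sbox'])}")
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

Run against the posted values, the key checks pass and three string findings come back: trailing garbage on both copies of the config URL and a missing scheme on the "lhttp://..." entry. That pattern, good key material but damaged strings, is what narrows the bug to the string-field extraction rather than the cipher step, and it is the check worth running before any of the URLs are pushed out as indicators.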

Re: Win32/Zeus (alias Zbot)

Posted: Tue Aug 25, 2015 6:32 am
by pyre08
Sphinx - new Zbot variant?

http://darkmatters.norsecorp.com/2015/0 ... ck-market/

Anyone encountered this?

Based on the article the ZBOT version is 1.0.0.0.

Re: Win32/Zeus (alias Zbot)

Posted: Thu Oct 15, 2015 10:49 am
by 0xDucky
Does anyone recognize this variant of Zeus?
https://www.virustotal.com/en/file/4bf9 ... /analysis/

It behaves like Zeus 2, but patches ntdll!NtDeviceIoControlFile instead of the classic Zeus patches in order to intercept traffic.

Sample attached.
4bf9426dde9c5cdb3366f4e0a23b4df6eb6a58d66f28e367c7c738b280b271f9.zip

Re: Win32/Zeus (alias Zbot)

Posted: Sun Oct 18, 2015 11:23 am
by Xylitol

Re: Malware collection

Posted: Sun Aug 14, 2016 7:06 pm
by ikolor

Re: Malware collection

Posted: Wed Sep 07, 2016 7:00 pm
by ikolor

Re: Malware collection

Posted: Wed Sep 07, 2016 10:45 pm
by xors

Re: Win32/Zeus (alias Zbot)

Posted: Tue Oct 18, 2016 4:05 pm
by tildedennis
a couple of sphinx zeus things:

* https://securityintelligence.com/brazil ... he-sphinx/

sample (attached): https://www.virustotal.com/en/file/7c73 ... /analysis/

Code:

version: 1.7.1.0
config_url: http://dayspirit.at/xen2/config.bin
config_url: http://pierin.ru/xen2/config.bin
config_url: http://clork.ru/xen2/config.bin
advanced_config_url: http://labgeni0us.at/xen2/config.bin
advanced_config_url: http://dexterlabnew.at/xen2/config.bin
advanced_config_url: http://woooowarmy.at/xen2/config.bin
webinjects (attached) targeting .br
---

* https://blogs.forcepoint.com/security-l ... dian-banks

sample (attached): https://www.virustotal.com/en/file/3c1e ... /analysis/
version: 1.5.5.0

broken/incomplete sample? instead of an encrypted base config it contains "{BASECONFIG}"

Re: Win32/Zeus (alias Zbot)

Posted: Mon Nov 21, 2016 1:06 pm
by tildedennis
flokibot (mostly zeus 2.0.8.9 + some basic DDoS + basic track 2 memory scraper):

* https://www.flashpoint-intel.com/floki- ... lware-kit/
* https://blog.malwarebytes.com/threat-an ... y-dropper/

latest sample that I've seen (attached): https://www.virustotal.com/en/file/4bdd ... /analysis/

Code:

version: 13
config_url: https://extensivee.bid/000L7bo11Nq36ou9cfjfb0rDZ17E7ULo_4agents/gate.php

not seeing any webinjects yet, but dynamic config is attached as well.

Re: Win32/Zeus (alias Zbot)

Posted: Fri Apr 21, 2017 1:16 pm
by tildedennis
grab another zeus variant from off the wall:

http://blog.fortinet.com/2017/03/17/gra ... -your-data

https://virustotal.com/en/file/6d8ce2d1 ... /analysis/ (attached) has a version of 1.6.8 and the following c2s:

Code:

hxxp://derqdxnvis.info/wordpress/forumpost.php
hxxp://bigtoys.info/wordpress/forumpost.php
hxxp://derqdxnvis.site/wordpress/forumpost.php
hxxp://onlinegtrnc.site/wordpress/forumpost.php
hxxp://sseriubndisers.info/wordpress/forumpost.php
hxxp://geryynet.site/wordpress/forumpost.php
the lowest version I've seen of this variant is 1.5.5, active around October 2015.

seems very likely to be an update of this 2014 zeus variant known as "tarbuka" by stopmalvertising:

http://stopmalvertising.com/spam-scams/ ... pages.html