A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26190  by Xylitol
 Fri Jun 26, 2015 9:52 am
Attachments
infected
(2.18 MiB) Downloaded 131 times
 #26238  by Xylitol
 Mon Jul 06, 2015 2:38 pm
Attachments
infected
(180.13 KiB) Downloaded 73 times
 #26245  by comak
 Tue Jul 07, 2015 9:30 am
new keys...
Code: Select all
{
  "binary": "7552f5e44684c5c0789d9fbab20eb8df",
  "family": "vmzeus2",
  "rc4sbox": "7776daaf5f6e5281ee6f68e52f46c4296233203ac53b09ade34d955b4b8e0e1bca98f78d51487513ce6c6728d87c7aa6150ab93c07fa166bdd60268038ae7b41e08f7de10f972a1d24085adc181a4afcffe23ebe44db54cf378b113fb18c662ba4d3bbeb83585ccbf5b7885d35c772bd739c1fb202dfd979f0c8221e9b0571f8019f59f1ed40c1a1a89d27874ecc19890da29e146a9082a036d045f49250b357c0c2aa94de93063db5569934a739315eef96f2850023b6d647420bb469d27ff674acbf30cd4325914c9a030c53f917637010d52cbaea2164d4b0fe0484a32d1cd7abbcc9d12e7886fbf312a9ece8e9e7e4fd49614fe67e328a55656da5c6b8c30000",
  "cfg-key": "rc6sbox",
  "cfg": "http://kendra.fr/walex/files/config.jpg",
  "alive": true,
  "botname": "\u00fb",
  "version": "02.00.00.00",
  "cnc": "kendra.fr",
  "urls": [
    "http://kendra.fr/walex/files/config.jpg"
  ],
  "fakeurl": "http://bzfdcp.com/cfg.bin",
  "rc6sbox": "93ff4027e90d6b8819814dd2f1ea2f3700c15b1b09665822794a07485490261778074aec55e5272f934470718c4e01b162f3e7bc1e758c6ec214c4f0113fb4895d61a62eaa13392368554424f966b37cbfac6600cfa6ba7a5ec3a26b8d06c5e09b165f9736328b0b3218c0f29a49863a613180c10e0ad96fb8e0e67e662efc02d0c04edcbb6b06a00a57678144254cd48c7bc4bff6289dff90773046f060a051065bf713cfb5bb40864c8e51da7a60b7",
  "strings": [
    "&;\"http://bzfdcp.com/cfg.bin"
  ]
}
Attachments
(1.89 KiB) Downloaded 54 times
 #26296  by supahal
 Wed Jul 15, 2015 10:45 am
Can you help to decrypt this file.
331e2d405c928baeb47e5d67a98195532c63c0a3

I believe this is KINS2
 #26299  by comak
 Wed Jul 15, 2015 2:27 pm
i believe you are right ;]
Code: Select all
{
  "binary": "54f5ffd397b156782a177dfe85c3c8ea",
  "family": "vmzeus2",
  "rc4sbox": "561f0493246b664cc022f9ed609fe5f673ce447800135215bade1435bc746340aef15db7691a09e4d50fc14e8562c34d8c8a024f7145bdfafba7b6e9965ee35541c73ee65cd16e7261d237e15319c4862d3f58a0c2b56a31c53df0bef2ad9805b4ea834ab920aa1bac81f7df8e9e958470876c9a0bab775f3aff8d497d82cd8bb38f512e7f54b2345a292ac632909d887ae265e039ee89a37ca8bb7567d9c81c9b382c26082106fd174b07c930f5e8d3ddcadbf3d71642a6a27b47d40ca194d810f443eb9112b8fe33cb80250123361e48d0e73b5b99921d9c3c0df8dcdaccbf79a56db1270eec686f597e46cf1864fc2f280a11af502bd6a9977603a4ef57b00000",
  "cfg-key": "rc6sbox",
  "cfg": "https://vanilladed.com/server1/jf75qw.jpg",
  "botname": "botnet2",
  "version": "02.00.00.00",
  "cnc": "vanilladed.com",
  "urls": [
    "https://golfedxx.com/ktest/mod_vnc.bin",
    "https://vanilladed.com/server1/jf75qw.jpg"
  ],
  "fakeurl": "http://olpfo.com/xapwj/cfg.bin",
  "rc6sbox": "64be7c34431523a8665bd22839c72014c8bc17e6749898e2b744be04cb73dab87c8d2806b397647e057b3c3781857553bc604bc9651dbc10f0be2a3c1d33a99a5408c01e4a79b175f165ca640b14627ea1776681b3ed1fd938ac7c5befc3e1d367080476a8399c6095605577997c6b5c4d4d0f2c8991f38df2645d500026068604d45137e0451e8b9436f08416eadf717e19912906239a8cd88f9c5ca89b2f3cd30f767098698e82191e60bac20018d4",
  "strings": [
    "lhttp://olpfo.com/xapwj/cfg.bin"
  ]
}
domain seems to be dead?
 #26300  by EP_X0FF
 Wed Jul 15, 2015 4:23 pm
supahal wrote:Can you help to decrypt this file.
331e2d405c928baeb47e5d67a98195532c63c0a3

I believe this is KINS2
Maybe, as first step, you will attach your file?
 #26401  by EP_X0FF
 Wed Jul 29, 2015 5:26 am
According to GLOBAL_BOT_MAPPING_NAME it is Zberp. Moved.
 #26577  by patriq
 Sat Aug 22, 2015 2:03 pm
c2a29d45ea88ad254fd5daa7ee06cc59b61a87e2dad00fd5e106d9445b9ba965
https://www.virustotal.com/en/file/c2a2 ... /analysis/

8d576415b55ae49328ded87284c3e45d0f2bf3de2633c6538740e86e92a8558f
https://www.virustotal.com/en/file/8d57 ... /analysis/

01ce3d452c67346ebb8546de48b43705c49e6ea3417a61d1318f247d0e760fea
https://www.virustotal.com/en/file/01ce ... /analysis/


C2 still active
https://zeustracker.abuse.ch/monitor.ph ... stkoko.com
justkoko.png
justkoko.png (78.13 KiB) Viewed 515 times

imports MSVBVM60.dll, which would make it a ZeusVM

samples and config attached.
Attachments
infected
(593.64 KiB) Downloaded 58 times