A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28940  by tildedennis
 Tue Jul 26, 2016 5:38 pm
* https://www.proofpoint.com/us/threat-in ... the-market
* https://blog.fox-it.com/2016/06/07/link ... therlands/

Definitely feels Zeus-based to me. 2.2.5 is the latest version that I've seen and it started appearing in the wild in early July.

https://www.virustotal.com/en/file/cda1 ... /analysis/

Sample, decrypted config and webinjects (targeting mostly .us and .ca) from eluidess[.]pw attached. The config JSON is the real deal, but the webinject JSON is my parsing to make them Zeus formatted.
Attachments
(126.54 KiB) Downloaded 89 times
 #29205  by tildedennis
 Thu Sep 08, 2016 1:20 pm
Our malware zoo welcomed a brand new baby panda (banker) into the wild the other day, please say hi to version 2.2.6:

https://www.virustotal.com/en/file/571b ... /analysis/

A quick scan using Diaphora's "Relaxed calculations of differences ratios" shows there are very few changes compared to 2.2.5, mostly rearranged encrypted string indexes and some different API hashes.

Sample, config, webinjects attached. Mostly focusing on .ca banks.
Attachments
(180.56 KiB) Downloaded 78 times
 #29206  by ikolor
 Thu Sep 08, 2016 3:27 pm
We are not from ZOO .Some people hard work to find some malware sample .Please remember .