A forum for reverse engineering, OS internals and malware analysis 

 #19681  by Xylitol
 Tue Jun 18, 2013 6:53 am
https://www.virustotal.com/en/file/5455 ... 371536716/

As this one seems seriously modded, I've taken the liberty to create a new thread.
The Zeus thread can be found here: http://www.kernelmode.info/forum/viewto ... f=16&t=474

hxxp://95.169.184.178/amob/a1/admin/exe.exe
Version   : 4.3.3.3
URL loader: hxtp://systemme.epac.to/exe.exe
URL server: hxtp://tools.travestieurope.biz/amob/a1/gate.php
[ADVANCEDCONFIGS]
hxtp://securewebnet.biz/amob/a1/sys.php
[WEBFILTERS]
!*.microsoft.com/*
!http://*
vol -f xp\ sp3-174fa25c.vmem zeusscan2
**************************************************
Process                        : explorer.exe
Pid                            : 1480
Address                        : 39845888
URL 0                          : http://tools.travestieurope.biz/amob/a1/cfg/config.php
Identifier                     : ADMIN-E21F5B160_7875768F3101841F
Mutant key                     : 159752132
XOR key                        : 1908723210
Registry                       : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Onybku
 Value 1                       : Ustel
 Value 2                       : Ceebutcyi
 Value 3                       : Lafel
Executable                     : Ikimu\yraf.exe
Data file                      : Uxvi\ybyg.hee
Config RC4 key                 : 
0x02600000  39 84 42 5f 44 82 2b cf 66 7a 68 28 c9 e7 10 6e   9.B_D.+.fzh(...n
0x02600010  9f 1e 20 74 62 90 70 98 6f a6 81 f5 0f a8 da 7b   ...tb.p.o......{
0x02600020  c5 f3 09 b2 3f fb 9e e5 7d b4 a7 c2 4e a1 80 7c   ....?...}...N..|
0x02600030  14 55 8f 48 a2 1f e9 24 f7 05 49 d0 40 b0 a3 61   .U.H...$..I.@..a
0x02600040  95 75 29 53 d1 15 00 6b 7e 45 ee 4f d3 31 8a 9d   .u)S...k~E.O.1..
0x02600050  35 32 26 b8 11 67 f1 2d 0e 38 d8 18 79 d2 0a fa   52&..g.-.8..y...
0x02600060  93 25 db 2a a9 71 df 88 56 72 b5 91 2e 46 58 4c   .%.*.q..Vr...FXL
0x02600070  d4 ec 3a e6 9a 87 63 c0 b7 ae 13 e3 a4 2c d9 9c   ..:...c......,..
0x02600080  ad 50 bc 8b 17 de 89 ff b6 fd bf ed 1c 96 b9 be   .P..............
0x02600090  5d ea 76 aa 73 94 08 65 23 30 12 5b cc 22 01 ac   ].v.s..e#0.[."..
0x026000a0  69 77 e2 a5 1b 4b bb 0c fc 37 03 c3 33 c6 3b 52   iw...K...7..3.;R
0x026000b0  6d 3e a0 ba 8c 4a ef fe 3c 57 51 21 85 16 e1 43   m>...J..<WQ!...C
0x026000c0  0d dd 47 f9 d7 f2 cd 78 c7 4d b3 bd cb 86 f4 c8   ..G....x.M......
0x026000d0  02 64 e4 ab 06 5a 92 54 19 04 36 dc 8e 41 f0 c4   .d...Z.T..6..A..
0x026000e0  1a 0b 59 af d5 e0 6a ca 07 99 eb c1 9b 97 27 7f   ..Y...j.......'.
0x026000f0  b1 6c e8 d6 ce 83 f8 5c 34 8d 2f 3d 1d 5e 60 f6   .l.....\4./=.^`.
0x02600100  00 00                                             ..
Credential RC4 key             : 
0x02600000  9e 40 37 d6 57 5c c2 ec 1f 31 98 3b a6 74 2b 50   .@7.W\...1.;.t+P
0x02600010  fc 4b 5a a7 10 69 32 c1 5f 1c 33 6f 36 45 c3 a3   .KZ..i2._.3o6E..
0x02600020  ff 19 cb f5 27 b2 b4 ac 47 d2 18 0f a0 c8 db e7   ....'...G.......
0x02600030  26 48 80 21 b6 d4 1a ae e1 87 76 52 5e 68 f2 c0   &H.!......vR^h..
0x02600040  3f ee aa 01 fd 20 2e 1b 43 b7 9f 6c 17 f9 df 0b   ?.......C..l....
0x02600050  8a 25 d1 fb b5 67 03 0d 3d b0 a2 46 54 79 d9 34   .%...g..=..FTy.4
0x02600060  a8 88 c7 07 2c 84 94 8c 4d f8 71 00 93 8d e3 5d   ....,...M.q....]
0x02600070  89 fe a1 23 9d 60 75 bb 41 1e 04 2d ba 83 91 de   ...#.`u.A..-....
0x02600080  ca a9 4e ab a4 73 8e 13 d5 72 da bf 7a f1 92 44   ..N..s...r..z..D
0x02600090  0c 02 29 82 9b 4a 1d 4f 99 53 06 cd 12 af 64 f4   ..)..J.O.S....d.
0x026000a0  f0 ef e8 b1 bd d0 9c dd e5 ad f7 0e 97 4c 3c 96   .............L<.
0x026000b0  8f 05 58 24 59 e0 be ed f3 a5 11 16 0a 5b 66 78   ..X$Y........[fx
0x026000c0  49 c5 08 39 bc 14 e2 ce 90 7b c6 95 62 d8 6a e9   I..9.....{..b.j.
0x026000d0  e6 b8 51 81 7f 6e fa cc d7 e4 c4 d3 ea eb 42 61   ..Q..n........Ba
0x026000e0  55 63 6d 85 56 2a 3a f6 b9 28 3e dc 65 7e b3 6b   Ucm.V*:..(>.e~.k
0x026000f0  15 30 86 77 7c 7d 70 09 22 c9 8b 2f 35 38 9a cf   .0.w|}p."../58..
0x02600100  00 00                                             ..
**************************************************
Process                        : vmtoolsd.exe
Pid                            : 1720
Address                        : 33554432
URL 0                          : http://tools.travestieurope.biz/amob/a1/cfg/config.php
Identifier                     : ADMIN-E21F5B160_7875768F3101841F
Mutant key                     : 159752132
XOR key                        : 1908723210
Registry                       : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Onybku
 Value 1                       : Ustel
 Value 2                       : Ceebutcyi
 Value 3                       : Lafel
Executable                     : Ikimu\yraf.exe
Data file                      : Uxvi\ybyg.hee
Config RC4 key                 : 
0x02000000  39 84 42 5f 44 82 2b cf 66 7a 68 28 c9 e7 10 6e   9.B_D.+.fzh(...n
0x02000010  9f 1e 20 74 62 90 70 98 6f a6 81 f5 0f a8 da 7b   ...tb.p.o......{
0x02000020  c5 f3 09 b2 3f fb 9e e5 7d b4 a7 c2 4e a1 80 7c   ....?...}...N..|
0x02000030  14 55 8f 48 a2 1f e9 24 f7 05 49 d0 40 b0 a3 61   .U.H...$..I.@..a
0x02000040  95 75 29 53 d1 15 00 6b 7e 45 ee 4f d3 31 8a 9d   .u)S...k~E.O.1..
0x02000050  35 32 26 b8 11 67 f1 2d 0e 38 d8 18 79 d2 0a fa   52&..g.-.8..y...
0x02000060  93 25 db 2a a9 71 df 88 56 72 b5 91 2e 46 58 4c   .%.*.q..Vr...FXL
0x02000070  d4 ec 3a e6 9a 87 63 c0 b7 ae 13 e3 a4 2c d9 9c   ..:...c......,..
0x02000080  ad 50 bc 8b 17 de 89 ff b6 fd bf ed 1c 96 b9 be   .P..............
0x02000090  5d ea 76 aa 73 94 08 65 23 30 12 5b cc 22 01 ac   ].v.s..e#0.[."..
0x020000a0  69 77 e2 a5 1b 4b bb 0c fc 37 03 c3 33 c6 3b 52   iw...K...7..3.;R
0x020000b0  6d 3e a0 ba 8c 4a ef fe 3c 57 51 21 85 16 e1 43   m>...J..<WQ!...C
0x020000c0  0d dd 47 f9 d7 f2 cd 78 c7 4d b3 bd cb 86 f4 c8   ..G....x.M......
0x020000d0  02 64 e4 ab 06 5a 92 54 19 04 36 dc 8e 41 f0 c4   .d...Z.T..6..A..
0x020000e0  1a 0b 59 af d5 e0 6a ca 07 99 eb c1 9b 97 27 7f   ..Y...j.......'.
0x020000f0  b1 6c e8 d6 ce 83 f8 5c 34 8d 2f 3d 1d 5e 60 f6   .l.....\4./=.^`.
0x02000100  00 00                                             ..
Credential RC4 key             : 
0x02000000  9e 40 37 d6 57 5c c2 ec 1f 31 98 3b a6 74 2b 50   .@7.W\...1.;.t+P
0x02000010  fc 4b 5a a7 10 69 32 c1 5f 1c 33 6f 36 45 c3 a3   .KZ..i2._.3o6E..
0x02000020  ff 19 cb f5 27 b2 b4 ac 47 d2 18 0f a0 c8 db e7   ....'...G.......
0x02000030  26 48 80 21 b6 d4 1a ae e1 87 76 52 5e 68 f2 c0   &H.!......vR^h..
0x02000040  3f ee aa 01 fd 20 2e 1b 43 b7 9f 6c 17 f9 df 0b   ?.......C..l....
0x02000050  8a 25 d1 fb b5 67 03 0d 3d b0 a2 46 54 79 d9 34   .%...g..=..FTy.4
0x02000060  a8 88 c7 07 2c 84 94 8c 4d f8 71 00 93 8d e3 5d   ....,...M.q....]
0x02000070  89 fe a1 23 9d 60 75 bb 41 1e 04 2d ba 83 91 de   ...#.`u.A..-....
0x02000080  ca a9 4e ab a4 73 8e 13 d5 72 da bf 7a f1 92 44   ..N..s...r..z..D
0x02000090  0c 02 29 82 9b 4a 1d 4f 99 53 06 cd 12 af 64 f4   ..)..J.O.S....d.
0x020000a0  f0 ef e8 b1 bd d0 9c dd e5 ad f7 0e 97 4c 3c 96   .............L<.
0x020000b0  8f 05 58 24 59 e0 be ed f3 a5 11 16 0a 5b 66 78   ..X$Y........[fx
0x020000c0  49 c5 08 39 bc 14 e2 ce 90 7b c6 95 62 d8 6a e9   I..9.....{..b.j.
0x020000d0  e6 b8 51 81 7f 6e fa cc d7 e4 c4 d3 ea eb 42 61   ..Q..n........Ba
0x020000e0  55 63 6d 85 56 2a 3a f6 b9 28 3e dc 65 7e b3 6b   Ucm.V*:..(>.e~.k
0x020000f0  15 30 86 77 7c 7d 70 09 22 c9 8b 2f 35 38 9a cf   .0.w|}p."../58..
0x02000100  00 00                                             ..
**************************************************
Process                        : ctfmon.exe
Pid                            : 1440
Address                        : 12058624
URL 0                          : http://tools.travestieurope.biz/amob/a1/cfg/config.php
Identifier                     : ADMIN-E21F5B160_7875768F3101841F
Mutant key                     : 159752132
XOR key                        : 1908723210
Registry                       : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Onybku
 Value 1                       : Ustel
 Value 2                       : Ceebutcyi
 Value 3                       : Lafel
Executable                     : Ikimu\yraf.exe
Data file                      : Uxvi\ybyg.hee
Config RC4 key                 : 
0x00b80000  39 84 42 5f 44 82 2b cf 66 7a 68 28 c9 e7 10 6e   9.B_D.+.fzh(...n
0x00b80010  9f 1e 20 74 62 90 70 98 6f a6 81 f5 0f a8 da 7b   ...tb.p.o......{
0x00b80020  c5 f3 09 b2 3f fb 9e e5 7d b4 a7 c2 4e a1 80 7c   ....?...}...N..|
0x00b80030  14 55 8f 48 a2 1f e9 24 f7 05 49 d0 40 b0 a3 61   .U.H...$..I.@..a
0x00b80040  95 75 29 53 d1 15 00 6b 7e 45 ee 4f d3 31 8a 9d   .u)S...k~E.O.1..
0x00b80050  35 32 26 b8 11 67 f1 2d 0e 38 d8 18 79 d2 0a fa   52&..g.-.8..y...
0x00b80060  93 25 db 2a a9 71 df 88 56 72 b5 91 2e 46 58 4c   .%.*.q..Vr...FXL
0x00b80070  d4 ec 3a e6 9a 87 63 c0 b7 ae 13 e3 a4 2c d9 9c   ..:...c......,..
0x00b80080  ad 50 bc 8b 17 de 89 ff b6 fd bf ed 1c 96 b9 be   .P..............
0x00b80090  5d ea 76 aa 73 94 08 65 23 30 12 5b cc 22 01 ac   ].v.s..e#0.[."..
0x00b800a0  69 77 e2 a5 1b 4b bb 0c fc 37 03 c3 33 c6 3b 52   iw...K...7..3.;R
0x00b800b0  6d 3e a0 ba 8c 4a ef fe 3c 57 51 21 85 16 e1 43   m>...J..<WQ!...C
0x00b800c0  0d dd 47 f9 d7 f2 cd 78 c7 4d b3 bd cb 86 f4 c8   ..G....x.M......
0x00b800d0  02 64 e4 ab 06 5a 92 54 19 04 36 dc 8e 41 f0 c4   .d...Z.T..6..A..
0x00b800e0  1a 0b 59 af d5 e0 6a ca 07 99 eb c1 9b 97 27 7f   ..Y...j.......'.
0x00b800f0  b1 6c e8 d6 ce 83 f8 5c 34 8d 2f 3d 1d 5e 60 f6   .l.....\4./=.^`.
0x00b80100  00 00                                             ..
Credential RC4 key             : 
0x00b80000  9e 40 37 d6 57 5c c2 ec 1f 31 98 3b a6 74 2b 50   .@7.W\...1.;.t+P
0x00b80010  fc 4b 5a a7 10 69 32 c1 5f 1c 33 6f 36 45 c3 a3   .KZ..i2._.3o6E..
0x00b80020  ff 19 cb f5 27 b2 b4 ac 47 d2 18 0f a0 c8 db e7   ....'...G.......
0x00b80030  26 48 80 21 b6 d4 1a ae e1 87 76 52 5e 68 f2 c0   &H.!......vR^h..
0x00b80040  3f ee aa 01 fd 20 2e 1b 43 b7 9f 6c 17 f9 df 0b   ?.......C..l....
0x00b80050  8a 25 d1 fb b5 67 03 0d 3d b0 a2 46 54 79 d9 34   .%...g..=..FTy.4
0x00b80060  a8 88 c7 07 2c 84 94 8c 4d f8 71 00 93 8d e3 5d   ....,...M.q....]
0x00b80070  89 fe a1 23 9d 60 75 bb 41 1e 04 2d ba 83 91 de   ...#.`u.A..-....
0x00b80080  ca a9 4e ab a4 73 8e 13 d5 72 da bf 7a f1 92 44   ..N..s...r..z..D
0x00b80090  0c 02 29 82 9b 4a 1d 4f 99 53 06 cd 12 af 64 f4   ..)..J.O.S....d.
0x00b800a0  f0 ef e8 b1 bd d0 9c dd e5 ad f7 0e 97 4c 3c 96   .............L<.
0x00b800b0  8f 05 58 24 59 e0 be ed f3 a5 11 16 0a 5b 66 78   ..X$Y........[fx
0x00b800c0  49 c5 08 39 bc 14 e2 ce 90 7b c6 95 62 d8 6a e9   I..9.....{..b.j.
0x00b800d0  e6 b8 51 81 7f 6e fa cc d7 e4 c4 d3 ea eb 42 61   ..Q..n........Ba
0x00b800e0  55 63 6d 85 56 2a 3a f6 b9 28 3e dc 65 7e b3 6b   Ucm.V*:..(>.e~.k
0x00b800f0  15 30 86 77 7c 7d 70 09 22 c9 8b 2f 35 38 9a cf   .0.w|}p."../58..
0x00b80100  00 00                                             ..
**************************************************
Process                        : wscntfy.exe
Pid                            : 1136
Address                        : 11730944
URL 0                          : http://tools.travestieurope.biz/amob/a1/cfg/config.php
Identifier                     : ADMIN-E21F5B160_7875768F3101841F
Mutant key                     : 159752132
XOR key                        : 1908723210
Registry                       : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Onybku
 Value 1                       : Ustel
 Value 2                       : Ceebutcyi
 Value 3                       : Lafel
Executable                     : Ikimu\yraf.exe
Data file                      : Uxvi\ybyg.hee
Config RC4 key                 : 
0x00b30000  39 84 42 5f 44 82 2b cf 66 7a 68 28 c9 e7 10 6e   9.B_D.+.fzh(...n
0x00b30010  9f 1e 20 74 62 90 70 98 6f a6 81 f5 0f a8 da 7b   ...tb.p.o......{
0x00b30020  c5 f3 09 b2 3f fb 9e e5 7d b4 a7 c2 4e a1 80 7c   ....?...}...N..|
0x00b30030  14 55 8f 48 a2 1f e9 24 f7 05 49 d0 40 b0 a3 61   .U.H...$..I.@..a
0x00b30040  95 75 29 53 d1 15 00 6b 7e 45 ee 4f d3 31 8a 9d   .u)S...k~E.O.1..
0x00b30050  35 32 26 b8 11 67 f1 2d 0e 38 d8 18 79 d2 0a fa   52&..g.-.8..y...
0x00b30060  93 25 db 2a a9 71 df 88 56 72 b5 91 2e 46 58 4c   .%.*.q..Vr...FXL
0x00b30070  d4 ec 3a e6 9a 87 63 c0 b7 ae 13 e3 a4 2c d9 9c   ..:...c......,..
0x00b30080  ad 50 bc 8b 17 de 89 ff b6 fd bf ed 1c 96 b9 be   .P..............
0x00b30090  5d ea 76 aa 73 94 08 65 23 30 12 5b cc 22 01 ac   ].v.s..e#0.[."..
0x00b300a0  69 77 e2 a5 1b 4b bb 0c fc 37 03 c3 33 c6 3b 52   iw...K...7..3.;R
0x00b300b0  6d 3e a0 ba 8c 4a ef fe 3c 57 51 21 85 16 e1 43   m>...J..<WQ!...C
0x00b300c0  0d dd 47 f9 d7 f2 cd 78 c7 4d b3 bd cb 86 f4 c8   ..G....x.M......
0x00b300d0  02 64 e4 ab 06 5a 92 54 19 04 36 dc 8e 41 f0 c4   .d...Z.T..6..A..
0x00b300e0  1a 0b 59 af d5 e0 6a ca 07 99 eb c1 9b 97 27 7f   ..Y...j.......'.
0x00b300f0  b1 6c e8 d6 ce 83 f8 5c 34 8d 2f 3d 1d 5e 60 f6   .l.....\4./=.^`.
0x00b30100  00 00                                             ..
Credential RC4 key             : 
0x00b30000  9e 40 37 d6 57 5c c2 ec 1f 31 98 3b a6 74 2b 50   .@7.W\...1.;.t+P
0x00b30010  fc 4b 5a a7 10 69 32 c1 5f 1c 33 6f 36 45 c3 a3   .KZ..i2._.3o6E..
0x00b30020  ff 19 cb f5 27 b2 b4 ac 47 d2 18 0f a0 c8 db e7   ....'...G.......
0x00b30030  26 48 80 21 b6 d4 1a ae e1 87 76 52 5e 68 f2 c0   &H.!......vR^h..
0x00b30040  3f ee aa 01 fd 20 2e 1b 43 b7 9f 6c 17 f9 df 0b   ?.......C..l....
0x00b30050  8a 25 d1 fb b5 67 03 0d 3d b0 a2 46 54 79 d9 34   .%...g..=..FTy.4
0x00b30060  a8 88 c7 07 2c 84 94 8c 4d f8 71 00 93 8d e3 5d   ....,...M.q....]
0x00b30070  89 fe a1 23 9d 60 75 bb 41 1e 04 2d ba 83 91 de   ...#.`u.A..-....
0x00b30080  ca a9 4e ab a4 73 8e 13 d5 72 da bf 7a f1 92 44   ..N..s...r..z..D
0x00b30090  0c 02 29 82 9b 4a 1d 4f 99 53 06 cd 12 af 64 f4   ..)..J.O.S....d.
0x00b300a0  f0 ef e8 b1 bd d0 9c dd e5 ad f7 0e 97 4c 3c 96   .............L<.
0x00b300b0  8f 05 58 24 59 e0 be ed f3 a5 11 16 0a 5b 66 78   ..X$Y........[fx
0x00b300c0  49 c5 08 39 bc 14 e2 ce 90 7b c6 95 62 d8 6a e9   I..9.....{..b.j.
0x00b300d0  e6 b8 51 81 7f 6e fa cc d7 e4 c4 d3 ea eb 42 61   ..Q..n........Ba
0x00b300e0  55 63 6d 85 56 2a 3a f6 b9 28 3e dc 65 7e b3 6b   Ucm.V*:..(>.e~.k
0x00b300f0  15 30 86 77 7c 7d 70 09 22 c9 8b 2f 35 38 9a cf   .0.w|}p."../58..
0x00b80100  00 00                                             ..
KANAL detected a base64 signature, probably for the config; I tried to decode it but failed with volatility, and found nothing manually (except a headache with process injections).

'Zeustadel' cnc:

Older versions were dropped via Blackhole:
hxxp://frestifaldance3.in/clearer/spot-channels-deletes-documenting.php?ozej=1j:1g:30:1m:1n&txxs=1i:1h:1f:1l:1m:33:2w:1g:2w:32&rrbwt=1i&zdy=nfajhd&pdaolcag=yiqjarz

https://www.virustotal.com/en/file/2bb0 ... 371538366/
https://www.virustotal.com/en/file/eca0 ... 371538368/
Attachments: infected (267.32 KiB), infected (460.62 KiB)
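The "Config RC4 key" block in the zeusscan2 output above is a dumped RC4 state rather than a raw key: 256 bytes of permutation followed by the two PRGA counters, which is why every block ends with a trailing `00 00` row. The script below is an added example (not Xylitol's code and not part of volatility): it parses such a hexdump, checks that the 256 bytes really form a permutation (a cheap sanity check that the scanner hit genuine key material and not random memory), and runs RC4 from a stored state so a captured config blob can be decrypted without ever knowing the original key string. The byte-chaining "visual" step is taken from the leaked Zeus 2.x source; whether this modded build keeps it, and the sample key and config text used for the round trip, are assumptions.

```python
"""Decode a zeusscan2 'RC4 key' hexdump and use it as an RC4 state.

Added example. Zeus 2.x stores its RC4 key material as the already-expanded
cipher state: a 256-byte permutation followed by the PRGA counters x and y,
258 bytes in total. The dump below is the 'Config RC4 key' of the explorer.exe
block from the post; the same bytes appear in all four injected processes.
"""
import re

CONFIG_KEY_DUMP = """\
0x02600000  39 84 42 5f 44 82 2b cf 66 7a 68 28 c9 e7 10 6e   9.B_D.+.fzh(...n
0x02600010  9f 1e 20 74 62 90 70 98 6f a6 81 f5 0f a8 da 7b   ...tb.p.o......{
0x02600020  c5 f3 09 b2 3f fb 9e e5 7d b4 a7 c2 4e a1 80 7c   ....?...}...N..|
0x02600030  14 55 8f 48 a2 1f e9 24 f7 05 49 d0 40 b0 a3 61   .U.H...$..I.@..a
0x02600040  95 75 29 53 d1 15 00 6b 7e 45 ee 4f d3 31 8a 9d   .u)S...k~E.O.1..
0x02600050  35 32 26 b8 11 67 f1 2d 0e 38 d8 18 79 d2 0a fa   52&..g.-.8..y...
0x02600060  93 25 db 2a a9 71 df 88 56 72 b5 91 2e 46 58 4c   .%.*.q..Vr...FXL
0x02600070  d4 ec 3a e6 9a 87 63 c0 b7 ae 13 e3 a4 2c d9 9c   ..:...c......,..
0x02600080  ad 50 bc 8b 17 de 89 ff b6 fd bf ed 1c 96 b9 be   .P..............
0x02600090  5d ea 76 aa 73 94 08 65 23 30 12 5b cc 22 01 ac   ].v.s..e#0.[."..
0x026000a0  69 77 e2 a5 1b 4b bb 0c fc 37 03 c3 33 c6 3b 52   iw...K...7..3.;R
0x026000b0  6d 3e a0 ba 8c 4a ef fe 3c 57 51 21 85 16 e1 43   m>...J..<WQ!...C
0x026000c0  0d dd 47 f9 d7 f2 cd 78 c7 4d b3 bd cb 86 f4 c8   ..G....x.M......
0x026000d0  02 64 e4 ab 06 5a 92 54 19 04 36 dc 8e 41 f0 c4   .d...Z.T..6..A..
0x026000e0  1a 0b 59 af d5 e0 6a ca 07 99 eb c1 9b 97 27 7f   ..Y...j.......'.
0x026000f0  b1 6c e8 d6 ce 83 f8 5c 34 8d 2f 3d 1d 5e 60 f6   .l.....\\4./=.^`.
0x02600100  00 00                                             ..
"""

# Address, then the hex pairs separated by single spaces; the ASCII column is
# set off by several spaces, so the single-space pattern cannot run into it.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})")


def parse_hexdump(dump: str) -> bytes:
    """Return the raw bytes of a zeusscan2-style hexdump, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def split_rc4key(blob: bytes):
    """Split a 258-byte Zeus RC4KEY blob into (state, x, y)."""
    if len(blob) != 258:
        raise ValueError(f"expected 258 bytes (256 state + x + y), got {len(blob)}")
    return list(blob[:256]), blob[256], blob[257]


def is_permutation(state) -> bool:
    """A genuine RC4 state holds every byte value exactly once."""
    return len(state) == 256 and sorted(state) == list(range(256))


def rc4_ksa(key: bytes):
    """Standard RC4 key schedule: expand a raw key into the 256-byte state."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt_with_state(state, x: int, y: int, data: bytes) -> bytes:
    """RC4 PRGA starting from a stored state and counters; symmetric, so it decrypts too."""
    s = list(state)  # work on a copy so the dumped state is reusable
    out = bytearray()
    for b in data:
        x = (x + 1) & 0xFF
        y = (y + s[x]) & 0xFF
        s[x], s[y] = s[y], s[x]
        out.append(b ^ s[(s[x] + s[y]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """Byte chaining applied before RC4 in the leaked Zeus 2.x source (assumption for this build)."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse of visual_encrypt; runs backwards so each previous byte is still chained."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def roundtrip_demo() -> bool:
    """Encrypt a constructed config the Zeus way, then recover it from the stored state only."""
    state = rc4_ksa(b"constructed-sample-key")  # constructed key, not from the post
    sample_config = b"[WEBFILTERS]\r\n!*.microsoft.com/*\r\n!http://*\r\n"  # constructed
    blob = rc4_crypt_with_state(state, 0, 0, visual_encrypt(sample_config))
    recovered = visual_decrypt(rc4_crypt_with_state(state, 0, 0, blob))
    return recovered == sample_config


if __name__ == "__main__":
    state, x, y = split_rc4key(parse_hexdump(CONFIG_KEY_DUMP))
    print("state is a valid permutation:", is_permutation(state), "x/y:", x, y)
    print("round trip with a constructed key:", roundtrip_demo())
```

Feed `rc4_crypt_with_state` the parsed state plus the dumped counters and a config blob captured from the gate traffic to decrypt it; if `is_permutation` fails on a scanner hit, treat that process match as a false positive before spending time on it.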