Win32/Zeus (alias Zbot) - Page 15

Re: Trojan Zeus (alias ZBot)

#17032 by EX!
Wed Dec 05, 2012 2:33 pm

#Zbot

SHA256: ff6949caabf682b6f38df69613dad4f195e2b7c5dfe689f7f7dc9961b84b7067
SHA1: 45b80e5b19fca1a971b66d3a8fa421ffa1312ddc
MD5: 7ee9fb68bb80d25148a2e1543e62cd9f
Tamaño: 305.0 KB ( 312320 bytes )
Nombre: dhxs.exe
Tipo: Win32 EXE
Etiquetas: peexe
Detecciones: 7 / 46

:mrgreen:

Attachments

dhxs-exe.zip

password = infected
(296.11 KiB) Downloaded 74 times

Username

EX!

Posts

35

Joined

Wed Jun 29, 2011 8:24 pm

Contact

Unknown Banking trojan

#17037 by AaLl86
Wed Dec 05, 2012 6:26 pm

Hi All Kernelmode folks!!

I found this sample from a PC here in Italy. I've just scanned it with some AVs but none of them reveals what is it.
I've started to disassemble it, I found no especially interesting features... A lot of ntdll, wininet, wsock4 functions hooked and a pair of encryption layers + 1 watchdog thread. It install itself in the classic HKLM\Microsoft\Windows\CurrentVersion\Run key.
Unfortunally I don't have much spare time to deeply analyze it.
I report here a picture representing hooked procedures....

Hooked API picture
HookedAPI.jpg (183.09 KiB) Viewed 489 times

I hope that this could be interesting... I apologize if this trojan could be already present in KM database.... I searched and doesn't find anything similar...
Regards,
Andrea

Attachments

FAX_Sample.rar

Dropper
(507.69 KiB) Downloaded 79 times

Username

AaLl86

Posts

50

Joined

Sat Mar 20, 2010 4:21 pm

Location

Italy

Contact

Re: Unknown Banking trojan

#17038 by Buster_BSA
Wed Dec 05, 2012 7:00 pm

Seems like if it has FTP stealer funtionality.

Username

Buster_BSA

Posts

390

Joined

Mon Mar 22, 2010 6:42 am

Re: Unknown Banking trojan

#17039 by markusg
Wed Dec 05, 2012 7:23 pm

Zeus gameover i think, sends data to /Pony
89.166.50.40
Comes often via spam,

And is often active in italy

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Unknown Banking trojan

#17040 by Buster_BSA
Wed Dec 05, 2012 8:00 pm

http://www.symantec.com/connect/blogs/b ... euszbot-20

None of the attached files seem to be the dropper. I was unable to get any of the files registering itself at AutoStart registry key (HKLM\Microsoft\Windows\CurrentVersion\Run).

Username

Buster_BSA

Posts

390

Joined

Mon Mar 22, 2010 6:42 am

Re: Unknown Banking trojan

#17049 by AaLl86
Thu Dec 06, 2012 10:39 am

Buster_BSA wrote:http://www.symantec.com/connect/blogs/b ... euszbot-20

None of the attached files seem to be the dropper. I was unable to get any of the files registering itself at AutoStart registry key (HKLM\Microsoft\Windows\CurrentVersion\Run).

Hi Buster_BSA!
I personally used "FAX_281290192982.pdf.exe" file and it infected my Windows Xp Sp3 machine.... You have just to rename it. For me it worked.... Btw thanks for signalization....

Andrea

Username

AaLl86

Posts

50

Joined

Sat Mar 20, 2010 4:21 pm

Location

Italy

Contact

Re: Unknown Banking trojan

#17051 by markusg
Thu Dec 06, 2012 1:49 pm

Yes this fax... exe works.
this is why i think the malware comes from an spam campagne, because i see such in some spams

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Trojan Zeus (alias ZBot)

#17155 by Waves97
Thu Dec 13, 2012 2:09 pm

New sample with digital signature
https://www.virustotal.com/file/fd374bd ... 355407434/

Attachments

ZBOT.7z

Pass: infected
(282.08 KiB) Downloaded 83 times

Username

Waves97

Posts

33

Joined

Sat Jun 02, 2012 4:41 pm

Location

Poland

Re: Trojan Zeus (alias ZBot)

#17156 by Waves97
Thu Dec 13, 2012 2:25 pm

Next 3 samples ;)

Attachments

Zbots x3.7z

pass: infected
(1.29 MiB) Downloaded 108 times

Username

Waves97

Posts

33

Joined

Sat Jun 02, 2012 4:41 pm

Location

Poland

Re: Trojan Zeus (alias ZBot)

#17157 by SmilingWolf
Thu Dec 13, 2012 6:36 pm

Ice IX 1.2.5 - 1.2.6 Builders Unpacked + settings and injects

Attachments

Ice IX 1.2.5 - 1.2.6 Builders Unpacked.7z

pass: infected
(130.34 KiB) Downloaded 95 times

Username

SmilingWolf

Posts

5

Joined

Wed Jul 25, 2012 8:29 am