A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22216  by patriq
 Fri Feb 14, 2014 2:19 pm
g0r_ wrote:
hxxp://taking.no-ip.biz/ogenew/server/ has a binary that might be related.
Thanks.

If you see something like that always grab a copy, it won't be online forever. Shouldn't assume others have it.

I just tried to look. Seems offline.

Was it this?

main_doc.zip > main_doc.exe
FUD.
https://malwr.com/analysis/ODcwY2FlYmZi ... RjNjlhNmU/

http://4.bp.blogspot.com/-2tkHIwUvvws/U ... ng_bin.png
 #22276  by patriq
 Sat Feb 22, 2014 3:18 pm
Attached:
8604424548a097efaf3c95dc920a3ab4
9f6795012bd8016efefca7a0b9fdb8db
36a8b8f51f1316dcbf5c66147d149dfc
96a8cb79bb8949d1d93ee706727f7fa4
2fdb148e33d21407f6a574277471d3d8
625e8b7a96cb8a1f7f59b345a3eb80d7
98bcbfff632cb5e2024494a08712e864

Taken from a Citadel server, more details here:
http://protectyournet.blogspot.com/2014 ... twork.html
Attachments
infected
(1.58 MiB) Downloaded 92 times
 #22393  by Xylitol
 Sun Mar 09, 2014 5:12 pm
Citadel 3.1.0.0
https://www.virustotal.com/en/file/1927 ... 394385821/
Code: Select all
95186D43B4DC5BD78840D7488E315072
http://writermusicce.com/foh/file.php|file=fok.exe
http://writermusicce.com/foh/hfer.php
http://consistingsec.net/sted/file.php
--
http://heastfootnote.com/foh/file.php|file=sokr.moj
http://spottingculde.net/foh/file.php|file=sokr.moj
http://itivelyfuture.com/foh/file.php|file=sokr.moj
http://opportunitiess.su/foh/file.php|file=sokr.moj
http://raphclickable.com/foh/file.php|file=sokr.moj
http://icallyaligned.com/foh/file.php|file=sokr.moj
http://workplaceinani.su/foh/file.php|file=sokr.moj
http://pinchtozoomgr.com/foh/file.php|file=sokr.moj
http://anxpersonaliz.com/foh/file.php|file=sokr.moj
http://measuredtrick.com/foh/file.php|file=sokr.moj
http://distributeweb.com/foh/file.php|file=sokr.moj
http://unstandardclo.net/foh/file.php|file=sokr.moj
http://minivannoteta.com/foh/file.php|file=sokr.moj
Attachments
infected
(280.54 KiB) Downloaded 69 times
 #22406  by sagysrael
 Mon Mar 10, 2014 11:56 am
I am trying to learn about zeus & spyeye...

Do you know how to decrypt the attached citadel 3.1.0.0 configuration?
Or even better, do you happen to have the decrypted version?

Thanks...
 #22424  by EP_X0FF
 Tue Mar 11, 2014 12:32 am
Thread first post updated.
 #22426  by sagysrael
 Tue Mar 11, 2014 9:22 am
Thanks Xylitol!

The configuration you attached has 49 injection parts,
but i don't see the URLs matching the injections.

I believe in Zeus, the URL list is usually at the bottom of the encrypted configuration (i.e. not part of the injections)
could be the decryptor missed the URLs section?

do you know how can I tell the URL of each injection?

Thanks again!
  • 1
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20