 #9735  by pigindrin
 Thu Nov 17, 2011 6:12 pm
Hello, I tried to decrypt a sample of ZeuS but I couldn't. Could you? If so, can you help me decrypt the file I attached? It is a sample of ZeuS.

Thanks!
Attachments
pass: infected
 #9775  by Evilcry
 Sun Nov 20, 2011 10:57 am
This tool does not work for all ZeuS situations; the best approaches to achieve rapid results are:

-> Debugging, like this: traversecode.com/2009/12/31/decrypting-the-zeus-config-file/ (reach it via Google web cache)
-> Process memory dump: simulate infection, run Firefox and dump its process memory (does not always work)
-> Via Volatility; tutorial and plugins here: http://mnin.blogspot.com/2011/09/abstra ... -zeus.html