A forum for reverse engineering, OS internals and malware analysis 

 #22741  by Xylitol
 Sun Apr 27, 2014 10:34 am
+2 samples

https://zeustracker.abuse.ch/monitor.ph ... rience.com
https://www.virustotal.com/en/file/461b ... 398594687/
found some keys but none of them worked on the config
Code:
32 67 68 D1 43 AE ED A0 65 A4 E6 28 09 EE A1 7A 3F C4 FA 95 2C 3B 39 F0 57 6B 0F 93 63 11 22 87 D5 72 14 BF FD 10 08 AF 1C F1 25 B1 88 3A 50 79 0D 8B 4B 1E 66 2D 71 85 9B 53 BE 5F D4 15 40 52 76 61 44 D3 0B E9 C9 7C 4F AB B5 27 EC 69 90 23 C7 4A FE 8C 12 75 FF 97 80 6F FB 58 A2 A8 74 70 05 C0 46 51 E7 33 9A 17 00 19 F6 BC B4 4D D6 81 CF 34 29 86 5B 2B 01 CE 4C E0 1F EF 98 64 CA A5 F8 E3 3D 7D 16 AC 54 31 F7 3E FC 59 AD 55 42 94 CD 92 73 7F 99 41 8D 0A 13 B2 9D 0E 02 DC 9C 78 F3 1B E2 B9 8E A6 5E 6A DE A3 56 D7 47 F5 37 CB 03 07 B3 C2 CC D8 36 2E B7 3C 38 1A 5C 84 E8 A7 A9 BA D9 DB C3 DF 6D DD 9E 60 F2 45 F4 06 7E DA EB E4 62 D0 C5 4E 48 BD D2 2A 5D B6 6E 21 EA 83 04 8A 24 C1 E5 18 8F 0C 77 C8 2F F9 BB C6 7B 20 82 E1 AA 26 9F 96 30 1D B0 B8 89 6C 49 5A 35 91
----------------
32 17 DA F3 C1 92 CA 22 7D AF EE 2D 40 FD DF 52 ED C4 FA 95 2C 3B 39 F0 57 6B 0F 93 63 11 A0 87 D5 72 14 BF E6 10 08 A4 1C F1 25 B1 88 3A 50 79 0D 8B 4B 1E 66 28 71 85 9B 53 BE 5F D4 15 09 7A 76 61 44 D3 0B E9 C9 7C 4F AB B5 27 EC 69 90 23 C7 4A FE 8C 12 75 FF 97 80 6F FB 58 A2 A8 74 70 05 C0 46 51 E7 33 9A 67 00 19 F6 BC B4 4D D6 81 CF 34 29 86 5B 2B 01 CE 4C E0 1F EF 98 64 3F A5 F8 E3 3D 65 16 AC 54 31 F7 3E FC 59 AD 55 42 94 CD AE 73 7F 99 41 8D 0A 13 B2 9D 0E 02 DC 9C 78 D1 1B E2 B9 8E A6 5E 6A DE A3 56 D7 47 F5 37 CB 03 07 B3 C2 CC D8 36 2E B7 3C 38 1A 5C 84 E8 A7 A9 BA D9 DB C3 A1 6D DD 9E 60 F2 45 F4 06 7E 68 EB E4 62 D0 C5 4E 48 BD D2 2A 5D B6 6E 21 EA 83 04 8A 24 43 E5 18 8F 0C 77 C8 2F F9 BB C6 7B 20 82 E1 AA 26 9F 96 30 1D B0 B8 89 6C 49 5A 35 91
----------------
91 F2 04 96 1A 4B BB 35 F5 64 20 4F 14 D2 0A 3B 0C 5D CC 1F 32 E4 A4 73 AF 4D 75 5A CB 59 67 CF 7B CD 81 8A 27 B8 C3 4C 2D 48 4E C5 D0 62 2F EB DA 7E 06 F4 45 B0 60 9E DD 6D DF 2A DB D9 BA A9 A7 E8 84 5C 6C 38 3C B7 2E 36 D8 C6 C2 B3 07 03 C1 37 1D 47 D7 56 A3 DE 6A 5E A6 8E B9 E2 1B F3 78 9C DC 02 0E 9D B2 13 E1 8D 41 99 7F 77 92 EA 94 42 55 AD 24 FC 3E F7 31 54 AC 16 7D 3D E3 F8 A5 CA 30 98 EF 83 E0 AA CE 01 2B 5B 86 29 34 E5 21 D6 8F B4 BC F6 19 00 17 9A 33 E7 51 46 C0 05 70 74 A8 A2 58 FB 6F 80 97 FF 18 12 8C FE 4A C7 23 90 69 EC B6 B5 AB 9F 7C C9 E9 0B D3 44 61 76 52 40 15 D4 5F BE 53 9B 85 71 BD 66 1E 89 8B 0D 79 50 3A 88 B1 25 F1 1C 49 08 10 FD BF 26 72 D5 87 22 11 63 93 0F 6B 57 F0 39 82 2C 95 FA C4 3F 7A A1 EE 09 28 E6 C8 65 A0 ED AE 43 D1 68 6E F9
----------------
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
----------------
22 35 DD 38 7B 1A 50 9F CF 04 C1 93 49 6F 3D 3E E2 ED 98 3C 05 25 59 F5 3F AB 0F 06 32 26 B8 FF 66 7E 64 03 0C 2B D3 37 9A 09 DF F2 44 11 A8 5D DA CE 55 F9 21 E9 A2 00 90 69 75 01 E7 31 6A EF 4A E1 4E 45 46 E5 13 AC 2D 36 83 6E F6 D4 C9 92 4F 15 E8 BF AF 7F B5 40 6D AA 43 7A C4 73 70 A9 B6 5B EC 8A 08 B4 6B 4C 42 BB 2E A3 2F B3 1B E0 AE 19 81 72 E4 D8 A5 AD 82 18 D9 12 24 D6 1D 9D 5C 7D D0 BD 68 D2 A7 9B 3B DB A1 E3 76 2C B9 A6 17 96 CB 5A 97 95 A4 CD BA 94 4D 1C FC FB A0 F3 DC 20 56 0E 0A 39 D1 B2 48 30 7C 4B 74 9E 0D 86 F8 61 C2 91 8E 3A 58 79 EB 5E 6C 67 89 62 14 1E C6 B1 77 E6 88 29 B7 5F B0 80 2A 16 DE C7 EA C8 78 D7 C3 41 65 D5 BC 33 71 27 8C F4 07 FD FA F0 28 1F 23 9C 54 57 52 8D C5 84 C0 FE 34 CC 8F F7 BE 51 0B 85 F1 CA 99 53 8B 02 63 10 47 EE 87 60
Same problem on another sample: https://www.virustotal.com/en/file/d13a ... 398595055/
Code:
4F 7A B5 2D 07 1F 2F 1E 38 D7 3F 03 93 CA 21 84 DB 54 35 D0 2A C5 D5 4C B3 0D 32 7D A7 2E 71 EF 94 25 44 BD 95 63 DE 40 E9 AD 66 6D E7 5E 2B 83 1B 02 69 76 7C 77 E8 9A 0C 28 88 CF 5C 5D 61 64 4B BC 53 A8 33 AE 90 B1 B4 86 D1 91 D4 1C C4 2C E4 A3 A4 92 E0 E2 0B 89 1A CB 37 62 34 06 15 27 16 6B BE 49 EA 31 6C 79 D8 41 81 9B A9 09 50 C3 4D D2 22 65 7B 45 AF 78 0F F0 87 5A 9D 29 3D D6 52 CE D9 6F A2 96 30 14 10 80 46 51 C0 F6 B6 E1 75 17 DA 59 A0 11 9F FB CD A1 AA 48 3B B7 39 E5 B0 DF 56 7F 70 FC B8 BA 9C 13 E6 E3 EB 73 F8 68 F9 4E 0A C1 8E 58 67 47 B9 BB 3A 20 98 04 B2 F2 C8 DD 3C 8F 60 82 00 5B 7E D3 36 19 8D 99 F3 FE ED 8B 43 EC 57 24 26 8C BF C9 12 0E CC EE 05 FD 23 42 74 AC 5F C7 8A F7 DC AB 9E 6A 3E FF A5 C6 1D F1 F5 08 55 F4 C2 6E 97 72 FA 18 A6 4A 85 01
----------------
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
----------------
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
looks like the encryption method changed :|
Attachments: infected (439.34 KiB); infected (222.48 KiB)
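The 256-entry hex tables in the post above are exactly the size of an RC4 state array (the S permutation left behind by the key-scheduling algorithm), not of an RC4 key. If that is what they are (an assumption, not something the post confirms), they have to be fed straight into the output stage (PRGA) rather than through a key setup. The block below is an added example written for this thread, not code from any poster or from the samples: it implements the standard KSA and PRGA, checks that a table is a valid 256-byte permutation before using it, and can run the PRGA from a posted table parsed by `parse_hex_table`. The starting values of the i and j indices are the RC4 defaults (0, 0); a sample that saved its state mid-stream would need the saved indices as well.

```python
"""RC4 keystream generation from a 256-byte state table.

Added example for this thread; not code from the thread or from the
samples.  Assumptions: the posted tables are RC4 S arrays, and the PRGA
starts with i = j = 0 (the RC4 default).
"""


def ksa(key: bytes) -> list:
    """Standard RC4 key-scheduling algorithm: key -> 256-byte permutation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def is_permutation(table) -> bool:
    """True only for a 256-entry table containing every value 0..255 once.
    A dumped RC4 state must pass this; a raw key or garbage will not."""
    return len(table) == 256 and sorted(table) == list(range(256))


def prga(state, n: int, i: int = 0, j: int = 0) -> bytes:
    """Generate n keystream bytes from an existing S array.
    The table is copied so the caller's state is left untouched."""
    if not is_permutation(state):
        raise ValueError("state is not a 256-byte permutation")
    S = list(state)
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt_with_state(state, data: bytes) -> bytes:
    """XOR data with the keystream derived from a state table.
    RC4 is symmetric, so the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, prga(state, len(data))))


def parse_hex_table(text: str) -> list:
    """Parse a space-separated hex dump like the ones posted above."""
    return [int(tok, 16) for tok in text.split()]


if __name__ == "__main__":
    # Constructed demo: derive a state with the KSA, then dump it as hex and
    # show that the dumped table alone reproduces the keystream.
    state = ksa(b"Key")
    dumped = " ".join("%02X" % b for b in state)
    ct = rc4_crypt_with_state(parse_hex_table(dumped), b"Plaintext")
    print("permutation:", is_permutation(state))
    print("ciphertext :", ct.hex())
    print("recovered  :", rc4_crypt_with_state(state, ct))
```

To try this on one of the posted tables, paste the hex line into `parse_hex_table`; if `is_permutation` returns False the table is not a complete S array and `prga` will refuse it, which is the quickest way to tell a dumped state from a key or a partial dump.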
 #22742  by Xylitol
 Sun Apr 27, 2014 4:40 pm
v1.0.0.2 found on my cuckoo.
https://www.virustotal.com/en/file/6798 ... 398616893/
Code:
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
Attachments: infected (330.78 KiB)
 #22750  by comak
 Mon Apr 28, 2014 1:52 pm
Thanks for the samples Xylitol,

from the baseconfig of the samples I got:
993e400bc0d8f1df346f80a11e91826e.bin
Code:
Botnet: oly
Botnet RC4: 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
URLs: ['http://maildingo.net/update/sdtg.jpg', 'http://diggermoutx.su/notes/mod_vnc.bin']
FakeUrl: http://mivmuufhg.com/cfg.bin
OtherEncStrings: []
OtherStrigns: []
06207738eba712130ba911f78fc773ae:
Code:
Botnet:
Botnet RC4: 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
URLs: ['http://analiticwebexperience.com/forum/header1.jpg']
FakeUrl: http://dhomzzalbt.com/cfg.bin
OtherEncStrings: ['_RoL4/']

I'm still working on getting the full config. There are some changes: it seems there is no backup pseudo-DGA, and the function used to decode the baseconfig is inlined.
 #22752  by comak
 Mon Apr 28, 2014 5:14 pm
OK, mystery solved: they switched to RC6 (big thx to @pnX for the help).

sboxes:
993e400bc0d8f1df346f80a11e91826e
Code:
640ae9cd455320a1c33f0690d4fcac0a8aa0350b7752e08221a0236e3f4294357cf30e98295adfc865399ee28a4ff3a87087650d69135414eba7a67f10fda0f83d044fe7273b652f33a4fa27792fe2ce33e17a47739be5d09a22b3df0cee498f6d4ac7401b736bcece5d4d55cfbba48d0e874c251908d70c20ec310f92915f2d7ea5744d8361904c3e0e00d9ea48e26adbc99ca43009224ca15b8ef40083d838775cd1628d3047f4a61a0532815e2151
06207738eba712130ba911f78fc773ae:
Code:
bd34d6aac9eb1e9ec7d7f54a715c39b153ceafd9f7bbcfb2ab1f221ec0cd25f7d6435862f3e7c6ab87a02ecb66478e91c150d2dd85ed8fe342a0b9a70b0d6e9717d37b2efd6a7eee97b63ede5b147348b7199ee8d079f3c18c9539771bbdf0f82244cc6b447f59d2fe881b50ec97b931a797dc64b08372f16263f4cd7ea8b4ac4b0df7c4b8ec8bed7910c714c46ef8907d6b6581c7ea13c94fc5b31587f57ef7421686e6a4a720b8934ab4d240d63001
And they added some zeroes to the random junk in front of the basestruct.
Attachments: infected (6.35 KiB)
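The two "sbox" strings posted above are 352 hex characters each, i.e. 176 bytes, which is exactly the size of the 2r+4 = 44 round-key words that RC6-32/20 produces from a user key. So what was dumped is most likely the expanded key schedule rather than the key itself, which means decryption can start from the schedule directly. The block below is an added example written for this thread, not ZeusVM's code or any poster's: it implements RC6-32/20/16 as in the Rivest, Robshaw, Sidney and Yin specification (key expansion, block encryption and decryption), plus a loader that turns a posted 176-byte schedule into the 44 words. Reading those words little-endian, and using plain ECB over 16-byte blocks, are assumptions; the samples may differ in word order, mode, or in how the data before the basestruct is laid out, and the standard test vectors are the only thing this code is verified against.

```python
"""RC6-32/20/16 as specified by Rivest, Robshaw, Sidney and Yin.

Added example for this thread; not code from ZeusVM or from any poster.
Assumptions: a posted 176-byte "sbox" is the 44-word round-key array S,
stored as little-endian 32-bit words; block mode is ECB.
"""
import struct

R = 20                       # rounds; 2*R + 4 = 44 round keys = 176 bytes
P32, Q32 = 0xB7E15163, 0x9E3779B9
MASK = 0xFFFFFFFF
LG_W = 5                     # log2 of the 32-bit word size


def rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK


def expand_key(key: bytes) -> list:
    """RC6 key schedule: user key (1..255 bytes) -> 2R+4 round-key words."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):        # load key bytes little-endian
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    t = 2 * R + 4
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def encrypt_block(S, block: bytes) -> bytes:
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for i in range(1, R + 1):
        t = rotl((B * (2 * B + 1)) & MASK, LG_W)
        u = rotl((D * (2 * D + 1)) & MASK, LG_W)
        A = (rotl(A ^ t, u) + S[2 * i]) & MASK
        C = (rotl(C ^ u, t) + S[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * R + 2]) & MASK
    C = (C + S[2 * R + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


def decrypt_block(S, block: bytes) -> bytes:
    A, B, C, D = struct.unpack("<4I", block)
    C = (C - S[2 * R + 3]) & MASK
    A = (A - S[2 * R + 2]) & MASK
    for i in range(R, 0, -1):
        A, B, C, D = D, A, B, C
        u = rotl((D * (2 * D + 1)) & MASK, LG_W)
        t = rotl((B * (2 * B + 1)) & MASK, LG_W)
        C = rotr((C - S[2 * i + 1]) & MASK, t) ^ u
        A = rotr((A - S[2 * i]) & MASK, u) ^ t
    D = (D - S[1]) & MASK
    B = (B - S[0]) & MASK
    return struct.pack("<4I", A, B, C, D)


def schedule_from_hex(hexstr: str) -> list:
    """Load a dumped 176-byte schedule as 44 little-endian words (assumed order)."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 4 * (2 * R + 4):
        raise ValueError("expected %d bytes, got %d" % (4 * (2 * R + 4), len(raw)))
    return list(struct.unpack("<%dI" % (2 * R + 4), raw))


def decrypt_ecb(S, data: bytes) -> bytes:
    """Decrypt whole 16-byte blocks in ECB (mode is an assumption)."""
    if len(data) % 16:
        raise ValueError("ciphertext length is not a multiple of 16")
    return b"".join(decrypt_block(S, data[i:i + 16]) for i in range(0, len(data), 16))


# Schedule posted above for 993e400bc0d8f1df346f80a11e91826e (from this thread).
SBOX_993E = ("640ae9cd455320a1c33f0690d4fcac0a" "8aa0350b7752e08221a0236e3f429435"
             "7cf30e98295adfc865399ee28a4ff3a8" "7087650d69135414eba7a67f10fda0f8"
             "3d044fe7273b652f33a4fa27792fe2ce" "33e17a47739be5d09a22b3df0cee498f"
             "6d4ac7401b736bcece5d4d55cfbba48d" "0e874c251908d70c20ec310f92915f2d"
             "7ea5744d8361904c3e0e00d9ea48e26a" "dbc99ca43009224ca15b8ef40083d838"
             "775cd1628d3047f4a61a0532815e2151")

if __name__ == "__main__":
    # RC6 specification test vector 1: all-zero key and plaintext.
    print(encrypt_block(expand_key(bytes(16)), bytes(16)).hex())
    S = schedule_from_hex(SBOX_993E)
    print("posted schedule words:", len(S))
    # Constructed round trip through the posted schedule (ECB, two blocks).
    ct = encrypt_block(S, b"A" * 16) + encrypt_block(S, b"B" * 16)
    print(decrypt_ecb(S, ct))
```

The first print should show the specification's ciphertext for the all-zero vector, which is the check that the cipher itself is right before any extracted schedule is trusted; if an extracted config blob does not decrypt to something sensible with `decrypt_ecb`, the things to vary are the word order in `schedule_from_hex`, the block mode, and the amount of junk skipped before the data, not the cipher core.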
 #22758  by Xylitol
 Tue Apr 29, 2014 2:43 pm
Nice !
Unfortunately I can't look at the new samples right now; my motherboard died yesterday and I'm waiting to receive new hardware :(
I'm using my Raspberry Pi for the moment.
+2 v1.0.0.2 samples attached.

https://zeustracker.abuse.ch/monitor.ph ... ponitan.pw
https://www.virustotal.com/en/file/b236 ... 398782289/
Code:
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
https://zeustracker.abuse.ch/monitor.ph ... aininfo.ru
https://www.virustotal.com/en/file/8159 ... 398782272/
Code:
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
Attachments: infected (641.92 KiB)
 #22909  by Xylitol
 Sun May 18, 2014 3:54 pm
Got my new hardware.. :)
https://zeustracker.abuse.ch/monitor.ph ... essetin.su
https://zeustracker.abuse.ch/monitor.ph ... ltingeg.su
http://vxvault.siri-urz.net/ViriFiche.php?ID=26491
Code:
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
Attachments: infected (314.42 KiB)
 #22923  by Xylitol
 Mon May 19, 2014 12:46 pm
Call yandex instead of google, can't decode it.
Original file from Kafeine (e0d6b40254fd9ec8215ac9e63d3032b3); the attached version is what I pulled from the server.
Code:
https://bloggershop.co.vu/idcon/banner.jpg
https://bloggershop.co.vu/idcon/driver/load.exe
https://bloggershop.co.vu/idcon/static.php
https://housekeeping.co.vu/idcon/menu.jpg
https://www.virustotal.com/en/file/8584 ... 400503236/ >> 2/53
http://vxvault.siri-urz.net/ViriFiche.php?ID=26509
edit: ZeuS Track-isized ~ https://zeustracker.abuse.ch/monitor.ph ... shop.co.vu
Also ClamAV added a detection for configs: Win.Trojan.ZeusVM
Attachments: infected (239.31 KiB)
 #22924  by comak
 Mon May 19, 2014 2:08 pm
heh just got info about it;]

vmzeu with rc6:

Sample: 98fc97487c4c7fd8ce5e5f1d501a1288
Version: 01.00.01.00
Botnet:
Botnet RC4: 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
Botnet RC6: dea8fa69e808cb8cd0a3fbbae235e38de9092d6bba51ea2ff16a79977956923b02839229cb1acb0aeaf0969eee22c61735c08c7366efcebac2f21e32a5e11f57aa32e478165b4b04af6b376717786908c1035854ac41e19745a184ead40c9695098c1160c23aa130c56a663398a444372c1b9a31d5d94ec186bf6258ec5627efa0e19dc3b18afa549419eb4d27c7f2db36094b203be62bd27389e356395319063ae85a170495339103eb1528408cf1cf
URLs: ['https://bloggershop.co.vu/frontnode-f83 ... e_play.jpg']
FakeUrl: http://wlgzhddnqg.com/cfg.bin
OtherEncStrings: []
OtherStrigns: []
Attachments: (15.65 KiB)
 #22935  by Xylitol
 Tue May 20, 2014 2:29 pm
Another ZeusVM rc6
https://www.virustotal.com/en/file/444c ... 400582547/ >> 2/53
repack: https://www.virustotal.com/en/file/9dd1 ... 400613332/ >> 7/49
repack: https://www.virustotal.com/en/file/838e ... 400660690/ >> 12/52
http://vxvault.siri-urz.net/ViriFiche.php?ID=26516
https://zeustracker.abuse.ch/monitor.ph ... keynet.com
Code:
http://ovjjy.com/fnsmh/cfg.bin
https://ecrowkeynet.com/lc/df1w.jpg
https://ecrowkeynet.com/lc/md64.php
Same actor as http://www.kernelmode.info/forum/viewto ... 205#p22449


And an older one, still belonging to the same actor:
https://zeustracker.abuse.ch/monitor.ph ... ty2073.net
Code:
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
Code:
user_execute http://groupleaf.com/cr_sp.exe
user_execute http://guber56.co.uk/dll2/712887.exe
user_execute http://guber56.co.uk/dll2/apt2.exe
user_execute http://guber56.co.uk/pink/1.0/apt.exe
bot_update http://guber56.co.uk/vc2/vn2.exe
Attachments: infected (393.94 KiB); infected (425.58 KiB)