A forum for reverse engineering, OS internals and malware analysis 

Win32/Zeus (alias Zbot)

Forum for analysis and discussion about malware.

Re: Trojan Zeus (alias ZBot)

 #14503  by rkhunter
 Sat Jul 07, 2012 10:10 am
Another 3 samples with same crypter, just with a few differences

7 / 41 https://www.virustotal.com/file/1bd5f61 ... /analysis/
MD5: 31cf2ccf68f7a1619557b4419df695a7
SHA1: f88a9ddf11fa6a897c555ce9116dba931fde22c5

16 / 41 https://www.virustotal.com/file/5de9d8d ... /analysis/
MD5: 48f9e3ac24d25d29d6bf49d740315e93
SHA1: 07196dbb66efb55d76b5e90c38142bc33f97e346

8 / 42 https://www.virustotal.com/file/b22548b ... /analysis/
MD5: 76b3cb955487f1665040c5647bf12f56
SHA1: 6840405767e8af443346933daed0897ce111a73e

Copies itself with random name into %appdata%\random_folder_name\random_file_name
Autorun from HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{CLSID}
Completely hangs my WinXPSP3 (with help of injections)...

Anti-emu trick
Image
Attachments
pass:infected
(769.17 KiB) Downloaded 71 times

Re: Trojan Zeus (alias ZBot)

 #14574  by rkhunter
 Wed Jul 11, 2012 11:44 am
Another two samples with same crypter.

SHA1: 13e641e3bd50be036f11b723d638cad3113ab888
MD5: 4adfa56c29697b7da23fda1eb28e944b

SHA1: 738d1e5e09dc5dd7bcb1159b373082bc798cb613
MD5: e1dc32531343a9a4a1d26653913056e2
Attachments
pass:infected
(255.62 KiB) Downloaded 64 times
pass:infected
(255.63 KiB) Downloaded 64 times

Re: Trojan Zeus (alias ZBot)

 #14646  by rkhunter
 Sat Jul 14, 2012 4:27 pm
I'm really surprised that distribution of ZBot does not go down after MS disrupted it botnet.

SHA1: 2a3afcbea8eab0af728074961efa2261e4caac5b
MD5: 6ab0e184b719f0736f2d5a5aed237081

SHA1: e269e29f318838b98734677e7b0948a24fe0678c
MD5: d69f7006bcc39b8f3f9d64c2e53c201f

SHA1: a19cfa21cda25cc95663073d420f37518e271b76
MD5: ecd99c603ba277a4b08a66cd7c0c0a42

Samples with MD5 inside.
Attachments
pass:infected
(752.97 KiB) Downloaded 79 times

Re: Trojan Zeus (alias ZBot)

 #14935  by rkhunter
 Mon Jul 30, 2012 5:31 pm
SHA1: 0ddb5eab870ad4b0092fafa8173aaa8eba05505f
MD5: 08f75835042c914b3beed2d139a460c2

SHA1: 2406897397594062395ae942ac8fe4447a6ad2dc
MD5: 2b4abf6e80586f8f60569b7c59423ba9
Attachments
pass:infected
(562.17 KiB) Downloaded 83 times
  • 1
  • 10
  • 11
  • 12
  • 13
  • 14
  • 29
 Return to “Malware”