A forum for reverse engineering, OS internals and malware analysis 

Win32/Zeus (alias Zbot)

Forum for analysis and discussion about malware.

Re: Fareit - BlackHole loader of ZBot

 #18314  by EP_X0FF
 Sat Feb 23, 2013 4:03 am
Mosh wrote:
EP_X0FF wrote:Invalid PE file.
I'm sorry about that, here is another sample tested.

Detection ratio: 4 / 46
https://www.virustotal.com/en/file/b9b4 ... /analysis/
Zbot, in attach unpacked. Posts moved.
Attachments
pass: malware
(142.42 KiB) Downloaded 86 times

Re: Win32/Zeus (alias Zbot)

 #18552  by EP_X0FF
 Sun Mar 17, 2013 4:41 am
Zbot, payload of Fareit from http://www.kernelmode.info/forum/viewto ... 551#p18551 (hxxp://cmonline.co.nz/1D2e.exe)

8573b0ab8d6b64e5788ed2de9cc50588a1eafb70
91c9e79b9579e936f98382845b64bd0ce61a2b6a

https://www.virustotal.com/en/file/3388 ... /analysis/
https://www.virustotal.com/en/file/7743 ... /analysis/
Attachments
pass: infected
(424.46 KiB) Downloaded 87 times

Re: Win32/Zeus (alias Zbot)

 #18596  by Horgh
 Tue Mar 19, 2013 6:39 pm
Payload of BH EK hxxp://microadobeflashupd.com/central/accessible-capable-order.php

I included a crappy dump of the unpacked malware in the archive.
pwd : infected
(436.06 KiB) Downloaded 72 times

Re: Win32/Zeus (alias Zbot)

 #18632  by rough_spear
 Thu Mar 21, 2013 6:53 pm
Hi All,

Here are 5 files of Zbot.

list of MD5
3FEA31FF25592C2C23E822EFE6088225
88891B61341B231B75F85C9989451713
A294C9AECFBBFF2F816A1CFFE5F07C2C
BE91584FF5CEBB82F8FEBFC720B7E87D
FA503BA5FAB027D995A1383129438B89

Regards,

rough_spear. ;)
Attachments
password - infected.
(270.21 KiB) Downloaded 78 times

Re: Win32/Zeus (alias Zbot)

 #18635  by rough_spear
 Thu Mar 21, 2013 7:16 pm
Hi All,

2 more files of Zbot.

MD5

4553AFA4E01B74CA207613B565295A2A
610DC991350C194BA1C3EB0039E43DD0

Regards,

rough_spear.
Attachments
password - infected.
(207.76 KiB) Downloaded 80 times

Zbot C2 config

 #18695  by Squirl
 Tue Mar 26, 2013 12:45 pm
url: hxxp://paypal-servcies.com/
hxxp://paypal-servcies.com:2082/login/
hxxp://paypal-servcies.com/server/cp.php?m=login

MySQL DB creds: User = admin
pass = "" [empty string]
Attachments
infected
(1.31 MiB) Downloaded 93 times

Re: Win32/Zeus (alias Zbot)

 #18858  by rough_spear
 Sun Apr 07, 2013 12:12 am
Hi All,

Two more Zbot samples

MD5
1C16AFE42BDE47275AE687650B3CD062
497DBDF3059D003EA040428910F6ADB3

Regards,

rough_spear. ;)
Attachments
password - infected.
(420.69 KiB) Downloaded 70 times

Re: Win32/Zeus (alias Zbot)

 #18868  by hnpl2011
 Mon Apr 08, 2013 7:23 am
more zbot samples from spam email
MD5:
388d2ba0bc1073b6a8addc4e5dbc2bb0
64654a86bacaf80535b333f6f7768c5b
eadf0db89290a6ea8817ddec718f8c2e
Attachments
pass: infected
(804.26 KiB) Downloaded 79 times

Re: Win32/Zeus (alias Zbot)

 #18910  by rkhunter
 Fri Apr 12, 2013 9:21 am
Zbot family runs on selected systems only
http://blogs.avg.com/news-threats/zbot- ... d-systems/

Sample in attach.

SHA256: 31a8bc76d886c07d20f4b1314e04a82ea400056a5619fa1388895bf6d424c710
SHA1: 242cf7d0b11b3fd9ff94d9bdbd2ed789ec9cb433
MD5: a2a6fb6d26f3d70da25dbcaac05fc894
Attachments
pass:infected
(233.34 KiB) Downloaded 70 times
  • 1
  • 14
  • 15
  • 16
  • 17
  • 18
  • 29
 Return to “Malware”