A forum for reverse engineering, OS internals and malware analysis 

Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

 #21283  by Xylitol
 Wed Oct 30, 2013 12:20 pm
Citadel who target wellsfargo
Code: Select all
Drop: hxtp://seposa.ru/images/one/bazi/e75.php
Update: hxtp://seposa.ru/images/one/bazi/file.php|file=soft.exe
key: B4 75 A2 91 52 1C 12 98 88 0F 92 8C E2 01 56 B3
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://zeustracker.abuse.ch/monitor.php?host=seposa.ru
Attachments
infected
(5.8 KiB) Downloaded 52 times

Re: Citadel (Zeus clone)

 #21284  by Xylitol
 Wed Oct 30, 2013 12:45 pm
Citadel who target japan.
Code: Select all
Drop: hxtp://gromydoonyy240.com/ppp/
Update: hxtp://gromydoonyy240.com/ppp/file.php|file=jj03.exe
key: DD FB 2F 07 49 AB 4B C5 F6 C0 D1 22 C4 05 B0 10
Login key: D52C3A25FB86B4660219344E1BC5A755
Same enc key as http://www.kernelmode.info/forum/viewto ... =60#p20700 & http://www.kernelmode.info/forum/viewto ... =80#p21178 & http://www.kernelmode.info/forum/viewto ... =80#p21222 & http://www.kernelmode.info/forum/viewto ... =80#p21250 & http://www.kernelmode.info/forum/viewto ... =80#p21264

https://zeustracker.abuse.ch/monitor.ph ... art108.com
https://zeustracker.abuse.ch/monitor.ph ... nyy240.com
Attachments
infected
(7.37 KiB) Downloaded 59 times

Re: Citadel (Zeus clone)

 #21316  by Xylitol
 Sun Nov 03, 2013 10:18 am
Citadel targeting wellsfargo.
Code: Select all
Drop: hxtp://fizzytechs.zz.mu/videos/gate.php
Update: hxtp://fizzytechs.zz.mu/videos/file.php|file=soft.exe
Key: 0D 29 BA 09 CB EF FA 2C F0 5A AF 67 F5 5B E6 52
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Code: Select all
Drop: hxtp://fizzytechs.zz.mu/public_html/images/gate.php
Update: hxtp://fizzytechs.zz.mu/public_html/images/file.php|file=soft.exe
Key: 0D 29 BA 09 CB EF FA 2C F0 5A AF 67 F5 5B E6 52
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Code: Select all
Drop: hxtp://fizzytechs.zz.mu/public_html/news/file.php|file=soft.exe
Update: hxtp://fizzytechs.zz.mu/public_html/news/gate.php
Key: 0D 29 BA 09 CB EF FA 2C F0 5A AF 67 F5 5B E6 52
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Code: Select all
Drop: hxtp://fizzytechs.zz.mu/public_html/themes/gate.php
Update: hxtp://fizzytechs.zz.mu/public_html/themes/file.php|file=soft.exe
Key: 0D 29 BA 09 CB EF FA 2C F0 5A AF 67 F5 5B E6 52
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(18.09 KiB) Downloaded 54 times

Re: Citadel (Zeus clone)

 #21317  by Xylitol
 Sun Nov 03, 2013 10:34 am
Citadel targeting Japan.
Code: Select all
Drop: hxtp://gormosssnter205.net/ppp/
Update: hxtp://gormosssnter205.net/ppp/file.php|file=jj03.exe
Key: DD FB 2F 07 49 AB 4B C5 F6 C0 D1 22 C4 05 B0 10
Login key: D52C3A25FB86B4660219344E1BC5A755
Same enc key as http://www.kernelmode.info/forum/viewto ... =60#p20700 & http://www.kernelmode.info/forum/viewto ... =80#p21178 & http://www.kernelmode.info/forum/viewto ... =80#p21222 & http://www.kernelmode.info/forum/viewto ... =80#p21250 & http://www.kernelmode.info/forum/viewto ... =80#p21264 & http://www.kernelmode.info/forum/viewto ... =90#p21284
Attachments
infected
(4.59 KiB) Downloaded 58 times

Re: Citadel (Zeus clone)

 #21320  by Xylitol
 Sun Nov 03, 2013 12:02 pm
Citadel targeting Canada, sample courtesy of Kafeine delivered via Impact Exploit Kit on the same IP.
Code: Select all
Drop: hxtp://inforick.com/img/gate.php
Update: hxtp://inforick.com/zip/file.php|file=soft.exe
Key: 82 75 FC 56 7F D5 E6 A0 F3 B6 61 18 4B C8 B1 41
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://zeustracker.abuse.ch/monitor.ph ... forick.com
https://www.virustotal.com/en/file/db09 ... 383480378/
webinj:
Code: Select all
http://empressbridge.com/popups/js/admin/
Image
Attachments
infected
(8.82 KiB) Downloaded 60 times
infected
(38.94 KiB) Downloaded 67 times
infected
(575.58 KiB) Downloaded 92 times
infected
(6.56 KiB) Downloaded 68 times

Re: Citadel (Zeus clone)

 #21332  by Xylitol
 Mon Nov 04, 2013 5:09 pm
Citadel targeting Spain, Netherlands, America
Code: Select all
Drop: hxtp://fsnc.ru/modules/MenuManager/lang/ext/Countrydate/parking.php
Update: hxtp://fsnc.ru/modules/MenuManager/lang/ext/Countrydate/file.php|file=racing.exe
Key: 1E C3 04 07 86 8D 49 92 4A 86 4A DE AC B4 05 C2
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://zeustracker.abuse.ch/monitor.php?host=fsnc.ru
Interesting the WebInjects are obfuscated inside the config.
edit: bentpanel securetechicsatcontrol.com/bentpanel/ foxit wrote on it http://foxitsecurity.files.wordpress.co ... belka1.pdf
Attachments
infected
(68.99 KiB) Downloaded 58 times

Re: Citadel (Zeus clone)

 #21333  by Xylitol
 Mon Nov 04, 2013 5:36 pm
Citadel who target United Kingdom, America, Spain and some service like paypal etc...
Code: Select all
Drop: hxtp://wandingoo.net/project/gate.php
Update: hxtp://wandingoo.net/project/file.php|file=build.exe
Key: 59 56 60 0C 76 6B 4C A5 8C 77 F2 D8 16 66 A1 25
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://zeustracker.abuse.ch/monitor.ph ... dingoo.net
https://www.virustotal.com/en/file/30ff ... 383586664/
Code: Select all
EXE: hxxp://fildirekt.se/dl/1383373105.exe
Attachments
infected
(354.3 KiB) Downloaded 71 times

Re: Citadel (Zeus clone)

 #21345  by Xylitol
 Wed Nov 06, 2013 11:21 am
Citadel targeting wellsfargo
Code: Select all
Drop: hxtp://lanko.biz/cigbin/atmosphere.php
Update: hxtp://lanko.biz/cigbin/beans.php|file=ohshit.exe
Key: E7 8F EC 12 0F 46 E0 C1 A6 4F 97 87 C0 CC 99 B9
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://zeustracker.abuse.ch/monitor.php?host=lanko.biz
Attachments
infected
(5.79 KiB) Downloaded 55 times
  • 1
  • 8
  • 9
  • 10
  • 11
  • 12
  • 20
 Return to “Malware”