A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20352  by unixfreaxjp
 Fri Aug 02, 2013 7:28 pm
Some Zeus Payload URLs alive:
 #20769  by EP_X0FF
 Tue Sep 10, 2013 5:55 pm
rough_spear wrote: Hi All,

Zbot sample with low detection.

MD5 - f2583374f538f95198490f2e019e3430

VT - https://www.virustotal.com/en/file/4b0a ... 378811356/ (7 / 47).

Regards,

rough_spear. ;)
Take deobfuscated.

https://www.virustotal.com/en/file/0ca5 ... 378835660/
Attachments
pass: infected
 #20909  by Xylitol
 Sun Sep 22, 2013 2:08 pm
https://zeustracker.abuse.ch/monitor.ph ... itylab.biz
Attached is the decoded config (before the sinkhole); maybe that will be useful to rkhunter, but I think ESET already has the stuff :)
Attachments
infected
 #21059  by MountFranklin
 Fri Oct 04, 2013 1:24 am
Hello forty-six & Xylitol,

Would it also be possible to share the original/encrypted config file associated with this malware? The C&C already seems inaccessible.

Thank you very much in advance.

regards,