A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24916  by comak
 Mon Jan 12, 2015 12:05 pm
vmzeus 2.0
Code: Select all
{'binary': u'0b8d94b28a7c91c9a3987675f170b3c0',
 'botname': u'jason',
 'cfg': 'http://brokelowhi.com/flashplayer/mod_vncY\x15\x94\x1e-\xf64e\xe7\x85\xc3\xcc\x92K\xf8q\xb3t\x87\xe6$F}I1\xb42d\x94\xed\x83\xb7\xab\x01\x1b\xba',
 'fakeurl': 'http://olpfo.com/xapwj/cfg.bin',
 'family': 'vmzeus2',
 'rc4sbox': '42950343a02d4bcdaa77c33812f88a781599a7542509fae800076f11a9eddec8229db9bb59a4c57b4648c465ac477f9edb1e3113f2b69abe3490892b20d158d43c753eb71a538cdf2faf80d5767056ce9bc7e6d3289f4f1b67b85ce51427ea556e845afd7ecaa36423d92cc97dfce1415002350bf0338561920dddc2a198722974b3069366f5febc2ec00e8897eef6081f94bd0cd66bd29cd8dcf78fa85f693fe04c821817390f7c4dba40fff4b25d30624468eb36191d736ad749e737cb6d1cf121e201d03d6379a2ecbf8d81fbae6057104a3286a6b50516cf915b71875e2a3a45ccabb1f97a8ec1046c24f3e3e483518b96ad0adab0a5b4efe93b4e5226c60000',
 'rc6sbox': 'ac956e590059249216675ff53e661eb2de573c253ec6a9e823eaca45790cf7126e8d56e1b8422f3614fd4c7c3536e232b3de3318d1bac1000b90e5baf27231f2e6877a3ac29fab69ce2874fb3121ef149e66ca9cb5e952414168b4d792562404d3ffededd921d276c56043d25947a62b7d975e20efb3725cd46bb4c13e9a599a9403d853142513a74671660884d2cbe4cdfd5f8c3a9d1d452c938e5b980f997d3794b563a781c65b8d23c0ba373f2f9e',
 'strings': ['lhttp://olpfo.com/xapwj/cfg.bin'],
 'urls': ['http://brokelowhi.com/flashplayer/mod_vncY\x15\x94\x1e-\xf64e\xe7\x85\xc3\xcc\x92K\xf8q\xb3t\x87\xe6$F}I1\xb42d\x94\xed\x83\xb7\xab\x01\x1b\xba'],
 'version': '02.00.00.00'}

apperently i have some bug in decryptor...

anyhow cfg attached
Attachments
(84.8 KiB) Downloaded 83 times
 #29459  by tildedennis
 Tue Oct 18, 2016 4:05 pm
a couple of sphinx zeus things:

* https://securityintelligence.com/brazil ... he-sphinx/

sample (attached): https://www.virustotal.com/en/file/7c73 ... /analysis/
Code: Select all
version: 1.7.1.0
config_url: http://dayspirit.at/xen2/config.bin
config_url: http://pierin.ru/xen2/config.bin
config_url: http://clork.ru/xen2/config.bin
advanced_config_url: http://labgeni0us.at/xen2/config.bin
advanced_config_url: http://dexterlabnew.at/xen2/config.bin
advanced_config_url: http://woooowarmy.at/xen2/config.bin
webinjects (attached) targeting .br 
---

* https://blogs.forcepoint.com/security-l ... dian-banks

sample (attached): https://www.virustotal.com/en/file/3c1e ... /analysis/
version: 1.5.5.0

broken/incomplete sample ? instead of an encrypted base config it contains "{BASECONFIG}"
Attachments
(3.55 MiB) Downloaded 81 times
 #29598  by tildedennis
 Mon Nov 21, 2016 1:06 pm
flokibot (mostly zeus 2.0.8.9 + some basic DDoS + basic track 2 memory scraper):

* https://www.flashpoint-intel.com/floki- ... lware-kit/
* https://blog.malwarebytes.com/threat-an ... y-dropper/

lastest sample that i've seen (attached): https://www.virustotal.com/en/file/4bdd ... /analysis/
Code: Select all
version: 13
config_url: https://extensivee.bid/000L7bo11Nq36ou9cfjfb0rDZ17E7ULo_4agents/gate.php

not seeing any webinjects yet, but dynamic config is attached as well. 
Attachments
(227.97 KiB) Downloaded 80 times
 #30250  by tildedennis
 Fri Apr 21, 2017 1:16 pm
grab another zeus variant from off the wall:

http://blog.fortinet.com/2017/03/17/gra ... -your-data

https://virustotal.com/en/file/6d8ce2d1 ... /analysis/ (attached) has a version of 1.6.8 and the following c2s:
Code: Select all
hxxp://derqdxnvis.info/wordpress/forumpost.php
hxxp://bigtoys.info/wordpress/forumpost.php
hxxp://derqdxnvis.site/wordpress/forumpost.php
hxxp://onlinegtrnc.site/wordpress/forumpost.php
hxxp://sseriubndisers.info/wordpress/forumpost.php
hxxp://geryynet.site/wordpress/forumpost.php
the lowest version i've seen of this variant is 1.5.5 active around october 2015.

seems very likely to be an update of this 2014 zeus variant known as "tarbuka" by stopmalvertising:

http://stopmalvertising.com/spam-scams/ ... pages.html
Attachments
(386.94 KiB) Downloaded 47 times
  • 1
  • 25
  • 26
  • 27
  • 28
  • 29