A forum for reverse engineering, OS internals and malware analysis 

ZeusVM (Zeus clone)

Forum for analysis and discussion about malware.

ZeusVM (Zeus clone)

 #21957  by Xylitol
 Wed Jan 15, 2014 8:30 pm
https://www.virustotal.com/en/file/b046 ... 389817586/
weird zeus
Code: Select all
https://bilance.humanwebcentr.net:63992/prefer/moualu.exe
https://bilance.humanwebcentr.net:63992/prefer/stars/rihannew.jpg
https://bilance.humanwebcentr.net:63992/prefer/counters.php
http://localhost/captchaupload.php
http://localhost/notifygate.php
Webinject:
Code: Select all
https://microsads.net/sampler/admin/gate.php?mode=CHECK_LOGIN&type=COMMERZBANKING&bot_id=XYLITOL-F12F085_7875768FBC303C10
Image
Found here http://www.malekal.com/2014/01/15/direc ... d-to-zbot/
base64+RC4+VisualDecrypt

RC4:
Code: Select all
30 65 73 8D 11 5D CB 1A E3 7C 7E 6B 0F 6D D6 3C 39 94 32 B4 61 52 93 DD C5 2F D8 1F 74 54 6A B9 C8 22 C4 07 EA 5A 1D 7A DA 34 25 DB 0C EC A4 5C BE AF 5E D2 3A BF 7F 00 2A EE 3F 3E 72 92 48 35 03 E9 63 D7 53 33 67 0E 1B AB 38 50 40 28 CD 23 A1 2C 47 AE C3 29 91 2B B6 62 19 0A 1E 36 57 FE DF 82 42 4D F8 89 98 4C DE EF 24 95 4A AA CA 06 56 58 46 A0 87 D4 16 A6 2E 14 E0 9C 85 8B 84 BD E7 31 F7 F2 9B 2D 96 B7 AD 01 8F A9 8A 20 FA 79 04 A8 6F 51 26 BB 8E 9D DC 43 A2 09 1C 9E F1 0B FC 68 E6 02 E1 CC F5 99 B0 81 90 D0 44 80 FF D3 77 66 C7 BA ED E2 6C C1 E5 69 71 55 4E 10 4B 27 60 CF 88 FB B2 83 75 F0 A5 5F 41 21 E4 B8 05 C6 F9 EB F6 B1 A3 9F 37 B5 49 CE FD E8 4F F4 C9 C0 BC 7B 6E D1 D5 3B 45 A7 F3 13 3D B3 AC 76 D9 78 18 86 0D 12 59 64 8C C2 17 9A 97 15 7D 70 08 5B
Edit: there a cnc also on another location hosting old panel of zeusVM:
fine.landingplans.net/browser/images/logo.png
Image
fine.landingplans.net/browser/theme/style.css:
Code: Select all
html, body
{
  background: url("../theme/fonbutton/background.png");
  margin: 0 auto;
  color: #000000;
  font-family: Verdana, Helvetica, sans-serif;
  font-size: 10px
}

input, select, textarea
{ 
  background: #F5F5F5;
  font-family: Verdana, Helvetica, sans-serif;
  font-size: 10px;
  font-weight: normal;
  margin: 0
}



pre
{  
  font-size: 10pt
}

td
{ 
  margin: 0;
  padding: 1px
}

a:link, a:visited
{  
  color: #000000;
  text-decoration: none;
  font-weight: normal
}

a:hover, a:active
{
  color: #000000;
  text-decoration: underline;
  font-weight: normal
}

.div_top
{
  width: 100%;
  height: 95px;
  background: url(../images/logo.png); 
  font-size: 15px;
  color: black;
  font-weight: bold;
  padding: 2px 0;
  margin: 0
}

.context
{
  background: #F5F5F5;
  background: -webkit-gradient(linear, left top, left bottom, from(#48D1CC), to(#B0E0E6));
  background: -moz-linear-gradient(top,  #48D1CC,  #B0E0E6);
  width: 100%;
  padding: 10px;
  text-shadow: 0 1px 1px rgba(0,0,0,.3);
	-webkit-border-radius: .5em; 
	-moz-border-radius: .5em;
	border-radius: .5em;
	-webkit-box-shadow: 0 10px 2px rgba(0,0,0,.2);
	-moz-box-shadow: 0 10px 2px rgba(0,0,0,.2);
	box-shadow: 0 10px 2px rgba(0,0,0,.2);
	color: #000000;
	border: solid 1px #000000;
}

.menu
{
  padding: 5px 0;
  border-right: 1px solid #999999;
  border-bottom: 1px solid #999999;
  text-shadow: 0 1px 1px rgba(0,0,0,.3);
	-webkit-border-radius: .5em; 
	-moz-border-radius: .5em;
	border-radius: .5em;
	-webkit-box-shadow: 0 10px 2px rgba(0,0,0,.2);
	-moz-box-shadow: 0 10px 2px rgba(0,0,0,.2);
	box-shadow: 0 10px 2px rgba(0,0,0,.2);
	color: #d9eef7;
	border: solid 1px #000000;
	background: #0095cd;
	background: -webkit-gradient(linear, left top, left bottom, from(#48D1CC), to(#B0E0E6));
	background: -moz-linear-gradient(top,  #48D1CC,  #B0E0E6);
	filter:  progid:DXImageTransform.Microsoft.gradient(startColorstr='#00adee', endColorstr='#0078a5');
	}

.menu_header
{
  margin: 0 0 10px 10px;
  font-size: 10px;
  font-weight: bold
}

.menu a:link, .menu a:visited
{
  border: 1px #000000;
  display: block;
  color: #000000;
  padding: 2px 2px 2px 15px;
  margin: 0 2px 0px 2px;
  font-weight: normal;
  width: 150px;
  text-decoration: none
}

.menu a:hover, .menu a:active
{
  border: 1px solid #000000;
  background-color: #FFFFFF;
  text-decoration: none;
  color: #000000
}

.bot_a:link, .bot_a:visited
{
  color: #FF4500;
  font-weight: bold;
  text-decoration: none
}

.bot_a:hover, .bot_a:active
{
  color: #FFFFFF;
  font-weight: bold;
  text-decoration: underline
}

.menu_separator
{
  border-top: 1px solid #000000;
  margin: 2px 0
}

.menu_info
{
  color: #000000;
  padding: 2px 2px 2px 15px;
  margin: 0 2px;
  font-weight: normal;
  width: 150px
}

.table_frame
{
  border: solid 1px #000000;
  background: #FFFFFF;
  margin: 0 auto;
  padding: 1px
}

.table_frame td
{
  white-space:nowrap
}

.td_header
{
  background: #48D1CC;
  color: #000000;
  font-weight: bold;
  padding: 1px;
  margin: 0
}

.td_header a:link, .td_header a:visited
{
  color: #000000;
  text-decoration: none;
  font-weight: bold
}

.td_header a:hover, .td_header a:active
{
  color: #FFFFFF;
  text-decoration: underline;
  font-weight: bold
}

.td_c1
{
  background: #AFEEEE;
  padding: 1px;
  margin: 0
}

.td_c2
{
  background: #B0E0E6;
  padding: 1px;
  margin: 0
}

.error
{
  color: #FF0000;
  font-weight: bold
}

.success
{
  color: #228B22;
  font-weight: bold
}

.screenshot
{
  border: solid 1px #FF0000
}

.popupmenu table
{
  color: #3A5FCD;
  border: solid 1px #000000;
  background-color: #FFFFFF;
}

.popupmenu td
{
  padding: 0
}

.popupmenu a:link, .popupmenu a:visited
{
  border:           1px solid #FFFFFF;
  display:          block;
  color:            #404040;
  padding:          2px 15px;
  margin:           0;
  font-weight:      normal;
  text-decoration:  none;
  background-color: #FFFFFF
}

.popupmenu a:hover, .popupmenu a:active
{
  border:           1px solid #999999;
  background-color: #AFEEEE;
  text-decoration:  none;
  color:#000000
}

.popupmenu hr
{
  border: 1px solid #000000;
  background-color: #AFEEEE;
  margin: 0;
  padding: 0
}

.table_frame_backgrounds
{
  border: solid 3px #ffffff;
  background: #F5F5F5;
   -moz-border-radius: 5px;
  border-radius: 5px;
}

	 .sexy_list_infol1{
 background: rgb(143, 126, 126);
  padding: 1px;
  margin: 0;
  border: solid 1px #cccccc;
  font-size: 10px;
	}
	
	.sexy_list_infol2{
 background: rgb(56, 50, 50);
  padding: 1px;
  margin: 0;
 font-size: 10px;
  border: solid 1px #cccccc;
	}
	
	
	 .sexy_list_infor1{
 background: rgb(143, 126, 126);
  padding: 1px;
  margin: 0;
  border: solid 1px #cccccc;
  font-size: 10px;
	}
	
	.sexy_list_infor2{
 background: rgb(56, 50, 50);
  padding: 1px;
  margin: 0;
 font-size: 10px;
  border: solid 1px #cccccc;
	}
	
	
	.sexy_list_infol3{
 background: #efefef;
  padding: 1px;
  margin: 0;
  border: solid 1px #cccccc;
	}
	
	//////
	
.sexy_list_infl1{
 background: #000000;
  padding: 1px;
  margin: 0;
  font-size: 10px;
  
	}
	
	.sexy_list_infl2{
 background: #efefef;
  padding: 1px;
  margin: 0;
 font-size: 10px;
	}
	
	
	
	
	 .sexy_list_infr1{
 background: #FFFFFF;
  padding: 1px;
  margin: 0;
  font-size: 10px;
	}
	
	.sexy_list_infr2{
 background: #efefef;
  padding: 1px;
  margin: 0;
 font-size: 10px;
	}
	
	///////////////
fine.landingplans.net/browser/theme/throbber.gif:
Image
--
others cnc:, panel of 'second' zeusVM generation:
Code: Select all
https://fine.landingplans.net/solution/theme/throbber.gif
https://fine.landingplans.net/enter/theme/throbber.gif
https://fine.landingplans.net/shop/theme/throbber.gif
https://fine.landingplans.net/central/theme/throbber.gif
Attachments
infected
(120.35 KiB) Downloaded 128 times
infected
(416.96 KiB) Downloaded 238 times

Re: Win32/Zeus (alias Zbot)

 #21968  by comak
 Thu Jan 16, 2014 11:40 am
Its VM Zeus 01.00.00.02
targeting .de
Code: Select all
.exe: https://bilance.humanwebcentr.net:63992/prefer/moualu.exe
drop: https://bilance.humanwebcentr.net:63992/prefer/counters.php
adv .cfg: 
https://fine.landingplans.net/prefer/cheap/icof.jpg, https://sitetositenews.net/prefer/portal/rai.jpg, https://restofineswallets.su/prefer/lego/logos.jpg, https://foni.playgroundads.net:47491/prefer/copy/offimages.jpg
Attachments
pass: infected
(10.85 KiB) Downloaded 139 times

Re: Win32/Zeus (alias Zbot)

 #22010  by Xylitol
 Mon Jan 20, 2014 8:28 pm
https://www.virustotal.com/en/file/6bb8 ... 390249772/
https://www.virustotal.com/en/file/7163 ... 390249804/
Code: Select all
https://torccesstoinc.com/hez/gdw.jpg
https://torccesstoinc.com/hez/xsea.php
user_execute https://networkremove.com/4/345238901.exe
Found here http://malwaredb.malekal.com/index.php? ... 95053b7f8f

345238901.exe unpack:
https://www.virustotal.com/en/file/37fe ... 390263682/
Code: Select all
• dns: 3 ›› ip: 152.8.54.138 - adress: TORCCESSTOINC.COM
-- addr: TORCCESSTOINC.COM -- ip: 60.199.197.5
-- addr: TORCCESSTOINC.COM -- ip: 37.123.100.115
-- addr: TORCCESSTOINC.COM -- ip: 152.8.54.138
• dns: 3 ›› ip: 37.123.100.115 - adress: NETWORKREMOVE.COM
-- addr: NETWORKREMOVE.COM -- ip: 152.8.54.138
-- addr: NETWORKREMOVE.COM -- ip: 37.123.100.115
-- addr: NETWORKREMOVE.COM -- ip: 60.199.197.5
Attachments
infected
(8.89 KiB) Downloaded 114 times
infected
(364.75 KiB) Downloaded 160 times

Re: Win32/Zeus (alias Zbot)

 #22020  by comak
 Tue Jan 21, 2014 6:56 pm
Again VMZeus 1.0.0.2
targeting .es .de .it .fr .za:

rc4 key:
Code: Select all
d66c 439b 0ae8 2792 c34f fa53 00cc 36c6
39df e405 ec71 e61c 9c18 452e 993d 7302
4255 5e40 86fb 541f 7534 7937 3244 4cee
221b 2ab3 2c85 d826 e572 08e0 8ad7 cd5f
a21d 50ab 036f 95ea 8d3e d07f 2dd3 60cf
9149 3f81 3565 1780 890d a052 25a3 ba57
5a0f 90e7 306d a1c4 4e6b 6128 b913 c063
9f10 21b7 84bc f6f9 a407 b1b4 945c 8c3b
dcaf 6778 1564 a9da 41fe 097e b8c5 1197
bd74 620c ad82 9d46 9a24 f0ef 7c3c 8ebf
511a 2bc7 f57d fff4 e31e c114 fdac f1f3
5dce 6956 2fc8 3820 cad5 a8a5 aa0b ae12
48dd 76db 330e a7eb 067b b029 de58 1631
f704 47b6 f2c2 77d9 d2ed a6e9 6a70 933a
2387 98be f84a b501 c9e1 d119 bbe2 8b83
4bb2 5b68 4d7a d466 6e8f 59fc 9688 cb9e
0000
Attachments
pass: infected
(10.21 KiB) Downloaded 107 times

Re: Win32/Zeus (alias Zbot)

 #22059  by Xylitol
 Mon Jan 27, 2014 4:58 pm
http://www.malekal.com/2014/01/27/14269/
https://www.virustotal.com/en/file/7535 ... 390841995/
Code: Select all
• dns: 2 ›› ip: 140.113.202.55 - adress: TORCCESSTOINC.COM
• dns: 2 ›› ip: 140.113.202.55 - adress: NETWORKREMOVE.COM
still same key
Code: Select all
6C D6 9B 43 E8 0A 92 27 4F C3 53 FA CC 00 C6 36 DF 39 05 E4 71 EC 1C E6 18 9C 2E 45 3D 99 02 73 55 42 40 5E FB 86 1F 54 34 75 37 79 44 32 EE 4C 1B 22 B3 2A 85 2C 26 D8 72 E5 E0 08 D7 8A 5F CD 1D A2 AB 50 6F 03 EA 95 3E 8D 7F D0 D3 2D CF 60 49 91 81 3F 65 35 80 17 0D 89 52 A0 A3 25 57 BA 0F 5A E7 90 6D 30 C4 A1 6B 4E 28 61 13 B9 63 C0 10 9F B7 21 BC 84 F9 F6 07 A4 B4 B1 5C 94 3B 8C AF DC 78 67 64 15 DA A9 FE 41 7E 09 C5 B8 97 11 74 BD 0C 62 82 AD 46 9D 24 9A EF F0 3C 7C BF 8E 1A 51 C7 2B 7D F5 F4 FF 1E E3 14 C1 AC FD F3 F1 CE 5D 56 69 C8 2F 20 38 D5 CA A5 A8 0B AA 12 AE DD 48 DB 76 0E 33 EB A7 7B 06 29 B0 58 DE 31 16 04 F7 B6 47 C2 F2 D9 77 ED D2 E9 A6 70 6A 3A 93 87 23 BE 98 4A F8 01 B5 E1 C9 19 D1 E2 BB 83 8B B2 4B 68 5B 7A 4D 66 D4 8F 6E FC 59 88 96 9E CB
Attachments
infected
(234.37 KiB) Downloaded 142 times

Re: Win32/Zeus (alias Zbot)

 #22139  by Xylitol
 Tue Feb 04, 2014 6:25 pm
Another Zeus, same actor/rc4 key as previous.
http://malwaredb.malekal.com/index.php? ... 6280459917
https://www.virustotal.com/en/file/1623 ... 391538225/
Code: Select all
https://www.ectedsaysitha.com/hez/gdw.jpg
http://21cffa6f15f.ru/cfg.jpg
user_execute https://networkremove.com/8/567565433.exe
---
ectedsaysitha.com/hez/theme/style.css
---
• dns: 3 ›› ip: 140.135.113.63 - adress: ECTEDSAYSITHA.COM
• dns: 3 ›› ip: 140.113.202.55 - adress: NETWORKREMOVE.COM
• dns: 0 ›› ip: - adress: 21CFFA6F15F.RU
567565433.exe:
https://www.virustotal.com/en/file/0e69 ... 391538545/
webinjects:
Code: Select all
https://appsecurek.com/aa2hip8mae8s/script.js
https://appsecurek.com/aekavodah2ai/script.js
https://appsecurek.com/aekie9zasohf/script.js
https://appsecurek.com/aephoo7niimi/script.js
https://appsecurek.com/ahme6roo4aih/script.js
https://appsecurek.com/ahph4sau0cha/script.js
https://appsecurek.com/ahshethae3bo/script.js
https://appsecurek.com/aic1aek6iel1/script.js
https://appsecurek.com/aicu4waeroow/script.js
https://appsecurek.com/aitait3soo5k/script.js
https://appsecurek.com/aiyohchei1xe/script.js
https://appsecurek.com/bee3buoveuno/script.js
https://appsecurek.com/beivaigie3wo/script.js
https://appsecurek.com/boh6in0cu5ei/script.js
https://appsecurek.com/cuosh3ze8aiy/script.js
https://appsecurek.com/daitah6iexoh/script.js
https://appsecurek.com/diegh7ein8oi/script.js
https://appsecurek.com/eef4ahvieh4a/script.js
https://appsecurek.com/eethelahgh1j/script.js
https://appsecurek.com/eic3oochahce/script.js
https://appsecurek.com/eiquai3ahngi/script.js
https://appsecurek.com/eirahn8chaev/script.js
https://appsecurek.com/eiyaiheir6ah/script.js
https://appsecurek.com/eizaegae4dee/script.js
https://appsecurek.com/epair5ehoo6o/script.js
https://appsecurek.com/fe6faekae2ai/script.js
https://appsecurek.com/fieyoif5aph0/script.js
https://appsecurek.com/foht6ooxoa9o/script.js
https://appsecurek.com/giefohri7eik/script.js
https://appsecurek.com/giwohg7boob3/script.js
https://appsecurek.com/gohha7bo1aew/script.js
https://appsecurek.com/gou8mei8ang0/script.js
https://appsecurek.com/hiereph7ohhi/script.js
https://appsecurek.com/hudei0thee6t/script.js
https://appsecurek.com/ieweo4oanaiz/script.js
https://appsecurek.com/iexeomiej8os/script.js
https://appsecurek.com/iitae0oohaen/script.js
https://appsecurek.com/iof0eu7ahsae/script.js
https://appsecurek.com/iquahxeith7e/script.js
https://appsecurek.com/ith1wuixuocu/script.js
https://appsecurek.com/iwohy4loo2ei/script.js
https://appsecurek.com/jaexulah3rai/script.js
https://appsecurek.com/jeexae9oyeuw/script.js
https://appsecurek.com/kaem6rohk7lo/script.js
https://appsecurek.com/lohnoh1aimoo/script.js
https://appsecurek.com/mahhee9aeru0/script.js
https://appsecurek.com/moox5lei5ohh/script.js
https://appsecurek.com/nei9aemo5ahw/script.js
https://appsecurek.com/ohboo9faid2n/script.js
https://appsecurek.com/ohnaeyuoch9h/script.js
https://appsecurek.com/ooqu9ooju6ee/script.js
https://appsecurek.com/ooquu8ooluaz/script.js
https://appsecurek.com/oum5quoo3apu/script.js
https://appsecurek.com/oxeiqu4chuan/script.js
https://appsecurek.com/oyieth5mer3o/script.js
https://appsecurek.com/paesh4jie9ei/script.js
https://appsecurek.com/poh2iequohra/script.js
https://appsecurek.com/pohn3ec1yae8/script.js
https://appsecurek.com/quai2iehai1i/script.js
https://appsecurek.com/riukek3uxo3c/script.js
https://appsecurek.com/sha4rovootav/script.js
https://appsecurek.com/she6oogaiqua/script.js
https://appsecurek.com/shi7ataith4j/script.js
https://appsecurek.com/shiequ4oge7e/script.js
https://appsecurek.com/tee3maht6hae/script.js
https://appsecurek.com/thoosh6eeg9u/script.js
https://appsecurek.com/tohme6lu0aad/script.js
https://appsecurek.com/too6ho2poone/script.js
https://appsecurek.com/ucoogh6neequ/script.js
https://appsecurek.com/ueh8thee8sei/script.js
https://appsecurek.com/ugie8oog0ohj/script.js
https://appsecurek.com/uik6ahy6xoon/script.js
https://appsecurek.com/uphuodohsh5r/script.js
https://appsecurek.com/uu5pheithua4/script.js
https://appsecurek.com/uzaej8aiteit/script.js
https://appsecurek.com/vovai2shaey5/script.js
https://appsecurek.com/yai9xooboupa/script.js
https://appsecurek.com/yanae0bohtah/script.js
https://appsecurek.com/yuanguob0ohp/script.js
https://appsecurek.com/ziush7jook7o/script.js
https://secureconnectlons.com/gaamma713/scripts/berliner.js
https://secureconnectlons.com/gaamma713/scripts/comdirect.js
https://secureconnectlons.com/gaamma713/scripts/cortal.js
https://secureconnectlons.com/gaamma713/scripts/deutsche.js
https://secureconnectlons.com/gaamma713/scripts/dkb.js
https://secureconnectlons.com/gaamma713/scripts/fiducia.js
https://secureconnectlons.com/gaamma713/scripts/gad.de.js
https://secureconnectlons.com/gaamma713/scripts/haspa.js
https://secureconnectlons.com/gaamma713/scripts/jquery.js
https://secureconnectlons.com/gaamma713/scripts/noris.js
https://secureconnectlons.com/gaamma713/scripts/postbank.js
https://secureconnectlons.com/gaamma713/scripts/sparkasse.js
Attachments
infected
(713.65 KiB) Downloaded 179 times
infected
(7.29 KiB) Downloaded 116 times
infected
(57.94 KiB) Downloaded 110 times
infected
(317.79 KiB) Downloaded 141 times

Re: Win32/Zeus (alias Zbot)

 #22427  by Xylitol
 Tue Mar 11, 2014 11:28 am
Code: Select all
https://thnetworkcabl.net/qag/wrz.exe
https://thnetworkcabl.net/pde/uafs.php
https://saysithassqwk.net/pde/jsd.jpg
Code: Select all
RC4: 52 A7 03 16 1D C6 8E DA 9E 12 D7 B2 BD 6F AD 2F 0B 61 98 84 FF 7A 50 4E 07 83 2E FE 92 BB 95 99 17 6D E2 58 62 5C E9 A1 EF 7E 3D 71 F1 A3 82 7D D0 55 23 6A 26 5B 0E 8B 02 D2 41 E4 87 5A DB 20 21 DD 06 78 13 EA 05 C1 11 F5 4D 27 97 68 6C 24 47 22 B9 04 76 91 E6 86 44 E3 54 A0 F8 90 65 E8 C5 8D 43 08 BA 57 8C F9 6B AA B6 1A FC D6 35 A5 81 E7 DE 63 F3 3C 72 1C 3A 3B 33 70 36 DF 0A 7B 88 34 29 9D D9 45 85 8F 15 96 A9 B4 3F C3 C4 AF 53 10 BF 4C 31 4B 66 39 C0 09 60 19 D8 F7 28 BE CA B7 2D 79 CF 30 00 AE 1E F0 D4 9B D5 B1 FB C7 5D 56 F6 5E EE B5 18 C9 38 46 EB 89 D3 E5 3E 94 5F 6E 4F C2 9F CC 77 93 2C 7C CB BC 14 CD B0 ED B3 7F 0D 0C 01 2B 1F D1 80 DC 73 EC 9A 75 A8 32 F2 4A A2 59 0F FD FA 40 69 A6 25 74 AB 64 9C AC B8 51 F4 67 1B 42 E1 C8 CE E0 49 2A 8A A4 48 37
https://www.virustotal.com/en/file/29e7 ... 394727696/
Attachments
infected
(296.87 KiB) Downloaded 125 times

Re: ZeusVM (Zeus clone)

 #22721  by Xylitol
 Wed Apr 23, 2014 11:24 am
+2 samples i got from Kafeine.
one have test webinject (bugment.net) and the second have a big config file (bellabeachwear.com).

bugment.net:
https://www.virustotal.com/en/file/7463 ... 398252173/
Code: Select all
47 67 22 52 11 36 CF AB EA 3C 94 8B 1E F4 5C AC ED 35 7E 8C F3 01 9B 6A 27 5E D1 29 63 87 45 C9 80 E4 46 E1 F1 00 AA 2C 8D 23 E9 75 6C B2 C3 EF 4E CE 25 57 43 42 E2 2F 73 8A AD 62 B9 28 55 93 DF 0A 71 16 0E 8F 40 31 95 30 9D 4F DE 20 B5 BE E3 7C 5D B6 CB 68 D2 E5 41 3B 3A 5F 38 92 BB 1F 37 7D 39 2B 6F 49 0C 09 18 B1 E7 2E BD 79 19 FD 1D F7 61 DB 7F 03 12 B7 54 BC 81 CD 15 64 A7 FB 2A 9A F5 F6 17 4C 3D 53 04 0B 65 B3 08 2D A4 66 48 C2 4A 21 91 E6 5B C5 CA D0 C4 14 10 C0 D9 89 F8 99 97 70 13 82 56 FE DD A8 02 0F FC E0 72 6E 8E C7 96 A3 F2 32 DA 98 F0 D7 D5 86 A2 06 FF 26 4B EE 44 9F C6 85 F9 24 FA 07 C8 C1 83 D6 4D D4 88 EC A5 33 50 B0 76 77 D3 CC 9E 3E 60 7B 0D BF 78 9C 74 E8 D8 7A 51 BA 6D 58 3F 5A 34 DC 6B 1A A9 1B 84 59 69 A0 AF B8 05 1C EB 90 A6 B4 AE A1
Code: Select all
http://hhotmail.com/*
fail :)

bellabeachwear.com:
https://www.virustotal.com/en/file/8603 ... 398252160/
Code: Select all
38 72 9B 74 B8 31 05 29 43 4C 8D 40 0B 2E 88 CE 13 64 A7 D3 34 82 D0 2C 65 B7 AA 06 B1 DB 48 37 EF 0D 1F BB 5F 92 F1 50 BC 66 5E 19 1B 7A 0F 3A 20 5A 69 D7 36 A5 93 59 CA 55 01 1E AD B5 CD 97 CB 73 F0 6B 27 18 DD 2A A2 0E 22 2B 9F E2 04 EC E7 32 5D D6 84 C2 7D A8 28 44 4D 95 F6 C4 00 DC BA 90 4F 76 5C 35 3E 51 A1 EA 71 0C C0 47 75 21 C3 E3 9C 7F 79 08 60 98 8C CC B0 89 CF 17 70 87 99 45 EE 1C 68 30 BF DF B9 54 58 B3 03 94 02 9D 83 86 7B E4 25 57 0A 63 EB 23 09 F5 11 A3 4A 26 4B F4 A0 A6 33 9A 2F C8 1A 8E BE 12 56 FC 49 4E FB F9 1D F7 53 BD 8F B4 B2 3D DE D1 C6 78 6A E8 6E AB AF 39 81 42 E5 C5 FE 8A F2 C7 9E ED D9 E1 B6 AE 3B DA 16 7C 07 14 41 6D E9 67 FA 46 7E 2D D4 FD 5B 96 E6 AC 10 C9 E0 80 6C A4 3F D5 F8 62 15 61 A9 3C 91 85 C1 8B FF 6F 77 D2 D8 24 52 F3
Attachments
infected
(1 MiB) Downloaded 114 times
 Return to “Malware”