A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #23043  by tohitsugu
 Wed Jun 04, 2014 5:10 pm
Hello everyone,

I am new to reverse engineering and am slowly learning the ropes. Lately I have been attempting to reverse some Zeus binaries I've found on some computers at work and have had trouble getting the RC4 key. I found the following articles very helpful and thought I might share them with you:

http://vrt-blog.snort.org/2014/06/an-in ... g-and.html
http://mnin.blogspot.com/2011/09/abstra ... -zeus.html
 #23406  by tomchop
 Fri Jul 18, 2014 5:17 pm
If you're focusing on Zeus (or its variants like Citadel), I strongly recommend that you dig into the Volatility plugins that have been made to dump part of their configuration (including their RC4 keys).

Here are some useful links:

Volatility zeusscan.py plugin
Volatility 2.0 Plugin Vscan
(Very early version of the plugin, great detail about inner workings)
Abstract Memory Analysis: Zeus Encryption Keys
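As an added illustration of the idea behind "dump the RC4 key from memory" (this is not code from the thread, the linked articles, or the Volatility plugins): the script below carves a candidate RC4 key state out of a memory buffer and decrypts a blob with it directly, without ever knowing the original key bytes. It assumes a hypothetical sample that keeps its expanded RC4 S-box (and, if already used, its i/j counters) resident in memory; which Zeus builds do that, and at what offsets, is what the linked plugins establish with code signatures. The scan for a 256-byte permutation is the generic technique, and every name, key and memory layout below is constructed for the example.

```python
"""Carve an RC4 key state from a memory buffer and decrypt with it.

Added example for this thread, not code from the Volatility plugins or
articles linked above. Assumes a hypothetical sample that keeps its expanded
RC4 state (256-byte S-box) resident in memory. All data is constructed.
"""
import random
from typing import List, Sequence, Tuple


def rc4_ksa(key: bytes) -> List[int]:
    """Standard RC4 key scheduling: expand `key` into a 256-entry permutation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt_with_state(state: Sequence[int], data: bytes, i: int = 0, j: int = 0) -> bytes:
    """RC4 PRGA run from a recovered S-box. i/j default to 0 (freshly scheduled
    state); pass the sample's saved counters if the state in memory had already
    been advanced. Works on a copy so one carved state can serve several blobs."""
    s = list(state)
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Conventional RC4 (KSA + PRGA) from a raw key; encryption equals decryption."""
    return rc4_crypt_with_state(rc4_ksa(key), data)


def find_rc4_states(mem: bytes) -> List[int]:
    """Offsets of every 256-byte window in `mem` that holds each value 0..255
    exactly once. Unrelated bytes form such a permutation with negligible
    probability, so hits are strong candidates for an expanded RC4 key. A
    sliding count table keeps the scan O(len(mem)) instead of rebuilding a set
    per offset. The identity table 0..255 is the usual false positive (lookup
    tables), so it is filtered out."""
    if len(mem) < 256:
        return []
    counts = [0] * 256
    dups = 0  # byte values currently present more than once in the window
    for b in mem[:256]:
        counts[b] += 1
        if counts[b] == 2:
            dups += 1
    hits = [0] if dups == 0 else []
    for off in range(1, len(mem) - 255):
        old, new = mem[off - 1], mem[off + 255]
        counts[old] -= 1
        if counts[old] == 1:
            dups -= 1
        counts[new] += 1
        if counts[new] == 2:
            dups += 1
        if dups == 0:
            hits.append(off)
    identity = bytes(range(256))
    return [off for off in hits if mem[off:off + 256] != identity]


def recover_and_decrypt(mem: bytes, blob: bytes) -> List[Tuple[int, bytes]]:
    """Try every carved state against an encrypted blob; returns (offset, plaintext)."""
    return [(off, rc4_crypt_with_state(mem[off:off + 256], blob))
            for off in find_rc4_states(mem)]


def build_sample_memory(state: Sequence[int], filler_len: int = 4096) -> Tuple[bytes, int]:
    """Constructed stand-in for a process memory region: filler, the expanded
    RC4 state, filler. Filler bytes stay below 0x80 so no filler-only window can
    be a permutation, and a 2-byte pad on each side of the state (value chosen
    to differ from S[0] and S[255]) makes the single hit offset unambiguous."""
    rng = random.Random(2014)

    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(7) for _ in range(n))

    pad_val = next(v for v in range(256) if v not in (state[0], state[255]))
    pad = bytes([pad_val, pad_val])
    before = filler(filler_len) + pad
    mem = before + bytes(state) + pad + filler(filler_len)
    return mem, len(before)


def demo() -> Tuple[int, bytes, List[Tuple[int, bytes]]]:
    """End to end: the sample schedules its key, memory is imaged, the state is
    carved and used to decrypt a 'config' blob without the raw key."""
    key = b"constructed-sample-key"  # never seen by the carving side
    state = rc4_ksa(key)
    config = b"botnet=example\x00url_config=http://127.0.0.1/cfg.bin\x00"
    encrypted = rc4_crypt(key, config)
    mem, true_off = build_sample_memory(state)
    return true_off, config, recover_and_decrypt(mem, encrypted)


if __name__ == "__main__":
    true_off, config, results = demo()
    for off, plaintext in results:
        print(f"RC4 state at offset {off:#x}; decrypted: {plaintext!r}")
```

Two practical caveats: a state that the sample has already used for earlier traffic carries nonzero i/j counters (pass them in, or brute-force the 65536 pairs against a blob with a known header), and a hit is only a candidate until the decrypted output looks like the structure you expect, which is the part the signature-based plugins linked above do for you.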