A forum for reverse engineering, OS internals and malware analysis 

Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

 #21455  by Xylitol
 Tue Nov 26, 2013 1:30 pm
Citadel targeting France and Canada.
Code: Select all
Drop: hxtp://cita.zlayvez.name/citad/gate.php
Update: hxtp://cita.zlayvez.name/citad/file.php|file=soft.exe
Key: A0 67 BA F7 77 A7 1F 2D F6 F2 14 F8 98 46 98 87
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://www.virustotal.com/en/file/89f3 ... 385472805/
https://zeustracker.abuse.ch/monitor.ph ... ayvez.name
webinj:
Code: Select all
https://crdmitual.co/CM/Admin/login.php
https://mypowereddeds.com/CABMO/log/cookie.php?BID=%BOTID%
Image
Same actor as inforick ? >>21320
Attachments
infected
(294.73 KiB) Downloaded 66 times

Re: Citadel (Zeus clone)

 #21456  by Xylitol
 Tue Nov 26, 2013 1:42 pm
Citadel targeting wellsfargo.
Code: Select all
Drop: hxtp://www.morebiobags.co.uk/cache/king/gate.php
Update: hxtp://www.morebiobags.co.uk/cache/king/file.php|file=soft.exe
Key: 7A C5 2C 5F F7 C3 74 46 44 80 91 5F 49 D7 EB BE
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://zeustracker.abuse.ch/monitor.ph ... bags.co.uk
Attachments
infected
(5.79 KiB) Downloaded 49 times

Re: Citadel (Zeus clone)

 #21457  by Xylitol
 Tue Nov 26, 2013 1:54 pm
Citadel targeting Canada, sample courtesy of Kafeine.
Code: Select all
Drop: hxtp://ubicdt.com/01net/gate.php
Update: hxtp://ubicdt.com/01net/file.php|file=soft.exe
Key: 42 71 9F D5 A8 BA 96 DA 36 0B 16 8D 6D 6C E8 91
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://www.virustotal.com/en/file/485e ... 385473973/
https://zeustracker.abuse.ch/monitor.ph ... ubicdt.com
webinjs:
Code: Select all
https://wikipizzahut.com/pcadmin/
Image

Image
0/46 > Epic failure.
Attachments
infected
(247.16 KiB) Downloaded 69 times

Re: Citadel (Zeus clone)

 #21463  by MountFranklin
 Tue Nov 26, 2013 11:59 pm
Xylitol wrote:1.3.5.1 targeting Kingdom of Saudi Arabia, Australia, Portugal, Finland, Denmark, United Kingdom, Brazil, liberty reserve, facebook...
Courtesy of kafeine.
Code: Select all
Drop: hxtp://valentine.su/test/lfdxwp3.php
Update: hxtp://valentine.su/test/file.php|file=file.dll
Key: 1F F6 17 62 9E FA 4C EE 8F E6 C2 29 49 51 2E 3B
Login key: 2D5523342D4ACB20E85CABB46C86C339
John Doe 21
Image
https://zeustracker.abuse.ch/monitor.ph ... lentine.su
Fastflux and MiTB webinjs.
Code: Select all
hxtps://anl.su/george/admin.php
hxtps://anl.su/george/install.php
Alot of different citadel keys these days, looks like the microsoft heat is gone, people start again doing business with Citadel.
Hello Kylitol & Kafeine,

Would it be possible to have the citadel binary?

Thank you very much.

Regards,

Re: Citadel (Zeus clone)

 #21469  by Xylitol
 Wed Nov 27, 2013 4:32 pm
Citadel targeting Germany, Netherlands, sample courtesy of Kafeine.
Code: Select all
Drop: hxtp://46.30.41.183/3311555142345/hdtyryw.php
Update: hxtp://46.30.41.183/3311555142345/file.php|file=ered2.exe
Key: 76 16 B2 23 5D E8 F5 67 6C 25 93 4C 96 86 48 D6
Login key: 5CB682C10440B2EBAF9F28C1FE438468
Citadel login key unknown to ZeusLegalNotice, same actors as here: http://www.kernelmode.info/forum/viewto ... 272#p21274
https://www.virustotal.com/en/file/7927 ... 385569999/
https://zeustracker.abuse.ch/monitor.ph ... .30.41.183
webinj:
Code: Select all
https://advtef.com/deu/ven/login.php
Image
Attachments
infected
(432.16 KiB) Downloaded 63 times

Re: Citadel (Zeus clone)

 #21470  by tildedennis
 Wed Nov 27, 2013 6:50 pm
I recently extracted the login keys, conf URLs, and AES keys from a set of ~5300 Citadel samples. Here are the login keys and their counts:
Code: Select all
   
    1808 login_key: C1F20D2340B519056A7D89B7DF4B0FFF John Doe 25 (leaked builder)
    772 login_key: D52C3A25FB86B4660219344E1BC5A755 John Doe 71
    417 login_key: E1C305D625E51AE7BD22476672562A41 John Doe 73
    242 login_key: C2E51B1A9C3B93372D8D560591E7AE42 John Doe 62
    239 login_key: A14B6E0D78C5495E46A207D5B4C32E6B John Doe 25
    188 login_key: 0F3EACCF21540D6CA9610A4577D8C213 John Doe 7
    160 login_key: CF29CEFF7E5CB37C67AAB60796B60475 John Doe 66
    140 login_key: D13BD90340B64BE3877E4A0E10BBC80A John Doe 11
    130 login_key: F5F4D5EBD5855E904AB8DB757D320604 John Doe 80
    108 login_key: 5BFC136C923EFFF56F85105F6413CB1D John Doe 35
    100 login_key: 2D5523342D4ACB20E85CABB46C86C339 John Doe 21
     75 login_key: 1DA0BCEF39270EC94AAB4264A47B9537 John Doe 14
     66 login_key: 4540176117A581DE8A1D9D57C8135A6A John Doe 26
     65 login_key: 33C1F6D0ADF95197F001268FE10E1331 John Doe 24
     56 login_key: F0A950E6E640669F93C2026D76A9EB8F John Doe 77
     55 login_key: C2245AB3333584477F0BCA0C832DC433 John Doe 61
     48 login_key: 2F9CD491C23C02060430D652EF472BC0 John Doe 22
     45 login_key: F1017CFD7AE8D8D62BDEE1A3CEB72ECA John Doe 78
     45 login_key: 20038735198F82BC8495A2C1B01A9210 John Doe 15
     42 login_key: 4DF156722347C195696567442125ACE3 John Doe 30
     33 login_key: EE719148F13CDF2D63C448DE2918F595 John Doe 76
     30 login_key: 8A055496EA720959CA6B204EE878ADD8 John Doe 48
     30 login_key: 72276DE3DB6C4C394ABA83C216B60093 John Doe 41
     26 login_key: 71DC1A7CBD2F3C042EA0C2923807472C Not MSFT
     25 login_key: 9DA4B8572182DB73357FE92E851103B7 John Doe 51
     24 login_key: CE5602335EE36E68836E7C944311FFE8 John Doe 65
     24 login_key: 79B194D261FBD4BE3591802621C7E08E John Doe 44
     21 login_key: E95338F2BE801EE0AFA1C2C732BAD9AA John Doe 75
     20 login_key: CDB375D1A03F553F9D793D491F5B76AF John Doe 55
     20 login_key: CA3AAA9454EDE395CAFAA9AB2C17F4AD John Doe 25
     20 login_key: 6577AC52A1301B6F282DF6F6550D5F9F John Doe 38
     20 login_key: 028087C1E98E85951E8FE5881C56AE27 John Doe 3
     18 login_key: D4F8692DF46C91578EF688508CC29040 John Doe 70
     17 login_key: C604914BE8410C1D6AAF2E4F98CBCB8  John Doe 63
     15 login_key: B4919DB768CA6D8A2DD461841CFDB7BD John Doe 25
     15 login_key: 15C035744112F8D3D696B638CAF9E4D3 John Doe 11
     14 login_key: D88D8C5081A1C4882CF4BBD3C114963D John Doe 72
     14 login_key: 49564AFFF457E4BB4EA2B5CCCBA3C97A John Doe 27
     12 login_key: E3851B7BA755000CD095F903205BAE85 John Doe 48
     12 login_key: 5CB682C10440B2EBAF9F28C1FE438468 Not MSFT
     11 login_key: 19A8D9AB37F82AAF26E0FB3E02774CD5 John Doe 13
      9 login_key: 24894C3A6907B1DEE773050D2E54AE54 John Doe 18
      9 login_key: 2003BA35A24F7E7B767D2837037E8E11 John Doe 16
      8 login_key: A7E93E5AB154D58E9330775E7B842CAB John Doe 54
      8 login_key: 08B40E82496D1CC0AB296E2915C37913 John Doe 5
      7 login_key: AE4231D43AC9E2BFF9D4D5CA3F6A479B John Doe 56
      7 login_key: 7114B0C95C94D1BD7E3E2CC9B6BF4BDE John Doe 40
      6 login_key: D311E577A602A08AD11DAF124794D4C9 John Doe 68
      6 login_key: B53D535746D0ED692861C0C9D4DEFC3D John Doe 59
      6 login_key: B2EB727CF1C59A3EB05E1A211BFFFAF0 John Doe 28
      5 login_key: BAF3AE2080FC4346836F38869779392D John Doe 25
      5 login_key: 8D91FF5A557AD196DBC8A61F9B4BA68A John Doe 49
      5 login_key: 87C7990D8144EF5A875F8953BA45A7C3 John Doe 47
      4 login_key: A9B0A3F1522313D46F7A3D00A5F3C5FE John Doe 55
      4 login_key: 9E68DD4AB1CA3FEA13EDB285A38246ED John Doe 52
      4 login_key: 36EE84D2FE332BC0D7118FADF4AC5A3C John Doe 25
      4 login_key: 0C3CFE4C95BE7AB74F975D47D91118BC John Doe 6
      3 login_key: E52DC273F577FFA395B7AD3178598D27 John Doe 74
      3 login_key: 2C4F2579B0C1F2015252BED777D4B82D John Doe 20
      2 login_key: D1D5D9AC933D8F95A6C80E32AAC5E140 John Doe 67
      2 login_key: 75E63F7BF816D3AE1778DF52B5434E22 John Doe 42
      2 login_key: 4D09C466F6ED9AAD559DF417BB919EAE John Doe 29
      1 login_key: 9AE11768F9F48806F8018D36CF92651E John Doe 50
      1 login_key: 8151120FA52194F7932F481B4CCC0924 John Doe 46
      1 login_key: 1145F8F36720EBB5A8F8FF93A3863D36 John Doe 8
Let me know if anyone's interested in a particular login key and I can provide conf URLs, AES keys, and samples.

Re: Citadel (Zeus clone)

 #21473  by MountFranklin
 Thu Nov 28, 2013 3:28 am
Kafeine wrote:Here is it.
Thank you very much Kafeine but it doesn't seem to be matching with what Xylitol was referencing in terms of its KEY and Login Key:
Xylitol wrote:1.3.5.1 targeting Kingdom of Saudi Arabia, Australia, Portugal, Finland, Denmark, United Kingdom, Brazil, liberty reserve, facebook...
Courtesy of kafeine.
Code: Select all
Drop: hxtp://valentine.su/test/lfdxwp3.php
Update: hxtp://valentine.su/test/file.php|file=file.dll
Key: 1F F6 17 62 9E FA 4C EE 8F E6 C2 29 49 51 2E 3B
Login key: 2D5523342D4ACB20E85CABB46C86C339
On this particular sample, what I am getting is Login Key: 95186D43B4DC5BD78840D7488E315072

and based on its base config details, its C&C:
hXXp://hawaiianbewar.net/adu/file.php|file=uerf.pse
hXXp://pparentlymate.com/adu/file.php|file=uerf.pse

Please note that I am not proving anything wrong or something, I am just a bit confused since I am not getting the same result. Please let me know otherwise.

Thank you very much again for your continuous support and generosity.

Best regards,
MountFranklin
  • 1
  • 10
  • 11
  • 12
  • 13
  • 14
  • 20
 Return to “Malware”