ZeusVM (Zeus clone) - Page 3

Zberp

#22971 by p4r4n0id
Sun May 25, 2014 10:52 am

Hi,

source: http://securityintelligence.com/new-zbe ... 4HJQdJ5MU8

vt - https://www.virustotal.com/en/file/34a0 ... /analysis/

Sample attached.

- p4r4n0id

Attachments

zberp.7z

pwd: infected
(207.18 KiB) Downloaded 94 times

Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/

Username

p4r4n0id

Posts

126

Joined

Thu Sep 22, 2011 11:36 am

Location

Israel

Contact

Re: ZeusVM (Zeus clone)

#22972 by Xylitol
Sun May 25, 2014 11:37 am

moved.
also a 1.0.0.5 in attach

Code: Select all

7F 81 6D DC E0 2A 4E F2 59 85 E1 EE A8 B0 F6 1A 50 28 E8 CC 68 2D 79 DA 42 93 9E 11 26 32 B6 5C D5 3C FD CE 6B 0F 30 97 7E 3E 25 3A 06 D9 2B 35 4D A0 CF 8C 4B 60 54 76 22 DE 39 C7 45 8A 89 92 69 64 E6 FE D2 B5 23 BB 36 0C 52 A5 A6 5F A4 C5 7C BC 74 24 B2 C4 01 EB 03 DD 88 C8 CA 0B 00 20 0E EF 9A 6A 2F 14 71 63 86 B9 E9 AA D7 21 90 D1 0A 12 31 E4 8B E3 D4 7A C9 34 9C 41 D8 80 78 44 BD A2 53 FB B7 1F A9 84 3F 8F 6E 10 C6 C0 B3 B4 A3 DB A7 15 D6 05 08 82 07 6F 2C 18 17 43 E2 AF 4A AC D0 AD AB 47 8E 57 51 EA F3 7D 5B 8D 13 40 9B 1E 58 F0 95 4F 49 9D B1 F5 E7 99 A1 83 E5 BE EC 65 C1 BF 1C 77 48 72 ED 3B 94 46 5A 70 02 C3 6C 2E 96 D3 F9 3D 75 27 56 CB 0D F4 CD 38 F8 FA 09 5D AE 61 1D FC F7 98 29 66 DF F1 73 9F 5E 87 62 1B 19 04 FF B8 67 16 BA 91 4C 33 37 C2 55 7B

Attachments

tmp71.edns.su.zip

infected
(206.46 KiB) Downloaded 100 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: ZeusVM (Zeus clone)

#22991 by comak
Thu May 29, 2014 11:29 am

from p4r4n0id's sample:

Code: Select all

Version: 01.00.01.00
Botnet: HTM2
Botnet RC4: 38729b74b8310529434c8d400b2e88ce1364a7d33482d02c65b7aa06b1db4837ef0d1fbb5f92f150bc665e191b7a0f3a205a69d736a59359ca55011eadb5cd97cb73f06b2718dd2aa20e222b9fe204ece7325dd684c27da828444d95f6c400dcba904f765c353e51a1ea710cc0477521c3e39c7f790860988cccb089cf1770879945ee1c6830bfdfb95458b30394029d83867be425570a63eb2309f511a34a264bf4a0a6339a2fc81a8ebe1256fc494efbf91df753bd8fb4b23dded1c6786ae86eabaf398142e5c5fe8af2c79eedd9e1b6ae3bda167c0714416de967fa467e2dd4fd5b96e6ac10c9e0806ca43fd5f8621561a93c9185c18bff6f77d2d82452f30000
Botnet RC6: 340e74d2ddea02894f3754596ab9ef84b25abfb41c4422ea71020a9c312cae3c4edac489c0eb79f8fe0737d47f81f8bbf8649c95b28c1b55269ff07613d4c5fc33c1718bb6b2e1f2c85b7f1bb88321584c10735aa989b504ebf9c57fdabba95bf2d12ae17e39e1a132fd2920c79fa219bd3fc49e0b1ef07ac57e92172a1d713a836886052b8d2c7a211de514aef3a8685dd2cc30b7f2ba201e1c917d061ad1c3eae77ed9fd85e622e9862f63177cb3b8
URLs: ['https://img.mswguard.com/img2/pix2.jpg']
FakeUrl: http://ovjjy.com/fnsmh/cfg.bin
OtherEncStrings: ['1]_W3U', '5lr|1=']
OtherStrigns: ['ohttp://ovjjy.com/fnsmh/cfg.bin\x00']

sadly url seems to be dead

Username

comak

Posts

43

Joined

Mon Oct 14, 2013 8:25 am

Contact

Re: ZeusVM (Zeus clone)

#23072 by comak
Mon Jun 09, 2014 4:39 pm

new version from http://blog.dynamoo.com/2014/06/inovice ... -spam.html

Code: Select all

{
'version': '02.00.00.00',
'botnet': 'C1',
 'cfg': 'https://62.76.185.30/c.jpg',
 'fakeurl': 'http://ilfahcn.com/cfg.bin',
 'rc4sbox': '56689c78c6122baaa6a52c6dfc75636ab873363de718fb8a77097c2622b5ccd4dc8e8f4a9f059447bd298c7b9e8d412855524921ac79b2873a92938bd1f7e2d82fa21fc74bb05af9ec74f5cb1746e4195d2db11d57d5f0cf9a15ff0e433c3f5b07d25432700b7f01c042e0973ea1041c000883dd445c8866d0aff159bf91c8fd24ce02a97a309953f30313c40c1b722e617e0da44e1a7d6e62eb9667a7ba38c5853348ad5fd67176a3a8eaede35169abdfc13580d390b7deae4d9be60a11d7b36c60e8a095814558f4149def20bbf64cee06cddaca644f1ed93110e1392ae5db820fb9fe6525f85ec2bebc8637b66b3b34506f98c923e984fac3b416f28940270000',
 'rc6sbox':'8a8d6d1aecc63fd1767bff112688165e67aaed426146d46f2ce3ef389a41ac48a397aefedee1c80215c857c1b31aba5035a20c088a2c5cbaf85400c5024427a75fd3d795f8fa4a3fa3535505e5b765fe02f6e591a73eb18991c2c37d9084a24808d150e67bfe7586e79160d098bda87df92e50f524d57ba6643f1f150a790049c682d2ea188548da8d5bbb3d10735c8142ff8e089d31d43d53e9d3e3b6c19f3a428e036835d2d74034ece6c5a6eb1103'
 'urls': "['https://62.76.185.30/c.jpg']"
}

many changes in binstorage... :(

attached binary raw cfg and decoded

Attachments

vm2_0.zip

pw: infected
(497.28 KiB) Downloaded 108 times

mak - @maciekkotowicz

Username

comak

Posts

43

Joined

Mon Oct 14, 2013 8:25 am

Contact

Re: ZeusVM (Zeus clone)

#23075 by forty-six
Mon Jun 09, 2014 9:25 pm

@comak Looks like dropper in file:

In case file is removed, I've attached below

Code: Select all


ZVM file: 62.76.41.73:8080 /tst/b_cr.exe

Attachments

b_cr.7z

(186.35 KiB) Downloaded 86 times

Username

forty-six

Posts

66

Joined

Tue Sep 03, 2013 3:23 pm

Re: ZeusVM (Zeus clone)

#23098 by tohitsugu
Wed Jun 11, 2014 10:02 pm

Is there some new method of extracting RC6? I've never figured out how you guys get the RC6 from the binary.

Username

tohitsugu

Posts

5

Joined

Fri Apr 08, 2011 1:53 am

Re: ZeusVM (Zeus clone)

#23161 by MountFranklin
Fri Jun 20, 2014 4:31 am

guys, i've got this sample and its config as attached, details were obtained from

http://stopmalvertising.com/spam-scams/ ... lware.html

anyone who can decrypt the config?

Regards,
MountFranklin