[Xylitol]

Yes.

https://zeustracker.abuse.ch/monitor.ph ... .88.15.203
https://zeustracker.abuse.ch/monitor.ph ... 66.34.5.71
https://www.virustotal.com/en/file/7b6c ... 435309149/

[Xylitol]

kendra.fr recovered from take down for the second time and is re-distributing.
http://vxvault.net/ViriFiche.php?ID=28123
https://zeustracker.abuse.ch/monitor.php?host=kendra.fr
https://www.virustotal.com/en/file/9ad7 ... 436193282/

[comak]

new keys...

Code: Select all

{
  "binary": "7552f5e44684c5c0789d9fbab20eb8df",
  "family": "vmzeus2",
  "rc4sbox": "7776daaf5f6e5281ee6f68e52f46c4296233203ac53b09ade34d955b4b8e0e1bca98f78d51487513ce6c6728d87c7aa6150ab93c07fa166bdd60268038ae7b41e08f7de10f972a1d24085adc181a4afcffe23ebe44db54cf378b113fb18c662ba4d3bbeb83585ccbf5b7885d35c772bd739c1fb202dfd979f0c8221e9b0571f8019f59f1ed40c1a1a89d27874ecc19890da29e146a9082a036d045f49250b357c0c2aa94de93063db5569934a739315eef96f2850023b6d647420bb469d27ff674acbf30cd4325914c9a030c53f917637010d52cbaea2164d4b0fe0484a32d1cd7abbcc9d12e7886fbf312a9ece8e9e7e4fd49614fe67e328a55656da5c6b8c30000",
  "cfg-key": "rc6sbox",
  "cfg": "http://kendra.fr/walex/files/config.jpg",
  "alive": true,
  "botname": "\u00fb",
  "version": "02.00.00.00",
  "cnc": "kendra.fr",
  "urls": [
    "http://kendra.fr/walex/files/config.jpg"
  ],
  "fakeurl": "http://bzfdcp.com/cfg.bin",
  "rc6sbox": "93ff4027e90d6b8819814dd2f1ea2f3700c15b1b09665822794a07485490261778074aec55e5272f934470718c4e01b162f3e7bc1e758c6ec214c4f0113fb4895d61a62eaa13392368554424f966b37cbfac6600cfa6ba7a5ec3a26b8d06c5e09b165f9736328b0b3218c0f29a49863a613180c10e0ad96fb8e0e67e662efc02d0c04edcbb6b06a00a57678144254cd48c7bc4bff6289dff90773046f060a051065bf713cfb5bb40864c8e51da7a60b7",
  "strings": [
    "&;\"http://bzfdcp.com/cfg.bin"
  ]
}

[supahal]

Can you help to decrypt this file.
331e2d405c928baeb47e5d67a98195532c63c0a3

I believe this is KINS2

[comak]

i believe you are right ;]

Code: Select all

{
  "binary": "54f5ffd397b156782a177dfe85c3c8ea",
  "family": "vmzeus2",
  "rc4sbox": "561f0493246b664cc022f9ed609fe5f673ce447800135215bade1435bc746340aef15db7691a09e4d50fc14e8562c34d8c8a024f7145bdfafba7b6e9965ee35541c73ee65cd16e7261d237e15319c4862d3f58a0c2b56a31c53df0bef2ad9805b4ea834ab920aa1bac81f7df8e9e958470876c9a0bab775f3aff8d497d82cd8bb38f512e7f54b2345a292ac632909d887ae265e039ee89a37ca8bb7567d9c81c9b382c26082106fd174b07c930f5e8d3ddcadbf3d71642a6a27b47d40ca194d810f443eb9112b8fe33cb80250123361e48d0e73b5b99921d9c3c0df8dcdaccbf79a56db1270eec686f597e46cf1864fc2f280a11af502bd6a9977603a4ef57b00000",
  "cfg-key": "rc6sbox",
  "cfg": "https://vanilladed.com/server1/jf75qw.jpg",
  "botname": "botnet2",
  "version": "02.00.00.00",
  "cnc": "vanilladed.com",
  "urls": [
    "https://golfedxx.com/ktest/mod_vnc.bin",
    "https://vanilladed.com/server1/jf75qw.jpg"
  ],
  "fakeurl": "http://olpfo.com/xapwj/cfg.bin",
  "rc6sbox": "64be7c34431523a8665bd22839c72014c8bc17e6749898e2b744be04cb73dab87c8d2806b397647e057b3c3781857553bc604bc9651dbc10f0be2a3c1d33a99a5408c01e4a79b175f165ca640b14627ea1776681b3ed1fd938ac7c5befc3e1d367080476a8399c6095605577997c6b5c4d4d0f2c8991f38df2645d500026068604d45137e0451e8b9436f08416eadf717e19912906239a8cd88f9c5ca89b2f3cd30f767098698e82191e60bac20018d4",
  "strings": [
    "lhttp://olpfo.com/xapwj/cfg.bin"
  ]
}

domain seems to be dead?

[EP_X0FF]

Can you help to decrypt this file.
331e2d405c928baeb47e5d67a98195532c63c0a3

I believe this is KINS2

Maybe, as first step, you will attach your file?

[billbudsocket]

I believe this is the file.

[ikolor]

Something new malware code .

https://www.virustotal.com/en/file/d3c2 ... 438103570/

[EP_X0FF]

According to GLOBAL_BOT_MAPPING_NAME it is Zberp. Moved.

[patriq]

c2a29d45ea88ad254fd5daa7ee06cc59b61a87e2dad00fd5e106d9445b9ba965
https://www.virustotal.com/en/file/c2a2 ... /analysis/

8d576415b55ae49328ded87284c3e45d0f2bf3de2633c6538740e86e92a8558f
https://www.virustotal.com/en/file/8d57 ... /analysis/

01ce3d452c67346ebb8546de48b43705c49e6ea3417a61d1318f247d0e760fea
https://www.virustotal.com/en/file/01ce ... /analysis/


C2 still active
https://zeustracker.abuse.ch/monitor.ph ... stkoko.com

justkoko.png (78.13 KiB) Viewed 514 times

imports MSVBVM60.dll, which would make it a ZeusVM

samples and config attached.