https://www.virustotal.com/en/file/5455 ... 371536716/
As this one seems seriously modded, I've taken the liberty of creating a new thread.
The Zeus thread can be found here: http://www.kernelmode.info/forum/viewto ... f=16&t=474
hxxp://95.169.184.178/amob/a1/admin/exe.exe
Version : 4.3.3.3
URL loader: hxtp://systemme.epac.to/exe.exe
URL server: hxtp://tools.travestieurope.biz/amob/a1/gate.php
[ADVANCEDCONFIGS]
hxtp://securewebnet.biz/amob/a1/sys.php
[WEBFILTERS]
!*.microsoft.com/*
!http://*
KANAL detected a base64 signature, probably for the config; I tried to decode it but failed with Volatility and found nothing manually (except a headache with process injections).
vol -f xp\ sp3-174fa25c.vmem zeusscan2
**************************************************
Process : explorer.exe
Pid : 1480
Address : 39845888
URL 0 : http://tools.travestieurope.biz/amob/a1/cfg/config.php
Identifier : ADMIN-E21F5B160_7875768F3101841F
Mutant key : 159752132
XOR key : 1908723210
Registry : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Onybku
Value 1 : Ustel
Value 2 : Ceebutcyi
Value 3 : Lafel
Executable : Ikimu\yraf.exe
Data file : Uxvi\ybyg.hee
Config RC4 key :
0x02600000 39 84 42 5f 44 82 2b cf 66 7a 68 28 c9 e7 10 6e 9.B_D.+.fzh(...n
0x02600010 9f 1e 20 74 62 90 70 98 6f a6 81 f5 0f a8 da 7b ...tb.p.o......{
0x02600020 c5 f3 09 b2 3f fb 9e e5 7d b4 a7 c2 4e a1 80 7c ....?...}...N..|
0x02600030 14 55 8f 48 a2 1f e9 24 f7 05 49 d0 40 b0 a3 61 .U.H...$..I.@..a
0x02600040 95 75 29 53 d1 15 00 6b 7e 45 ee 4f d3 31 8a 9d .u)S...k~E.O.1..
0x02600050 35 32 26 b8 11 67 f1 2d 0e 38 d8 18 79 d2 0a fa 52&..g.-.8..y...
0x02600060 93 25 db 2a a9 71 df 88 56 72 b5 91 2e 46 58 4c .%.*.q..Vr...FXL
0x02600070 d4 ec 3a e6 9a 87 63 c0 b7 ae 13 e3 a4 2c d9 9c ..:...c......,..
0x02600080 ad 50 bc 8b 17 de 89 ff b6 fd bf ed 1c 96 b9 be .P..............
0x02600090 5d ea 76 aa 73 94 08 65 23 30 12 5b cc 22 01 ac ].v.s..e#0.[."..
0x026000a0 69 77 e2 a5 1b 4b bb 0c fc 37 03 c3 33 c6 3b 52 iw...K...7..3.;R
0x026000b0 6d 3e a0 ba 8c 4a ef fe 3c 57 51 21 85 16 e1 43 m>...J..<WQ!...C
0x026000c0 0d dd 47 f9 d7 f2 cd 78 c7 4d b3 bd cb 86 f4 c8 ..G....x.M......
0x026000d0 02 64 e4 ab 06 5a 92 54 19 04 36 dc 8e 41 f0 c4 .d...Z.T..6..A..
0x026000e0 1a 0b 59 af d5 e0 6a ca 07 99 eb c1 9b 97 27 7f ..Y...j.......'.
0x026000f0 b1 6c e8 d6 ce 83 f8 5c 34 8d 2f 3d 1d 5e 60 f6 .l.....\4./=.^`.
0x02600100 00 00 ..
Credential RC4 key :
0x02600000 9e 40 37 d6 57 5c c2 ec 1f 31 98 3b a6 74 2b 50 .@7.W\...1.;.t+P
0x02600010 fc 4b 5a a7 10 69 32 c1 5f 1c 33 6f 36 45 c3 a3 .KZ..i2._.3o6E..
0x02600020 ff 19 cb f5 27 b2 b4 ac 47 d2 18 0f a0 c8 db e7 ....'...G.......
0x02600030 26 48 80 21 b6 d4 1a ae e1 87 76 52 5e 68 f2 c0 &H.!......vR^h..
0x02600040 3f ee aa 01 fd 20 2e 1b 43 b7 9f 6c 17 f9 df 0b ?.......C..l....
0x02600050 8a 25 d1 fb b5 67 03 0d 3d b0 a2 46 54 79 d9 34 .%...g..=..FTy.4
0x02600060 a8 88 c7 07 2c 84 94 8c 4d f8 71 00 93 8d e3 5d ....,...M.q....]
0x02600070 89 fe a1 23 9d 60 75 bb 41 1e 04 2d ba 83 91 de ...#.`u.A..-....
0x02600080 ca a9 4e ab a4 73 8e 13 d5 72 da bf 7a f1 92 44 ..N..s...r..z..D
0x02600090 0c 02 29 82 9b 4a 1d 4f 99 53 06 cd 12 af 64 f4 ..)..J.O.S....d.
0x026000a0 f0 ef e8 b1 bd d0 9c dd e5 ad f7 0e 97 4c 3c 96 .............L<.
0x026000b0 8f 05 58 24 59 e0 be ed f3 a5 11 16 0a 5b 66 78 ..X$Y........[fx
0x026000c0 49 c5 08 39 bc 14 e2 ce 90 7b c6 95 62 d8 6a e9 I..9.....{..b.j.
0x026000d0 e6 b8 51 81 7f 6e fa cc d7 e4 c4 d3 ea eb 42 61 ..Q..n........Ba
0x026000e0 55 63 6d 85 56 2a 3a f6 b9 28 3e dc 65 7e b3 6b Ucm.V*:..(>.e~.k
0x026000f0 15 30 86 77 7c 7d 70 09 22 c9 8b 2f 35 38 9a cf .0.w|}p."../58..
0x02600100 00 00 ..
**************************************************
Process : vmtoolsd.exe
Pid : 1720
Address : 33554432
URL 0 : http://tools.travestieurope.biz/amob/a1/cfg/config.php
Identifier : ADMIN-E21F5B160_7875768F3101841F
Mutant key : 159752132
XOR key : 1908723210
Registry : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Onybku
Value 1 : Ustel
Value 2 : Ceebutcyi
Value 3 : Lafel
Executable : Ikimu\yraf.exe
Data file : Uxvi\ybyg.hee
Config RC4 key :
0x02000000 39 84 42 5f 44 82 2b cf 66 7a 68 28 c9 e7 10 6e 9.B_D.+.fzh(...n
0x02000010 9f 1e 20 74 62 90 70 98 6f a6 81 f5 0f a8 da 7b ...tb.p.o......{
0x02000020 c5 f3 09 b2 3f fb 9e e5 7d b4 a7 c2 4e a1 80 7c ....?...}...N..|
0x02000030 14 55 8f 48 a2 1f e9 24 f7 05 49 d0 40 b0 a3 61 .U.H...$..I.@..a
0x02000040 95 75 29 53 d1 15 00 6b 7e 45 ee 4f d3 31 8a 9d .u)S...k~E.O.1..
0x02000050 35 32 26 b8 11 67 f1 2d 0e 38 d8 18 79 d2 0a fa 52&..g.-.8..y...
0x02000060 93 25 db 2a a9 71 df 88 56 72 b5 91 2e 46 58 4c .%.*.q..Vr...FXL
0x02000070 d4 ec 3a e6 9a 87 63 c0 b7 ae 13 e3 a4 2c d9 9c ..:...c......,..
0x02000080 ad 50 bc 8b 17 de 89 ff b6 fd bf ed 1c 96 b9 be .P..............
0x02000090 5d ea 76 aa 73 94 08 65 23 30 12 5b cc 22 01 ac ].v.s..e#0.[."..
0x020000a0 69 77 e2 a5 1b 4b bb 0c fc 37 03 c3 33 c6 3b 52 iw...K...7..3.;R
0x020000b0 6d 3e a0 ba 8c 4a ef fe 3c 57 51 21 85 16 e1 43 m>...J..<WQ!...C
0x020000c0 0d dd 47 f9 d7 f2 cd 78 c7 4d b3 bd cb 86 f4 c8 ..G....x.M......
0x020000d0 02 64 e4 ab 06 5a 92 54 19 04 36 dc 8e 41 f0 c4 .d...Z.T..6..A..
0x020000e0 1a 0b 59 af d5 e0 6a ca 07 99 eb c1 9b 97 27 7f ..Y...j.......'.
0x020000f0 b1 6c e8 d6 ce 83 f8 5c 34 8d 2f 3d 1d 5e 60 f6 .l.....\4./=.^`.
0x02000100 00 00 ..
Credential RC4 key :
0x02000000 9e 40 37 d6 57 5c c2 ec 1f 31 98 3b a6 74 2b 50 .@7.W\...1.;.t+P
0x02000010 fc 4b 5a a7 10 69 32 c1 5f 1c 33 6f 36 45 c3 a3 .KZ..i2._.3o6E..
0x02000020 ff 19 cb f5 27 b2 b4 ac 47 d2 18 0f a0 c8 db e7 ....'...G.......
0x02000030 26 48 80 21 b6 d4 1a ae e1 87 76 52 5e 68 f2 c0 &H.!......vR^h..
0x02000040 3f ee aa 01 fd 20 2e 1b 43 b7 9f 6c 17 f9 df 0b ?.......C..l....
0x02000050 8a 25 d1 fb b5 67 03 0d 3d b0 a2 46 54 79 d9 34 .%...g..=..FTy.4
0x02000060 a8 88 c7 07 2c 84 94 8c 4d f8 71 00 93 8d e3 5d ....,...M.q....]
0x02000070 89 fe a1 23 9d 60 75 bb 41 1e 04 2d ba 83 91 de ...#.`u.A..-....
0x02000080 ca a9 4e ab a4 73 8e 13 d5 72 da bf 7a f1 92 44 ..N..s...r..z..D
0x02000090 0c 02 29 82 9b 4a 1d 4f 99 53 06 cd 12 af 64 f4 ..)..J.O.S....d.
0x020000a0 f0 ef e8 b1 bd d0 9c dd e5 ad f7 0e 97 4c 3c 96 .............L<.
0x020000b0 8f 05 58 24 59 e0 be ed f3 a5 11 16 0a 5b 66 78 ..X$Y........[fx
0x020000c0 49 c5 08 39 bc 14 e2 ce 90 7b c6 95 62 d8 6a e9 I..9.....{..b.j.
0x020000d0 e6 b8 51 81 7f 6e fa cc d7 e4 c4 d3 ea eb 42 61 ..Q..n........Ba
0x020000e0 55 63 6d 85 56 2a 3a f6 b9 28 3e dc 65 7e b3 6b Ucm.V*:..(>.e~.k
0x020000f0 15 30 86 77 7c 7d 70 09 22 c9 8b 2f 35 38 9a cf .0.w|}p."../58..
0x02000100 00 00 ..
**************************************************
Process : ctfmon.exe
Pid : 1440
Address : 12058624
URL 0 : http://tools.travestieurope.biz/amob/a1/cfg/config.php
Identifier : ADMIN-E21F5B160_7875768F3101841F
Mutant key : 159752132
XOR key : 1908723210
Registry : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Onybku
Value 1 : Ustel
Value 2 : Ceebutcyi
Value 3 : Lafel
Executable : Ikimu\yraf.exe
Data file : Uxvi\ybyg.hee
Config RC4 key :
0x00b80000 39 84 42 5f 44 82 2b cf 66 7a 68 28 c9 e7 10 6e 9.B_D.+.fzh(...n
0x00b80010 9f 1e 20 74 62 90 70 98 6f a6 81 f5 0f a8 da 7b ...tb.p.o......{
0x00b80020 c5 f3 09 b2 3f fb 9e e5 7d b4 a7 c2 4e a1 80 7c ....?...}...N..|
0x00b80030 14 55 8f 48 a2 1f e9 24 f7 05 49 d0 40 b0 a3 61 .U.H...$..I.@..a
0x00b80040 95 75 29 53 d1 15 00 6b 7e 45 ee 4f d3 31 8a 9d .u)S...k~E.O.1..
0x00b80050 35 32 26 b8 11 67 f1 2d 0e 38 d8 18 79 d2 0a fa 52&..g.-.8..y...
0x00b80060 93 25 db 2a a9 71 df 88 56 72 b5 91 2e 46 58 4c .%.*.q..Vr...FXL
0x00b80070 d4 ec 3a e6 9a 87 63 c0 b7 ae 13 e3 a4 2c d9 9c ..:...c......,..
0x00b80080 ad 50 bc 8b 17 de 89 ff b6 fd bf ed 1c 96 b9 be .P..............
0x00b80090 5d ea 76 aa 73 94 08 65 23 30 12 5b cc 22 01 ac ].v.s..e#0.[."..
0x00b800a0 69 77 e2 a5 1b 4b bb 0c fc 37 03 c3 33 c6 3b 52 iw...K...7..3.;R
0x00b800b0 6d 3e a0 ba 8c 4a ef fe 3c 57 51 21 85 16 e1 43 m>...J..<WQ!...C
0x00b800c0 0d dd 47 f9 d7 f2 cd 78 c7 4d b3 bd cb 86 f4 c8 ..G....x.M......
0x00b800d0 02 64 e4 ab 06 5a 92 54 19 04 36 dc 8e 41 f0 c4 .d...Z.T..6..A..
0x00b800e0 1a 0b 59 af d5 e0 6a ca 07 99 eb c1 9b 97 27 7f ..Y...j.......'.
0x00b800f0 b1 6c e8 d6 ce 83 f8 5c 34 8d 2f 3d 1d 5e 60 f6 .l.....\4./=.^`.
0x00b80100 00 00 ..
Credential RC4 key :
0x00b80000 9e 40 37 d6 57 5c c2 ec 1f 31 98 3b a6 74 2b 50 .@7.W\...1.;.t+P
0x00b80010 fc 4b 5a a7 10 69 32 c1 5f 1c 33 6f 36 45 c3 a3 .KZ..i2._.3o6E..
0x00b80020 ff 19 cb f5 27 b2 b4 ac 47 d2 18 0f a0 c8 db e7 ....'...G.......
0x00b80030 26 48 80 21 b6 d4 1a ae e1 87 76 52 5e 68 f2 c0 &H.!......vR^h..
0x00b80040 3f ee aa 01 fd 20 2e 1b 43 b7 9f 6c 17 f9 df 0b ?.......C..l....
0x00b80050 8a 25 d1 fb b5 67 03 0d 3d b0 a2 46 54 79 d9 34 .%...g..=..FTy.4
0x00b80060 a8 88 c7 07 2c 84 94 8c 4d f8 71 00 93 8d e3 5d ....,...M.q....]
0x00b80070 89 fe a1 23 9d 60 75 bb 41 1e 04 2d ba 83 91 de ...#.`u.A..-....
0x00b80080 ca a9 4e ab a4 73 8e 13 d5 72 da bf 7a f1 92 44 ..N..s...r..z..D
0x00b80090 0c 02 29 82 9b 4a 1d 4f 99 53 06 cd 12 af 64 f4 ..)..J.O.S....d.
0x00b800a0 f0 ef e8 b1 bd d0 9c dd e5 ad f7 0e 97 4c 3c 96 .............L<.
0x00b800b0 8f 05 58 24 59 e0 be ed f3 a5 11 16 0a 5b 66 78 ..X$Y........[fx
0x00b800c0 49 c5 08 39 bc 14 e2 ce 90 7b c6 95 62 d8 6a e9 I..9.....{..b.j.
0x00b800d0 e6 b8 51 81 7f 6e fa cc d7 e4 c4 d3 ea eb 42 61 ..Q..n........Ba
0x00b800e0 55 63 6d 85 56 2a 3a f6 b9 28 3e dc 65 7e b3 6b Ucm.V*:..(>.e~.k
0x00b800f0 15 30 86 77 7c 7d 70 09 22 c9 8b 2f 35 38 9a cf .0.w|}p."../58..
0x00b80100 00 00 ..
**************************************************
Process : wscntfy.exe
Pid : 1136
Address : 11730944
URL 0 : http://tools.travestieurope.biz/amob/a1/cfg/config.php
Identifier : ADMIN-E21F5B160_7875768F3101841F
Mutant key : 159752132
XOR key : 1908723210
Registry : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Onybku
Value 1 : Ustel
Value 2 : Ceebutcyi
Value 3 : Lafel
Executable : Ikimu\yraf.exe
Data file : Uxvi\ybyg.hee
Config RC4 key :
0x00b30000 39 84 42 5f 44 82 2b cf 66 7a 68 28 c9 e7 10 6e 9.B_D.+.fzh(...n
0x00b30010 9f 1e 20 74 62 90 70 98 6f a6 81 f5 0f a8 da 7b ...tb.p.o......{
0x00b30020 c5 f3 09 b2 3f fb 9e e5 7d b4 a7 c2 4e a1 80 7c ....?...}...N..|
0x00b30030 14 55 8f 48 a2 1f e9 24 f7 05 49 d0 40 b0 a3 61 .U.H...$..I.@..a
0x00b30040 95 75 29 53 d1 15 00 6b 7e 45 ee 4f d3 31 8a 9d .u)S...k~E.O.1..
0x00b30050 35 32 26 b8 11 67 f1 2d 0e 38 d8 18 79 d2 0a fa 52&..g.-.8..y...
0x00b30060 93 25 db 2a a9 71 df 88 56 72 b5 91 2e 46 58 4c .%.*.q..Vr...FXL
0x00b30070 d4 ec 3a e6 9a 87 63 c0 b7 ae 13 e3 a4 2c d9 9c ..:...c......,..
0x00b30080 ad 50 bc 8b 17 de 89 ff b6 fd bf ed 1c 96 b9 be .P..............
0x00b30090 5d ea 76 aa 73 94 08 65 23 30 12 5b cc 22 01 ac ].v.s..e#0.[."..
0x00b300a0 69 77 e2 a5 1b 4b bb 0c fc 37 03 c3 33 c6 3b 52 iw...K...7..3.;R
0x00b300b0 6d 3e a0 ba 8c 4a ef fe 3c 57 51 21 85 16 e1 43 m>...J..<WQ!...C
0x00b300c0 0d dd 47 f9 d7 f2 cd 78 c7 4d b3 bd cb 86 f4 c8 ..G....x.M......
0x00b300d0 02 64 e4 ab 06 5a 92 54 19 04 36 dc 8e 41 f0 c4 .d...Z.T..6..A..
0x00b300e0 1a 0b 59 af d5 e0 6a ca 07 99 eb c1 9b 97 27 7f ..Y...j.......'.
0x00b300f0 b1 6c e8 d6 ce 83 f8 5c 34 8d 2f 3d 1d 5e 60 f6 .l.....\4./=.^`.
0x00b30100 00 00 ..
Credential RC4 key :
0x00b30000 9e 40 37 d6 57 5c c2 ec 1f 31 98 3b a6 74 2b 50 .@7.W\...1.;.t+P
0x00b30010 fc 4b 5a a7 10 69 32 c1 5f 1c 33 6f 36 45 c3 a3 .KZ..i2._.3o6E..
0x00b30020 ff 19 cb f5 27 b2 b4 ac 47 d2 18 0f a0 c8 db e7 ....'...G.......
0x00b30030 26 48 80 21 b6 d4 1a ae e1 87 76 52 5e 68 f2 c0 &H.!......vR^h..
0x00b30040 3f ee aa 01 fd 20 2e 1b 43 b7 9f 6c 17 f9 df 0b ?.......C..l....
0x00b30050 8a 25 d1 fb b5 67 03 0d 3d b0 a2 46 54 79 d9 34 .%...g..=..FTy.4
0x00b30060 a8 88 c7 07 2c 84 94 8c 4d f8 71 00 93 8d e3 5d ....,...M.q....]
0x00b30070 89 fe a1 23 9d 60 75 bb 41 1e 04 2d ba 83 91 de ...#.`u.A..-....
0x00b30080 ca a9 4e ab a4 73 8e 13 d5 72 da bf 7a f1 92 44 ..N..s...r..z..D
0x00b30090 0c 02 29 82 9b 4a 1d 4f 99 53 06 cd 12 af 64 f4 ..)..J.O.S....d.
0x00b300a0 f0 ef e8 b1 bd d0 9c dd e5 ad f7 0e 97 4c 3c 96 .............L<.
0x00b300b0 8f 05 58 24 59 e0 be ed f3 a5 11 16 0a 5b 66 78 ..X$Y........[fx
0x00b300c0 49 c5 08 39 bc 14 e2 ce 90 7b c6 95 62 d8 6a e9 I..9.....{..b.j.
0x00b300d0 e6 b8 51 81 7f 6e fa cc d7 e4 c4 d3 ea eb 42 61 ..Q..n........Ba
0x00b300e0 55 63 6d 85 56 2a 3a f6 b9 28 3e dc 65 7e b3 6b Ucm.V*:..(>.e~.k
0x00b300f0 15 30 86 77 7c 7d 70 09 22 c9 8b 2f 35 38 9a cf .0.w|}p."../58..
0x00b80100 00 00 ..
'Zeustadel' cnc:
Older versions were dropped via Blackhole:
hxxp://frestifaldance3.in/clearer/spot-channels-deletes-documenting.php?ozej=1j:1g:30:1m:1n&txxs=1i:1h:1f:1l:1m:33:2w:1g:2w:32&rrbwt=1i&zdy=nfajhd&pdaolcag=yiqjarz
https://www.virustotal.com/en/file/2bb0 ... 371538366/
https://www.virustotal.com/en/file/eca0 ... 371538368/
Attachments
infected (267.32 KiB) Downloaded 90 times
infected (460.62 KiB) Downloaded 122 times