A forum for reverse engineering, OS internals and malware analysis 

Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Requests

 #18311  by reverser
 Fri Feb 22, 2013 9:21 pm
I'd like to have a look at "Uknown malware" from the NBC hack mentioned here:
The attack also served an unknown malware binary, connecting to various websites:

hxxp://envirsoft.com/d.htm
hxxp://eastsidetennisassociation.com/l.htm
hxxp://magasin-shop.com/r.htm
hxxp://beautiesofcanada.com/o.htm

Some antivirus vendors identify this malware as Zbot or a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot and it’s not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end “SadokBdi”.

Re: Requests

 #18338  by Squirl
 Tue Feb 26, 2013 9:06 am
The compromise was serving up Citadel, according to most AV blogs. I've attached the various components of the compromise (but no Troj, sadly).
Attachments
password: infected
(25.47 KiB) Downloaded 65 times

Re: Citadel (Zeus clone)

 #19229  by Xylitol
 Wed May 08, 2013 7:56 pm
Citadel 1.3.5.1 targeting french banks
In attach config and decoded + plugins and sample.
Code: Select all
Drop: hxtp://angelescitypattaya.com/mimosa/welcome.php
Config: hxtp://angelescitypattaya.com/mimosa/file.php|file=mimosa.exe
Panel: hxtp://angelescitypattaya.com/mimosa/control.php
Reports path: /reporting/
Botnet ID: mimosa
Key: 92 A6 70 B6 CE FC A5 15 CF 1D AA 7A B1 8C EE 65
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(616.07 KiB) Downloaded 182 times

Re: Citadel (Zeus clone)

 #19551  by Xylitol
 Tue Jun 04, 2013 7:50 pm
Citadel 1.3.5.1 targeting chase.com domains
In attach config and decoded + plugins and sample.
Code: Select all
Drop: hxtp://www.gruppo-abc.it/public/mode.php
Config: hxtp://www.piszek.com/wp-includes/images/file.php|file=soft.exe
hxtp://byzantineinvestments.info/wp-content/uploads/file.php|file=tstconfig.bin
hxtp://kim.humanclay.ca/wp-content/uploads/2007/file.php|file=tstconfig.bin
Key: 15 0D 06 66 B7 3E B5 A4 5D 69 02 A3 70 2D C2 9A
login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(998.74 KiB) Downloaded 142 times

Re: Citadel (Zeus clone)

 #19595  by Xylitol
 Mon Jun 10, 2013 4:27 pm
Citadel 1.3.5.1 targeting french banks
In attach config and decoded + plugins and sample.
Code: Select all
Drop: hxtp://rivascloviso.net/caticlan/welcome.php
Update: hxtp://rivascloviso.net/caticlan/file.php
Panel: hxtp://rivascloviso.net/caticlan/control.php
Reports path: /reporting/
Botnet ID: caticlan
Key: 92 A6 70 B6 CE FC A5 15 CF 1D AA 7A B1 8C EE 65
login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(589.61 KiB) Downloaded 142 times

Re: Citadel (Zeus clone)

 #19596  by Xylitol
 Mon Jun 10, 2013 6:20 pm
Citadel 1.3.5.1 targeting wellsfargo.com domains
In attach config and decoded + plugins and sample.
Code: Select all
Drop: hxtp://64.85.233.8/hide/1355/enter.php
Update: hxtp://whitewidow.ciscofreak.com/hide/1355/file.php|file=config.bin
Key: 11 0D 57 79 BA 74 C2 E4 98 6C F6 BD 65 BC FF C1
login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(602.92 KiB) Downloaded 143 times
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7
  • 20
 Return to “Malware”