Zeus 1[.]2[.]4[.]2[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

Zeus 1.2.4.2.rar
Size

1.7MB
MD5

a24094b6e34a461d9919c38399e76bd8
SHA1

f433f88e4ac908a4cb3663a15538c03283ab1be4
SHA256

eca4c6dfae42028ab1dec3fa98f229144364c2c36182f264a0635e4b2eb02597
SHA512

2a9222e5b6d91e6149845d0b3266e2c09519795983d81cb0e938af1e71207076cb35a989523f267f8999cf90ef5288230aba005a8d9ffaa4a239ff8c06d449f0
SSDEEP

24576:XmbHF4Q0cDUKtTmytJdGNhQCDh9vK/mfK3L5cDUKtTmytJdGNhQCDh0vKrz/rRB:XmJ4Q0ShTjtG7f9velShTjtG7f0vcf

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/Zeus 1.2.4.2/builder.exe	upx
static1/unpack001/Zeus 1.2.4.2/server/zsbcs.exe	upx

Unsigned PE 7 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Zeus 1.2.4.2/bot.exe
unpack001/Zeus 1.2.4.2/builder.exe
unpack003/out.upx
unpack001/Zeus 1.2.4.2/server/zsbcs.exe
unpack004/out.upx
unpack001/Zeus 1.2.4.2/server/zsbcs64.exe
unpack001/Zeus 1.2.4.2/xCrypt.exe

Files

Zeus 1.2.4.2.rar
.rar

Password: 23
Zeus 1.2.4.2/bot.exe
.exe windows:4 windows x86 arch:x86

Password: 23

5c469d6c42d62faa32beee016e1f4f87

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

VirtualAlloc
GetCommandLineA
lstrcpyA
GetFileTime
GetModuleHandleA
Sleep
SystemTimeToFileTime
VirtualProtect
GetTimeZoneInformation
CloseHandle
lstrlenW
GetSystemTime
GetEnvironmentVariableW
SetFileTime
InitializeCriticalSection
GetFileSizeEx
GetModuleFileNameA
LeaveCriticalSection
GetAtomNameW
GetDiskFreeSpaceW
GetCurrentThreadId
GetFileSize

user32

GetDlgItemTextA
ToUnicode
CloseDesktop
MsgWaitForMultipleObjects
DrawIcon
GetMessageA
GetCursorPos
ExitWindowsEx
GetWindowThreadProcessId
GetIconInfo
SetThreadDesktop
GetKeyboardState
GetWindowTextA
GetDlgItem
OpenWindowStationA
FindWindowExA

shlwapi

wnsprintfW
StrCmpNIW
PathFileExistsW
StrStrW
PathRemoveFileSpecW
PathFindFileNameW
SHDeleteKeyA
wnsprintfA
PathCombineW
StrCmpNIA
PathMatchSpecW
wvnsprintfW

advapi32

RegDeleteValueA
CryptHashData
CryptCreateHash
CryptReleaseContext
RegQueryValueExA
CryptDestroyHash
RegCloseKey
DuplicateTokenEx
GetUserNameW
RegEnumKeyExA

Sections

.text
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Zeus 1.2.4.2/builder.exe
.exe windows:5 windows x86 arch:x86

Password: 23

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 68KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 62KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 107KB - Virtual size: 107KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Zeus 1.2.4.2/config.bin
Zeus 1.2.4.2/config.txt
Zeus 1.2.4.2/manual_en.txt
Zeus 1.2.4.2/manual_ru.txt
Zeus 1.2.4.2/other/redir.php
Zeus 1.2.4.2/other/sockslist.php
Zeus 1.2.4.2/server/zsbcs.exe
.exe windows:5 windows x86 arch:x86

Password: 23

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 16KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Zeus 1.2.4.2/server/zsbcs64.exe
.exe windows:5 windows x64 arch:x64

Password: 23

6d06b6b16aa2864032cb66315c3344cb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LeaveCriticalSection
GetLastError
EnterCriticalSection
SetConsoleCtrlHandler
CreateEventW
WaitForMultipleObjects
DeleteCriticalSection
CloseHandle
HeapReAlloc
HeapAlloc
HeapFree
GetTickCount
GetProcessHeap
InitializeCriticalSection
GetConsoleMode
HeapDestroy
HeapCreate
WriteConsoleW
lstrcmpW
MultiByteToWideChar
GetStdHandle
GetFileType
lstrcpyW
CreateThread
SetEvent
WaitForSingleObject
LocalFree
GetModuleFileNameW
GetCommandLineW
WriteFile
ExitProcess

shlwapi

StrCmpNW
StrChrW
wvnsprintfW
PathFindFileNameW

shell32

CommandLineToArgvW

ws2_32

accept
WSAGetLastError
listen
send
closesocket
WSASetLastError
socket
bind
recv
WSACleanup
shutdown
select
WSAStartup

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 300B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Zeus 1.2.4.2/web/cp.php
.js
Zeus 1.2.4.2/web/gate.php
Zeus 1.2.4.2/web/install/geobase.txt
Zeus 1.2.4.2/web/install/index.php
.ps1
Zeus 1.2.4.2/web/system/.htaccess
Zeus 1.2.4.2/web/system/botnet_bots.lng.en.php
Zeus 1.2.4.2/web/system/botnet_bots.lng.ru.php
Zeus 1.2.4.2/web/system/botnet_bots.php
Zeus 1.2.4.2/web/system/botnet_scripts.lng.en.php
Zeus 1.2.4.2/web/system/botnet_scripts.lng.ru.php
Zeus 1.2.4.2/web/system/botnet_scripts.php
Zeus 1.2.4.2/web/system/fsarc.php
Zeus 1.2.4.2/web/system/global.php
Zeus 1.2.4.2/web/system/lng.en.php
Zeus 1.2.4.2/web/system/lng.ru.php
Zeus 1.2.4.2/web/system/reports_db.lng.en.php
Zeus 1.2.4.2/web/system/reports_db.lng.ru.php
Zeus 1.2.4.2/web/system/reports_db.php
.js
Zeus 1.2.4.2/web/system/reports_files.lng.en.php
Zeus 1.2.4.2/web/system/reports_files.lng.ru.php
Zeus 1.2.4.2/web/system/reports_files.php
.js
Zeus 1.2.4.2/web/system/stats_main.lng.en.php
Zeus 1.2.4.2/web/system/stats_main.lng.ru.php
Zeus 1.2.4.2/web/system/stats_main.php
.js
Zeus 1.2.4.2/web/system/stats_os.lng.en.php
Zeus 1.2.4.2/web/system/stats_os.lng.ru.php
Zeus 1.2.4.2/web/system/stats_os.php
Zeus 1.2.4.2/web/system/sys_info.lng.en.php
Zeus 1.2.4.2/web/system/sys_info.lng.ru.php
Zeus 1.2.4.2/web/system/sys_info.php
Zeus 1.2.4.2/web/system/sys_options.lng.en.php
Zeus 1.2.4.2/web/system/sys_options.lng.ru.php
Zeus 1.2.4.2/web/system/sys_options.php
Zeus 1.2.4.2/web/system/sys_user.lng.en.php
Zeus 1.2.4.2/web/system/sys_user.lng.ru.php
Zeus 1.2.4.2/web/system/sys_user.php
Zeus 1.2.4.2/web/system/sys_users.lng.en.php
Zeus 1.2.4.2/web/system/sys_users.lng.ru.php
Zeus 1.2.4.2/web/system/sys_users.php
Zeus 1.2.4.2/web/theme/failed.png
.png

Password: 23
Zeus 1.2.4.2/web/theme/footer.html
Zeus 1.2.4.2/web/theme/header.html
.html .js polyglot
Zeus 1.2.4.2/web/theme/index.php
.ps1
Zeus 1.2.4.2/web/theme/popupmenu.js
.js
Zeus 1.2.4.2/web/theme/small.html
.html
Zeus 1.2.4.2/web/theme/style.css
Zeus 1.2.4.2/web/theme/throbber.gif
.gif
Zeus 1.2.4.2/web/theme/utils.js
.js
Zeus 1.2.4.2/web_cleaned/cp.php
.js
Zeus 1.2.4.2/web_cleaned/gate.php
Zeus 1.2.4.2/web_cleaned/install/geobase.txt
Zeus 1.2.4.2/web_cleaned/install/index.php
.ps1
Zeus 1.2.4.2/web_cleaned/ip.php
Zeus 1.2.4.2/web_cleaned/system/.htaccess
Zeus 1.2.4.2/web_cleaned/system/botnet_bots.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/botnet_bots.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/botnet_bots.php
Zeus 1.2.4.2/web_cleaned/system/botnet_scripts.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/botnet_scripts.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/botnet_scripts.php
Zeus 1.2.4.2/web_cleaned/system/fsarc.php
Zeus 1.2.4.2/web_cleaned/system/global.php
Zeus 1.2.4.2/web_cleaned/system/lng.en.php
Zeus 1.2.4.2/web_cleaned/system/lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/reports_db.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/reports_db.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/reports_db.php
.js
Zeus 1.2.4.2/web_cleaned/system/reports_files.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/reports_files.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/reports_files.php
.js
Zeus 1.2.4.2/web_cleaned/system/stats_main.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/stats_main.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/stats_main.php
.js
Zeus 1.2.4.2/web_cleaned/system/stats_os.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/stats_os.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/stats_os.php
Zeus 1.2.4.2/web_cleaned/system/sys_info.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/sys_info.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/sys_info.php
Zeus 1.2.4.2/web_cleaned/system/sys_options.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/sys_options.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/sys_options.php
Zeus 1.2.4.2/web_cleaned/system/sys_user.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/sys_user.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/sys_user.php
Zeus 1.2.4.2/web_cleaned/system/sys_users.lng.en.php
Zeus 1.2.4.2/web_cleaned/system/sys_users.lng.ru.php
Zeus 1.2.4.2/web_cleaned/system/sys_users.php
Zeus 1.2.4.2/web_cleaned/theme/failed.png
.png

Password: 23
Zeus 1.2.4.2/web_cleaned/theme/footer.html
Zeus 1.2.4.2/web_cleaned/theme/header.html
.html .js polyglot
Zeus 1.2.4.2/web_cleaned/theme/index.php
.ps1
Zeus 1.2.4.2/web_cleaned/theme/popupmenu.js
.js
Zeus 1.2.4.2/web_cleaned/theme/small.html
.html
Zeus 1.2.4.2/web_cleaned/theme/style.css
Zeus 1.2.4.2/web_cleaned/theme/throbber.gif
.gif
Zeus 1.2.4.2/web_cleaned/theme/utils.js
.js
Zeus 1.2.4.2/webinjects.txt
.js
Zeus 1.2.4.2/xCrypt.exe
.exe windows:4 windows x86 arch:x86

Password: 23

cf0ddd16c1c324fc7f0f27800be6be44

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

_CIcos
_adj_fptan
__vbaFreeVar
__vbaAryMove
__vbaStrVarMove
__vbaLenBstr
__vbaLateIdCall
__vbaFreeVarList
__vbaPut3
_adj_fdiv_m64
__vbaPut4
ord516
_adj_fprem1
__vbaRecAnsiToUni
ord519
__vbaStrCat
__vbaLsetFixstr
__vbaRecDestruct
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
ord666
__vbaAryDestruct
__vbaExitProc
__vbaFileCloseAll
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
ord598
_CIsin
ord631
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaGet3
__vbaStrCmp
ord529
__vbaPutOwner3
__vbaPutOwner4
__vbaI2I4
DllFunctionCall
__vbaLbound
__vbaRedimPreserve
_adj_fpatan
__vbaLateIdCallLd
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
ord717
__vbaGetOwner3
__vbaUbound
__vbaStrVarVal
__vbaGetOwner4
__vbaVarCat
ord536
ord537
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
ord648
ord570
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
ord572
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord578
ord100
__vbaAryLock
__vbaVarDup
ord616
__vbaVarCopy
_CIatan
ord618
__vbaStrMove
_allmul
__vbaLateIdSt
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeStr
__vbaFreeObj

Sections

.text
Size: 80KB - Virtual size: 77KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 23

Password: 23

5c469d6c42d62faa32beee016e1f4f87

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

shlwapi

advapi32

Sections

.text Size: 58KB - Virtual size: 57KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 20KB

Password: 23

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 68KB

UPX1 Size: 62KB - Virtual size: 64KB

.rsrc Size: 7KB - Virtual size: 8KB

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 107KB - Virtual size: 107KB

.data Size: 512B - Virtual size: 4KB

.rsrc Size: 7KB - Virtual size: 7KB

Password: 23

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 16KB

UPX1 Size: 5KB - Virtual size: 8KB

UPX2 Size: 512B - Virtual size: 4KB

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 10KB - Virtual size: 9KB

.data Size: 512B - Virtual size: 3KB

Password: 23

6d06b6b16aa2864032cb66315c3344cb

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

shlwapi

shell32

ws2_32

Sections

.text Size: 12KB - Virtual size: 12KB

.data Size: 512B - Virtual size: 3KB

.pdata Size: 512B - Virtual size: 300B

Password: 23

Password: 23

Password: 23

cf0ddd16c1c324fc7f0f27800be6be44

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 80KB - Virtual size: 77KB

.data Size: 4KB - Virtual size: 2KB

.rsrc Size: 60KB - Virtual size: 59KB

.text
Size: 58KB - Virtual size: 57KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 20KB

UPX0
Size: - Virtual size: 68KB

UPX1
Size: 62KB - Virtual size: 64KB

.rsrc
Size: 7KB - Virtual size: 8KB

.text
Size: 107KB - Virtual size: 107KB

.data
Size: 512B - Virtual size: 4KB

.rsrc
Size: 7KB - Virtual size: 7KB

UPX0
Size: - Virtual size: 16KB

UPX1
Size: 5KB - Virtual size: 8KB

UPX2
Size: 512B - Virtual size: 4KB

.text
Size: 10KB - Virtual size: 9KB

.data
Size: 512B - Virtual size: 3KB

.text
Size: 12KB - Virtual size: 12KB

.data
Size: 512B - Virtual size: 3KB

.pdata
Size: 512B - Virtual size: 300B

.text
Size: 80KB - Virtual size: 77KB

.data
Size: 4KB - Virtual size: 2KB

.rsrc
Size: 60KB - Virtual size: 59KB