The Zeus malware, it is incredible and it seems that Zeus is here to stay.
We have decided to share a analysis on a Zeus malware sample.
In the information below, you will see the behaviour of the Zeus malware.
If you take a close look, you will see that the anti-virus companies are having a hard time to identify the Zeus malware.
File Details
| File Name | 89c4c9fd55c7c5d68fb52688b00c12d29b4537e2c8bfcd987ebf4a1b8c7cbc5f.bin |
|---|---|
| File Size | 395776 bytes |
| File Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 329975284bb63cef4d666b00b5eebc3d |
| SHA1 | fb2af919131938cc808043a02bc05802d41ce2b7 |
| SHA256 | 89c4c9fd55c7c5d68fb52688b00c12d29b4537e2c8bfcd987ebf4a1b8c7cbc5f |
| SHA512 | 0480eec303cd4b526c104c2f5bfc1067ee288c2b4f5d07358f65ac97bc3d1323f35b50a26a30dc768597608911708e1ed28d602f35ae3d994b34575ec56d4af6 |
| CRC32 | F7012531 |
| Ssdeep | 6144:WkoKT3jUf9DIDmV8VF8oIwIfppmuyT78LUa7Z7L3S2:ptqDIxVpNii78oaV7Li2 |
Zeus mutexes from Zeus sample
- mutex: Global\{572E2B8D-1628-48D7-95A9-13B74EAA1643}
- mutex: Global\{C9916BF6-5653-D668-95A9-13B74EAA1643}
- mutex: Local\{C9916BF6-5653-D668-95A9-13B74EAA1643}
- mutex: Global\{C9916BF7-5652-D668-95A9-13B74EAA1643}
- mutex: Local\{C9916BF7-5652-D668-95A9-13B74EAA1643}
- mutex: Global\{A877DDE5-E040-B78E-95A9-13B74EAA1643}
- mutex: Local\{A877DDE5-E040-B78E-95A9-13B74EAA1643}
- mutex: Global\{A877DDE2-E047-B78E-95A9-13B74EAA1643}
- mutex: Local\{A877DDE2-E047-B78E-95A9-13B74EAA1643}
- mutex: Global\{729D3CE4-0141-6D64-95A9-13B74EAA1643}
- mutex: Local\{729D3CE4-0141-6D64-95A9-13B74EAA1643}
- mutex: Global\{C24F3ECF-036A-DDB6-95A9-13B74EAA1643}
- mutex: Local\{E8370EC6-3363-F7CE-95A9-13B74EAA1643}
- mutex: Global\{37219547-A8E2-28D8-09F2-7F41D2F17AB5}
- mutex: Global\{37219547-A8E2-28D8-0DF3-7F41D6F07AB5}
- mutex: Global\{37219547-A8E2-28D8-5DF3-7F4186F07AB5}
- mutex: Global\{37219547-A8E2-28D8-8DF3-7F4156F07AB5}
- mutex: Global\{37219547-A8E2-28D8-85F3-7F415EF07AB5}
- mutex: Global\{37219547-A8E2-28D8-BDF3-7F4166F07AB5}
- mutex: Global\{37219547-A8E2-28D8-D1F3-7F410AF07AB5}
- mutex: Global\{37219547-A8E2-28D8-E9F3-7F4132F07AB5}
- mutex: Global\{37219547-A8E2-28D8-E1F3-7F413AF07AB5}
- mutex: Global\{37219547-A8E2-28D8-55F0-7F418EF37AB5}
- mutex: Global\{37219547-A8E2-28D8-95F0-7F414EF37AB5}
- mutex: Global\{37219547-A8E2-28D8-C1F0-7F411AF37AB5}
- mutex: Global\{37219547-A8E2-28D8-29F1-7F41F2F27AB5}
- mutex: Global\{37219547-A8E2-28D8-75F1-7F41AEF27AB5}
- mutex: Global\{37219547-A8E2-28D8-BDF1-7F4166F27AB5}
- mutex: Global\{37219547-A8E2-28D8-05F6-7F41DEF57AB5}
- mutex: Global\{37219547-A8E2-28D8-91F6-7F414AF57AB5}
- mutex: Global\{37219547-A8E2-28D8-FDF6-7F4126F57AB5}
- mutex: Global\{37219547-A8E2-28D8-19F7-7F41C2F47AB5}
- mutex: Global\{37219547-A8E2-28D8-51F7-7F418AF47AB5}
- mutex: Global\{37219547-A8E2-28D8-75F7-7F41AEF47AB5}
- mutex: Global\{37219547-A8E2-28D8-A9F7-7F4172F47AB5}
- mutex: Global\{37219547-A8E2-28D8-B1F7-7F416AF47AB5}
- mutex: Global\{37219547-A8E2-28D8-49F4-7F4192F77AB5}
- mutex: Global\{37219547-A8E2-28D8-A5F4-7F417EF77AB5}
- mutex: Global\{37219547-A8E2-28D8-C5F5-7F411EF67AB5}
- mutex: Global\{37219547-A8E2-28D8-D9F5-7F4102F67AB5}
- mutex: Global\{37219547-A8E2-28D8-ADF5-7F4176F67AB5}
- mutex: Global\{37219547-A8E2-28D8-79F0-7F41A2F37AB5}
- mutex: Global\{37219547-A8E2-28D8-05FA-7F41DEF97AB5}
- mutex: Global\{37219547-A8E2-28D8-85FA-7F415EF97AB5}
- mutex: Global\{37219547-A8E2-28D8-9DFA-7F4146F97AB5}
- mutex: Global\{37219547-A8E2-28D8-C9FB-7F4112F87AB5}
- mutex: Global\{37219547-A8E2-28D8-39F8-7F41E2FB7AB5}
- mutex: Global\{37219547-A8E2-28D8-95F8-7F414EFB7AB5}
- mutex: Global\{37219547-A8E2-28D8-05F9-7F41DEFA7AB5}
- mutex: Global\{37219547-A8E2-28D8-11F9-7F41CAFA7AB5}
- mutex: Global\{37219547-A8E2-28D8-ADF9-7F4176FA7AB5}
- mutex: Global\{37219547-A8E2-28D8-51FE-7F418AFD7AB5}
- mutex: Global\{37219547-A8E2-28D8-0DFC-7F41D6FF7AB5}
- mutex: Global\{37219547-A8E2-28D8-25FC-7F41FEFF7AB5}
- mutex: Global\{37219547-A8E2-28D8-71FC-7F41AAFF7AB5}
- mutex: Global\{37219547-A8E2-28D8-C1FC-7F411AFF7AB5}
- mutex: Global\{A49B0AD7-3772-BB62-95A9-13B74EAA1643}
- mutex: Global\{37219547-A8E2-28D8-D9FE-7F4102FD7AB5}
- mutex: Global\{37219547-A8E2-28D8-5DF8-7F4186FB7AB5}
- mutex: Global\{5734B106-8CA3-48CD-95A9-13B74EAA1643}
- mutex: Global\{37219547-A8E2-28D8-59F4-7F4182F77AB5}
- mutex: Global\{37219547-A8E2-28D8-85F5-7F415EF67AB5}
Zeus malware sample connects to
| Domain | IP |
|---|---|
| WHITELISTED | WHITELISTED |
| dlm0ls1vq66ou15zih0n1nqo9nh.org | |
| 1k03ivtcfrpuct6dnmckwyczg.com | |
| 3vegh4zfviyr1eqbqa03u6vdx.net | |
| 1sruwspmqlcqcgj60lrwlad31.biz | |
| 11fkeza2io4xot0fu971w42wu5.org | |
| qsd5l4vgk8b16nvzsfn95bmp.com | |
| joi2n1gr8izo1lhtymc1uxa9bv.net | |
| orkq2r1wpi335kr952y1cihdd7.org | |
| ipnku115ra0511wlsxvtembz51.net | |
| h0s1zapllm9mc1olk9zxlox.com | |
| rj7f9k3nbfh4154pig610eqnv9.org | |
| WHITELISTED | WHITELISTED |
| 1hhdja81ynlbgs1j9nw7fdyfrt5.biz | |
| 1vxhawa1njphi81xwq26l7617in.net | |
| 1086cmv17hn18g1ep8lg11lg7e3e.com | |
| al83ga1thrgzw1f0r3g91fw390n.net | |
| 8mkx9s1651zt81ijz7lc1otdper.biz | |
| 7w5r3rjhmx1n687mew1kqsgsg.org | |
| 12lx7q04qi1fi1ujm6plc8ohzb.com | |
| n1njzb1aipngm1unqzfg8wjsu7.net | |
| 1ol8wo31w7wjk2hywbv31pu8aa8.org | |
| wfnjhv1m7x7xj1eoocce173lubj.net | |
| 3i5qa01r6n3yz13pe8wb10g95ih.com | |
| nox99i1iqlet0dkwah0t67igu.org | |
| mx3ngm2g0l661pm8j4s78tc9n.biz | |
| f0cx021pn67kv1o8o7ix1hmugjf.net | |
| WHITELISTED | WHITELISTED |
| WHITELISTED | WHITELISTED |
| WHITELISTED | WHITELISTED |
| vgkhph1e0f37117h8wi01bkmg9q.com | |
| lnfdxq18zcpil1kk90akvnmene.net | |
| c7b7ra1izs9k37a1yrp18rh1pg.biz | |
| 1um98274gziduc9jztmrfxjss.org | |
| 1ulfc2d1ya5rpt1k4leusbh05uc.com | |
| 1eweiadlgn4dtupgrzz1xx7io9.net | |
| 1oahftt1056oni1twvogc56l943.org | |
| 34i4ww10rsbp31fm871evjf4m6.net | |
| 6m8yzq82ysqo1ysr4fkrq77bx.com | |
| 1vdjvylsnu7hx59wd1i164afcf.org | |
| i7tcbau06fjf1xk020k8kak0n.biz | |
| 1vu2gtavpupg41pccc0d13r9z4y.net | |
| 1fmxnfk1jwqom514bjt7zv96nfe.com | |
| k5nmkk1gle17g1iv4o7h1uw1b1x.net | |
| 9xbu7ck8m1h3181s91x1svgppz.biz | |
| a90fph1k1sd5a15s24mo1ig052r.org | |
| fzff4ruwf4h0hdvxqo11celu1.com | |
| 188aha16y34w5mcr895szw68k.net | |
| 13w32fk1y5qu9k1r690hx1xvbu91.biz | |
| 1b74p2gpd5wxkhkfx3e17f1jjs.org | |
| 1gojzvyhrxvyp3nd32j9fyznq.com | |
| j04y8h1qapbadbtgj6qvhdkq8.net | |
| 1dr99nnmhjn2mp748lhbi1ajo.org | |
| 1yy6pee135f83x1jwh91qih2oov.net | |
| zik03z93t26biw2fh59xr3if.com | 82.165.38.206 |
| 1ucib2514u4r9jl1kbtw14dpsjn.org | |
| hwn3fv1n0t1qs20zkzmcv6pu4.biz | |
| 1tunasvzwz8sc1xo9kt1c9xo8b.net | |
| 1iqb1wq1b9q2lo1vyx88cgsdi3t.com | |
| 1r2aq2269jxfojzamig15tpva7.net | |
| gfwf8oknsq3x1nh9gzm4svftu.biz | |
| 1wcrc3680qli21tcmzbpam2enx.org | |
| 1k8mcqf1lzo95km6nldzkmr5hq.com | |
| 16ojic417avmb2rbinf11b9nd50.net | |
| 1skoct0vvt8xe1636f8d15zwyo4.org | |
| ergfga194y881161l8rg186cbtp.net | |
| 13nvwnn1b26881x4b8g41x2rr6d.com | |
| 9dawsd5ome52e70bnjc6orbo.org | |
| 1ecx0wgl6ad7w14iep1g12mjrqr.biz | |
| 18b6sn4fgrh7xu4dx8e12d09go.net | |
| 1sqstnzycz6lsjjks82f49hlm.com | |
| ahz5rq15e5cxuh1l6z44hd44s.net | |
| 1oytw7f1su1e9vbwyavj1s8vh5o.biz | |
| u2i3geelg3ugedl4oy1q2rl35.org | |
| 819dtcxbdta21p1uoy9b278v8.com | |
| l4g1p4zztwrl1k9wq4av5c98a.net |
Zeus Malware sample detected by the following anti-virus companies
| Antivirus | Signature |
|---|---|
| Bkav | Clean |
| MicroWorld-eScan | Trojan.GenericKD.1774288 |
| nProtect | Trojan.GenericKD.1774288 |
| CMC | Packed.Win32.Ransom-Crypter.1!O |
| CAT-QuickHeal | Clean |
| McAfee | RDN/Generic PWS.y!b2m |
| Malwarebytes | Clean |
| K7AntiVirus | Trojan-Downloader ( 003c37051 ) |
| K7GW | Trojan-Downloader ( 003c37051 ) |
| TheHacker | Clean |
| NANO-Antivirus | Trojan.Win32.Injector.dcrlic |
| F-Prot | Clean |
| Symantec | Packed.Generic.459 |
| Norman | Troj_Generic.VBSAJ |
| TotalDefense | Clean |
| TrendMicro-HouseCall | TSPY_ZBOT.AEBT |
| Avast | Win32:Malware-gen |
| ClamAV | Clean |
| Kaspersky | Trojan-Dropper.Win32.Injector.kipw |
| BitDefender | Trojan.GenericKD.1774288 |
| Agnitum | Clean |
| ViRobot | Clean |
| AegisLab | Clean |
| Rising | PE:[email protected]!1.9C3C |
| Ad-Aware | Trojan.GenericKD.1774288 |
| Emsisoft | Trojan.GenericKD.1774288 (B) |
| Comodo | UnclassifiedMalware |
| F-Secure | Trojan.GenericKD.1774288 |
| DrWeb | Trojan.PWS.Panda.5676 |
| VIPRE | Trojan.Win32.Generic!SB.0 |
| AntiVir | TR/Rogue.395776.2 |
| TrendMicro | TSPY_ZBOT.AEBT |
| McAfee-GW-Edition | Artemis!329975284BB6 |
| Sophos | Mal/EncPk-AMF |
| Jiangmin | Clean |
| Antiy-AVL | Trojan[Dropper]/Win32.Injector |
| Kingsoft | Clean |
| Microsoft | PWS:Win32/Zbot |
| SUPERAntiSpyware | Trojan.Agent/Gen-Kazy |
| AhnLab-V3 | Spyware/Win32.Zbot |
| GData | Trojan.GenericKD.1774288 |
| Commtouch | Clean |
| ByteHero | Clean |
| VBA32 | Clean |
| Panda | Trj/Chgt.C |
| Zoner | Clean |
| ESET-NOD32 | Win32/TrojanDownloader.FakeAlert.GI |
| Tencent | Win32.Trojan-dropper.Injector.Ljan |
| Ikarus | Trojan-Dropper.Win32.Injector |
| Fortinet | W32/Injector.KIPW!tr |
| AVG | SHeur4.BYVU |
| Baidu-International | Trojan.Win32.FakeAlert.bGI |
| Qihoo-360 | HEUR/Malware.QVM20.Gen |