Perfect Zeus malware example

Zeus malware keeps turning up, and it seems that Zeus is here to stay.

We have decided to share an analysis of a Zeus malware sample.

The information below documents the behaviour of this sample: the file it ships as, the mutexes it creates, the domains it tries to contact and how anti-virus engines classify it.

Take a close look at the anti-virus results and you will see that the anti-virus companies are having a hard time identifying this sample as Zeus: a good number of engines report it as clean, and most of the others only recognise it under a generic trojan or packer name.

File Details

File Name 89c4c9fd55c7c5d68fb52688b00c12d29b4537e2c8bfcd987ebf4a1b8c7cbc5f.bin
File Size 395776 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 329975284bb63cef4d666b00b5eebc3d
SHA1 fb2af919131938cc808043a02bc05802d41ce2b7
SHA256 89c4c9fd55c7c5d68fb52688b00c12d29b4537e2c8bfcd987ebf4a1b8c7cbc5f
SHA512 0480eec303cd4b526c104c2f5bfc1067ee288c2b4f5d07358f65ac97bc3d1323f35b50a26a30dc768597608911708e1ed28d602f35ae3d994b34575ec56d4af6
CRC32 F7012531
Ssdeep 6144:WkoKT3jUf9DIDmV8VF8oIwIfppmuyT78LUa7Z7L3S2:ptqDIxVpNii78oaV7Li2

Mutexes created by the Zeus sample

All 62 names are GUID-shaped and fall into two groups. Most share the fixed suffix 95A9-13B74EAA1643 while the first three groups vary; the rest share the fixed prefix 37219547-A8E2-28D8 while the fourth and fifth groups vary. The names are not fixed strings, so an exact mutex name captured from one run is a weak indicator on its own; the structure of the names is the more durable signal.

  1. mutex: Global\{572E2B8D-1628-48D7-95A9-13B74EAA1643}
  2. mutex: Global\{C9916BF6-5653-D668-95A9-13B74EAA1643}
  3. mutex: Local\{C9916BF6-5653-D668-95A9-13B74EAA1643}
  4. mutex: Global\{C9916BF7-5652-D668-95A9-13B74EAA1643}
  5. mutex: Local\{C9916BF7-5652-D668-95A9-13B74EAA1643}
  6. mutex: Global\{A877DDE5-E040-B78E-95A9-13B74EAA1643}
  7. mutex: Local\{A877DDE5-E040-B78E-95A9-13B74EAA1643}
  8. mutex: Global\{A877DDE2-E047-B78E-95A9-13B74EAA1643}
  9. mutex: Local\{A877DDE2-E047-B78E-95A9-13B74EAA1643}
  10. mutex: Global\{729D3CE4-0141-6D64-95A9-13B74EAA1643}
  11. mutex: Local\{729D3CE4-0141-6D64-95A9-13B74EAA1643}
  12. mutex: Global\{C24F3ECF-036A-DDB6-95A9-13B74EAA1643}
  13. mutex: Local\{E8370EC6-3363-F7CE-95A9-13B74EAA1643}
  14. mutex: Global\{37219547-A8E2-28D8-09F2-7F41D2F17AB5}
  15. mutex: Global\{37219547-A8E2-28D8-0DF3-7F41D6F07AB5}
  16. mutex: Global\{37219547-A8E2-28D8-5DF3-7F4186F07AB5}
  17. mutex: Global\{37219547-A8E2-28D8-8DF3-7F4156F07AB5}
  18. mutex: Global\{37219547-A8E2-28D8-85F3-7F415EF07AB5}
  19. mutex: Global\{37219547-A8E2-28D8-BDF3-7F4166F07AB5}
  20. mutex: Global\{37219547-A8E2-28D8-D1F3-7F410AF07AB5}
  21. mutex: Global\{37219547-A8E2-28D8-E9F3-7F4132F07AB5}
  22. mutex: Global\{37219547-A8E2-28D8-E1F3-7F413AF07AB5}
  23. mutex: Global\{37219547-A8E2-28D8-55F0-7F418EF37AB5}
  24. mutex: Global\{37219547-A8E2-28D8-95F0-7F414EF37AB5}
  25. mutex: Global\{37219547-A8E2-28D8-C1F0-7F411AF37AB5}
  26. mutex: Global\{37219547-A8E2-28D8-29F1-7F41F2F27AB5}
  27. mutex: Global\{37219547-A8E2-28D8-75F1-7F41AEF27AB5}
  28. mutex: Global\{37219547-A8E2-28D8-BDF1-7F4166F27AB5}
  29. mutex: Global\{37219547-A8E2-28D8-05F6-7F41DEF57AB5}
  30. mutex: Global\{37219547-A8E2-28D8-91F6-7F414AF57AB5}
  31. mutex: Global\{37219547-A8E2-28D8-FDF6-7F4126F57AB5}
  32. mutex: Global\{37219547-A8E2-28D8-19F7-7F41C2F47AB5}
  33. mutex: Global\{37219547-A8E2-28D8-51F7-7F418AF47AB5}
  34. mutex: Global\{37219547-A8E2-28D8-75F7-7F41AEF47AB5}
  35. mutex: Global\{37219547-A8E2-28D8-A9F7-7F4172F47AB5}
  36. mutex: Global\{37219547-A8E2-28D8-B1F7-7F416AF47AB5}
  37. mutex: Global\{37219547-A8E2-28D8-49F4-7F4192F77AB5}
  38. mutex: Global\{37219547-A8E2-28D8-A5F4-7F417EF77AB5}
  39. mutex: Global\{37219547-A8E2-28D8-C5F5-7F411EF67AB5}
  40. mutex: Global\{37219547-A8E2-28D8-D9F5-7F4102F67AB5}
  41. mutex: Global\{37219547-A8E2-28D8-ADF5-7F4176F67AB5}
  42. mutex: Global\{37219547-A8E2-28D8-79F0-7F41A2F37AB5}
  43. mutex: Global\{37219547-A8E2-28D8-05FA-7F41DEF97AB5}
  44. mutex: Global\{37219547-A8E2-28D8-85FA-7F415EF97AB5}
  45. mutex: Global\{37219547-A8E2-28D8-9DFA-7F4146F97AB5}
  46. mutex: Global\{37219547-A8E2-28D8-C9FB-7F4112F87AB5}
  47. mutex: Global\{37219547-A8E2-28D8-39F8-7F41E2FB7AB5}
  48. mutex: Global\{37219547-A8E2-28D8-95F8-7F414EFB7AB5}
  49. mutex: Global\{37219547-A8E2-28D8-05F9-7F41DEFA7AB5}
  50. mutex: Global\{37219547-A8E2-28D8-11F9-7F41CAFA7AB5}
  51. mutex: Global\{37219547-A8E2-28D8-ADF9-7F4176FA7AB5}
  52. mutex: Global\{37219547-A8E2-28D8-51FE-7F418AFD7AB5}
  53. mutex: Global\{37219547-A8E2-28D8-0DFC-7F41D6FF7AB5}
  54. mutex: Global\{37219547-A8E2-28D8-25FC-7F41FEFF7AB5}
  55. mutex: Global\{37219547-A8E2-28D8-71FC-7F41AAFF7AB5}
  56. mutex: Global\{37219547-A8E2-28D8-C1FC-7F411AFF7AB5}
  57. mutex: Global\{A49B0AD7-3772-BB62-95A9-13B74EAA1643}
  58. mutex: Global\{37219547-A8E2-28D8-D9FE-7F4102FD7AB5}
  59. mutex: Global\{37219547-A8E2-28D8-5DF8-7F4186FB7AB5}
  60. mutex: Global\{5734B106-8CA3-48CD-95A9-13B74EAA1643}
  61. mutex: Global\{37219547-A8E2-28D8-59F4-7F4182F77AB5}
  62. mutex: Global\{37219547-A8E2-28D8-85F5-7F415EF67AB5}
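
The varying groups in the list above are not independent: within each family they are tied together by a fixed XOR, which you can check by hand (for example 2B8D XOR 1628 = 3DA5 and 572E XOR 48D7 = 1FF9 in the first name; 09F2 XOR D2F1 = DB03 in the fourteenth). The script below is an added example, not code from this page or from the Zeus source: it parses a subset of the names copied from the list, verifies the XOR invariants derived from that list, and classifies each name into one of the two families. The constants 3DA5, 1FF9 and DB03 are observations about this sample only, not a documented Zeus name-generation algorithm.

```python
"""Structural fingerprint for the mutex names listed above (added example).

Every name is a GUID. The 62 names split into two families, and inside each
family the groups that vary are linked by a fixed XOR, so the names can be
matched on structure instead of on exact strings. The constants below were
derived from the list on this page; they are not a published Zeus algorithm.
"""
import re
from collections import Counter

# Subset of the mutex names copied from the list above (nine from the
# 95A9-13B74EAA1643 family, five from the 37219547-A8E2-28D8 family).
MUTEXES = [
    r"Global\{572E2B8D-1628-48D7-95A9-13B74EAA1643}",
    r"Global\{C9916BF6-5653-D668-95A9-13B74EAA1643}",
    r"Global\{C9916BF7-5652-D668-95A9-13B74EAA1643}",
    r"Local\{A877DDE5-E040-B78E-95A9-13B74EAA1643}",
    r"Global\{729D3CE4-0141-6D64-95A9-13B74EAA1643}",
    r"Global\{C24F3ECF-036A-DDB6-95A9-13B74EAA1643}",
    r"Local\{E8370EC6-3363-F7CE-95A9-13B74EAA1643}",
    r"Global\{A49B0AD7-3772-BB62-95A9-13B74EAA1643}",
    r"Global\{5734B106-8CA3-48CD-95A9-13B74EAA1643}",
    r"Global\{37219547-A8E2-28D8-09F2-7F41D2F17AB5}",
    r"Global\{37219547-A8E2-28D8-5DF3-7F4186F07AB5}",
    r"Global\{37219547-A8E2-28D8-D1F3-7F410AF07AB5}",
    r"Global\{37219547-A8E2-28D8-C1FC-7F411AFF7AB5}",
    r"Global\{37219547-A8E2-28D8-85F5-7F415EF67AB5}",
]

GUID_RE = re.compile(
    r"^(Global|Local)\\\{([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})"
    r"-([0-9A-F]{4})-([0-9A-F]{12})\}$"
)


def parse(name):
    """Split a mutex name into (namespace, g1, g2, g3, g4, g5), groups as ints."""
    m = GUID_RE.match(name)
    if not m:
        return None
    ns, *groups = m.groups()
    return (ns, *(int(g, 16) for g in groups))


def family(name):
    """Return 'A', 'B' or None depending on which structural template the name fits."""
    p = parse(name)
    if p is None:
        return None
    _, g1, g2, g3, g4, g5 = p
    # Family A: groups 4-5 are fixed; the 32-bit g1 is the per-instance value
    # and g2 / g3 are its low / high 16-bit halves XORed with fixed constants.
    if ((g4, g5) == (0x95A9, 0x13B74EAA1643)
            and (g1 & 0xFFFF) ^ g2 == 0x3DA5
            and (g1 >> 16) ^ g3 == 0x1FF9):
        return "A"
    # Family B: groups 1-3 are fixed; g4 is the per-instance value and the
    # middle 16 bits of g5 are g4 XOR 0xDB03, with the outer bytes of g5 fixed.
    if ((g1, g2, g3) == (0x37219547, 0xA8E2, 0x28D8)
            and (g5 >> 32) == 0x7F41
            and (g5 & 0xFFFF) == 0x7AB5
            and ((g5 >> 16) & 0xFFFF) ^ g4 == 0xDB03):
        return "B"
    return None


def summarize(names):
    """Count how many names fall into each family (unmatched names are dropped)."""
    return Counter(f for f in map(family, names) if f is not None)


if __name__ == "__main__":
    for name in MUTEXES:
        print(family(name), name)
    print(dict(summarize(MUTEXES)))
```

Because each family has one free value (32 bits in family A, 16 bits in family B) and everything else is either fixed or derived from it, a detection that keys on these invariants will match names this sample generates on another host, where the exact strings above will not appear.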

Domains the Zeus sample tried to contact

The names below are typical of a domain generation algorithm: long pseudo-random labels of letters and digits, all under .com, .net, .org or .biz. The sandbox suppressed benign (whitelisted) domains from its output, and only one of the generated domains resolved at the time of analysis; its IP is shown next to it.

Domain IP
dlm0ls1vq66ou15zih0n1nqo9nh.org
1k03ivtcfrpuct6dnmckwyczg.com
3vegh4zfviyr1eqbqa03u6vdx.net
1sruwspmqlcqcgj60lrwlad31.biz
11fkeza2io4xot0fu971w42wu5.org
qsd5l4vgk8b16nvzsfn95bmp.com
joi2n1gr8izo1lhtymc1uxa9bv.net
orkq2r1wpi335kr952y1cihdd7.org
ipnku115ra0511wlsxvtembz51.net
h0s1zapllm9mc1olk9zxlox.com
rj7f9k3nbfh4154pig610eqnv9.org
1hhdja81ynlbgs1j9nw7fdyfrt5.biz
1vxhawa1njphi81xwq26l7617in.net
1086cmv17hn18g1ep8lg11lg7e3e.com
al83ga1thrgzw1f0r3g91fw390n.net
8mkx9s1651zt81ijz7lc1otdper.biz
7w5r3rjhmx1n687mew1kqsgsg.org
12lx7q04qi1fi1ujm6plc8ohzb.com
n1njzb1aipngm1unqzfg8wjsu7.net
1ol8wo31w7wjk2hywbv31pu8aa8.org
wfnjhv1m7x7xj1eoocce173lubj.net
3i5qa01r6n3yz13pe8wb10g95ih.com
nox99i1iqlet0dkwah0t67igu.org
mx3ngm2g0l661pm8j4s78tc9n.biz
f0cx021pn67kv1o8o7ix1hmugjf.net
vgkhph1e0f37117h8wi01bkmg9q.com
lnfdxq18zcpil1kk90akvnmene.net
c7b7ra1izs9k37a1yrp18rh1pg.biz
1um98274gziduc9jztmrfxjss.org
1ulfc2d1ya5rpt1k4leusbh05uc.com
1eweiadlgn4dtupgrzz1xx7io9.net
1oahftt1056oni1twvogc56l943.org
34i4ww10rsbp31fm871evjf4m6.net
6m8yzq82ysqo1ysr4fkrq77bx.com
1vdjvylsnu7hx59wd1i164afcf.org
i7tcbau06fjf1xk020k8kak0n.biz
1vu2gtavpupg41pccc0d13r9z4y.net
1fmxnfk1jwqom514bjt7zv96nfe.com
k5nmkk1gle17g1iv4o7h1uw1b1x.net
9xbu7ck8m1h3181s91x1svgppz.biz
a90fph1k1sd5a15s24mo1ig052r.org
fzff4ruwf4h0hdvxqo11celu1.com
188aha16y34w5mcr895szw68k.net
13w32fk1y5qu9k1r690hx1xvbu91.biz
1b74p2gpd5wxkhkfx3e17f1jjs.org
1gojzvyhrxvyp3nd32j9fyznq.com
j04y8h1qapbadbtgj6qvhdkq8.net
1dr99nnmhjn2mp748lhbi1ajo.org
1yy6pee135f83x1jwh91qih2oov.net
zik03z93t26biw2fh59xr3if.com 82.165.38.206
1ucib2514u4r9jl1kbtw14dpsjn.org
hwn3fv1n0t1qs20zkzmcv6pu4.biz
1tunasvzwz8sc1xo9kt1c9xo8b.net
1iqb1wq1b9q2lo1vyx88cgsdi3t.com
1r2aq2269jxfojzamig15tpva7.net
gfwf8oknsq3x1nh9gzm4svftu.biz
1wcrc3680qli21tcmzbpam2enx.org
1k8mcqf1lzo95km6nldzkmr5hq.com
16ojic417avmb2rbinf11b9nd50.net
1skoct0vvt8xe1636f8d15zwyo4.org
ergfga194y881161l8rg186cbtp.net
13nvwnn1b26881x4b8g41x2rr6d.com
9dawsd5ome52e70bnjc6orbo.org
1ecx0wgl6ad7w14iep1g12mjrqr.biz
18b6sn4fgrh7xu4dx8e12d09go.net
1sqstnzycz6lsjjks82f49hlm.com
ahz5rq15e5cxuh1l6z44hd44s.net
1oytw7f1su1e9vbwyavj1s8vh5o.biz
u2i3geelg3ugedl4oy1q2rl35.org
819dtcxbdta21p1uoy9b278v8.com
l4g1p4zztwrl1k9wq4av5c98a.net
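
A simple way to pick names like these out of DNS logs is to score the registrable label on length, digit count and character entropy, and to restrict the TLD to the four seen above. The script below is an added example, not code from this page: the suspect names are copied from the list above, the benign names are constructed for contrast, and the thresholds are illustrative values that separate these two sets rather than a tuned production model.

```python
"""Heuristic DGA check over the domains listed above (added example).

Scores the second-level label of each domain on length, digit count and
Shannon entropy, and restricts the TLD to the four that appear in the list.
Thresholds are illustrative, not a tuned model.
"""
import math
from collections import Counter

# Copied from the list above.
SUSPECT = [
    "dlm0ls1vq66ou15zih0n1nqo9nh.org",
    "qsd5l4vgk8b16nvzsfn95bmp.com",
    "h0s1zapllm9mc1olk9zxlox.com",
    "zik03z93t26biw2fh59xr3if.com",
    "9dawsd5ome52e70bnjc6orbo.org",
    "1ecx0wgl6ad7w14iep1g12mjrqr.biz",
]
# Constructed benign names a Windows host would normally contact.
BENIGN = [
    "www.microsoft.com",
    "update.microsoft.com",
    "login.live.com",
    "cyberwarzone.com",
    "web1.example.net",  # digit sits in a subdomain; registrable label is 'example'
]

DGA_TLDS = {"com", "net", "org", "biz"}


def shannon_entropy(s):
    """Bits per character over the label's own symbol frequencies."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Second-level label, e.g. 'microsoft' for 'update.microsoft.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(domain):
    """Per-domain features used by the heuristic."""
    label = registrable_label(domain)
    return {
        "label": label,
        "tld": domain.lower().rstrip(".").rsplit(".", 1)[-1],
        "length": len(label),
        "digits": sum(ch.isdigit() for ch in label),
        "entropy": round(shannon_entropy(label), 3),
    }


def is_dga_like(domain, min_len=18, min_digits=1, min_entropy=3.0):
    """True when the label is long, contains digits, is high-entropy and uses a DGA TLD."""
    f = dga_features(domain)
    return (f["tld"] in DGA_TLDS
            and f["length"] >= min_len
            and f["digits"] >= min_digits
            and f["entropy"] >= min_entropy)


def flag_dga(domains):
    """Return the subset of domains the heuristic flags."""
    return [d for d in domains if is_dga_like(d)]


if __name__ == "__main__":
    for d in SUSPECT + BENIGN:
        verdict = "DGA   " if is_dga_like(d) else "benign"
        print(verdict, d, dga_features(d))
```

In practice this kind of rule belongs on passive DNS or proxy logs as a first-pass filter: a host that issues dozens of NXDOMAIN responses for names that all trip the rule, within a short window, is the pattern to alert on, rather than any single name.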

Anti-virus results for the Zeus sample

Of the 53 engines below, 37 detect the sample and 16 report it as Clean. Only five results name the family (the ZBOT/Zbot and Panda signatures); the rest are generic trojan, dropper, injector or packer detections that would not tell an analyst they are looking at Zeus.

Antivirus Signature
Bkav Clean
MicroWorld-eScan Trojan.GenericKD.1774288
nProtect Trojan.GenericKD.1774288
CMC Packed.Win32.Ransom-Crypter.1!O
CAT-QuickHeal Clean
McAfee RDN/Generic PWS.y!b2m
Malwarebytes Clean
K7AntiVirus Trojan-Downloader ( 003c37051 )
K7GW Trojan-Downloader ( 003c37051 )
TheHacker Clean
NANO-Antivirus Trojan.Win32.Injector.dcrlic
F-Prot Clean
Symantec Packed.Generic.459
Norman Troj_Generic.VBSAJ
TotalDefense Clean
TrendMicro-HouseCall TSPY_ZBOT.AEBT
Avast Win32:Malware-gen
ClamAV Clean
Kaspersky Trojan-Dropper.Win32.Injector.kipw
BitDefender Trojan.GenericKD.1774288
Agnitum Clean
ViRobot Clean
AegisLab Clean
Rising PE:[email protected]!1.9C3C
Ad-Aware Trojan.GenericKD.1774288
Emsisoft Trojan.GenericKD.1774288 (B)
Comodo UnclassifiedMalware
F-Secure Trojan.GenericKD.1774288
DrWeb Trojan.PWS.Panda.5676
VIPRE Trojan.Win32.Generic!SB.0
AntiVir TR/Rogue.395776.2
TrendMicro TSPY_ZBOT.AEBT
McAfee-GW-Edition Artemis!329975284BB6
Sophos Mal/EncPk-AMF
Jiangmin Clean
Antiy-AVL Trojan[Dropper]/Win32.Injector
Kingsoft Clean
Microsoft PWS:Win32/Zbot
SUPERAntiSpyware Trojan.Agent/Gen-Kazy
AhnLab-V3 Spyware/Win32.Zbot
GData Trojan.GenericKD.1774288
Commtouch Clean
ByteHero Clean
VBA32 Clean
Panda Trj/Chgt.C
Zoner Clean
ESET-NOD32 Win32/TrojanDownloader.FakeAlert.GI
Tencent Win32.Trojan-dropper.Injector.Ljan
Ikarus Trojan-Dropper.Win32.Injector
Fortinet W32/Injector.KIPW!tr
AVG SHeur4.BYVU
Baidu-International Trojan.Win32.FakeAlert.bGI
Qihoo-360 HEUR/Malware.QVM20.Gen

By CWZ

Founder of Cyberwarzone.com.