Monday, 26 February 2018

Zeus botnet simple analysis

A short analysis of the Zeus botnet.

It was done for someone to see how it works, and I am sharing it with you.

  • OEP (original entry point): 0040DCA0
  • COMPILER: Borland Delphi 6.0 – 7.0
  • MD5: 8a849d20c0a954f45566cec53acc9263
  • SHA-1: 764c29fd18c3f3c4d9ba3fe394655f2ed2ec0c01

Behaviour observed:
  • Injects into remote processes; in this run it was injected into "explorer.exe".
  • Drops the following file (same attributes as bot.exe):
    C:\Users\Insider\AppData\Roaming\Qioho\giep.exe
    MD5: 769919e56bd4e9e1e906559c1c36bdf6
    SHA-1: 39ed72d34e02e1674742cb47bbd6ebdad13f7931
  • Persists through a Run value in the current user's hive:
    Reg: HKU\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft\Windows\CurrentVersion\Run\{74A201A8-2DEE-69F0-F124-27DF3D9773DA}: "C:\Users\Insider\AppData\Roaming\Qioho\giep.exe"
    Note the GUID-shaped value name and the non-descriptive directory and file name under %AppData%\Roaming; those two traits are what to look for when hunting for this persistence.

Some of the operations recorded while bot.exe ran:
  • CreateFile
  • RegOpenKey
  • RegisterClass
  • CoCreate
  • CreateThread
  • RegCreateKey
  • RegSetValue
  • ProcessStarted
The RegCreateKey/RegSetValue pair is consistent with writing the Run value listed above.
Network traffic:
The bot sends the stolen data out with HTTP POST requests, triggered when the victim visits a bank account page, PayPal, etc.
Botnet host directory and login page:


Removal is straightforward: follow the paths above to find the dropped executable and delete it together with the Run value it created. Because the bot had injected into explorer.exe, stop the injected code first (terminate the process, or reboot into safe mode) and verify the file's MD5/SHA-1 against the hashes above before deleting, so you remove the right file and nothing is left running.
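As an added example, not part of the original post, the following Python script applies the indicators above to a registry dump: it parses Run values written in the same key\valuename: "path" form as the line above, flags those whose value name is GUID-shaped or whose target is an executable one directory below %AppData%\Roaming (the two traits of the giep.exe entry), and compares a file's MD5/SHA-1 with the hashes of the dropped file. The sample lines are constructed for the demo (the Zeus line is the one from this analysis, plus two benign entries); the input format and the two heuristics are my assumptions, not something the post specifies.

```python
import hashlib
import re

# Indicators copied from the analysis above (the dropped file giep.exe).
DROPPED_FILE_MD5 = "769919e56bd4e9e1e906559c1c36bdf6"
DROPPED_FILE_SHA1 = "39ed72d34e02e1674742cb47bbd6ebdad13f7931"

# Assumed input format: one Run value per line, as  key\valuename: "path",
# mirroring the registry line in the analysis. The "Reg: " prefix is optional.
RUN_ENTRY_RE = re.compile(
    r'^(?:Reg:\s*)?(?P<key>HK[A-Z_]+\\.*?\\CurrentVersion\\Run)\\'
    r'(?P<name>[^\\:]+):\s*"(?P<path>[^"]*)"\s*$',
    re.IGNORECASE,
)
# Heuristic 1: value name shaped like a GUID, as in the persistence entry above.
GUID_NAME_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$",
    re.IGNORECASE,
)
# Heuristic 2: an .exe exactly one directory below %AppData%\Roaming, as giep.exe is.
ROAMING_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample dump: the entry from the analysis plus two benign lines.
SAMPLE_LINES = [
    r'Reg: HKU\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft\Windows\CurrentVersion\Run\{74A201A8-2DEE-69F0-F124-27DF3D9773DA}: "C:\Users\Insider\AppData\Roaming\Qioho\giep.exe"',
    r'Reg: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive: "C:\Users\Insider\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
    r'Reg: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo\DisplayName: "Foo"',
]


def parse_run_entries(lines):
    """Return {key, name, path} for every line that is a Run value; skip the rest."""
    entries = []
    for line in lines:
        m = RUN_ENTRY_RE.match(line.strip())
        if m:
            entries.append({"key": m["key"], "name": m["name"], "path": m["path"]})
    return entries


def find_suspicious_run_entries(lines):
    """Flag Run values that share the traits of the Zeus persistence entry above."""
    flagged = []
    for entry in parse_run_entries(lines):
        reasons = []
        if GUID_NAME_RE.match(entry["name"]):
            reasons.append("guid_value_name")
        if ROAMING_EXE_RE.search(entry["path"]):
            reasons.append("exe_in_appdata_roaming_subdir")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


def file_hashes(data):
    """MD5 and SHA-1 of a file's bytes, in the lowercase hex form used in the IOCs."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def matches_dropped_file(data, md5=DROPPED_FILE_MD5, sha1=DROPPED_FILE_SHA1):
    """True only if both hashes of the bytes equal the dropped-file IOCs."""
    h = file_hashes(data)
    return h["md5"] == md5.lower() and h["sha1"] == sha1.lower()


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(SAMPLE_LINES):
        print(hit["name"], "->", hit["path"], hit["reasons"])
```

On a live host, feed it the exported Run values of every loaded user hive, then hash the file at each flagged path with file_hashes before deleting anything; a flagged entry with hashes that do not match is a lead to examine, not an automatic delete. Since the bot had injected into explorer.exe, stop that code first, otherwise the injected copy keeps running after the file on disk is gone.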
