win.zeus

Zeus

aka: Zbot

According to CrowdStrike, the two primary goals of the Zeus trojan are stealing victims' financial information and adding infected machines to a botnet. Unlike many types of malware, most Zeus variants try to avoid doing long-term damage to the devices they infect, since their aim is to stay undetected by antivirus software.

References
2024-02-15 | Bleeping Computer | Sergiu Gatlan
Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison
Tags: Egregor, IcedID, Maze, Zeus

2024-02-15 | Department of Justice | Office of Public Affairs
Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses
Tags: Egregor, IcedID, Maze, Zeus

2023-03-14 | CrowdStrike | CrowdStrike
The Zeus Trojan Malware - Definition and Prevention
Tags: Zeus

2022-11-15 | KrebsOnSecurity | Brian Krebs
Top Zeus Botnet Suspect “Tank” Arrested in Geneva
Tags: Zeus

2022-10-31 | Palo Alto Networks: Unit42 | Or Chechik
Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Tags: Dridex, Kronos, TrickBot, Zeus

2022-04-15 | Center for Internet Security | CIS
Top 10 Malware March 2022
Tags: Mirai, Shlayer, Agent Tesla, Ghost RAT, Nanocore RAT, SectopRAT, solarmarker, Zeus

2022-02-11 | Cisco Talos | Talos
Threat Roundup for February 4 to February 11
Tags: DarkComet, Ghost RAT, Loki Password Stealer (PWS), Tinba, Tofsee, Zeus

2021-09-09 | Recorded Future | Insikt Group
Dark Covenant: Connections Between the Russian State and Criminal Actors
Tags: BlackEnergy, EternalPetya, Gameover P2P, Zeus

2021-09-03 | Trend Micro | Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
Tags: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader

2021-07-21 | Malwarebytes | Malwarebytes
The life and death of the ZeuS Trojan
Tags: Zeus

2021-07-01 | Kryptos Logic | Kryptos Logic Vantage Team
TrickBot and Zeus
Tags: TrickBot, Zeus

2021-05-07 | Department of Justice | Office of Public Affairs
Four Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals
Tags: Citadel, SpyEye, Zeus

2021-03-31 | Kaspersky | Kaspersky
Financial Cyberthreats in 2020
Tags: BetaBot, DanaBot, Emotet, Gozi, Ramnit, RTM, SpyEye, TrickBot, Zeus

2021-01-01 | Secureworks | SecureWorks
Threat Profile: GOLD EVERGREEN
Tags: CryptoLocker, Pony, Zeus, GOLD EVERGREEN

2020-12-10 | US-CERT | FBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
Tags: PerlBot, Shlayer, Agent Tesla, Cerber, Dridex, Ghost RAT, Kovter, Maze, MedusaLocker, Nanocore RAT, Nefilim, REvil, Ryuk, Zeus

2020-08-09 | F5 Labs | Debbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
Tags: BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus

2020-07-17 | CERT-FR | CERT-FR
The Malware Dridex: Origins and Uses
Tags: Andromeda, CryptoLocker, Cutwail, DoppelPaymer, Dridex, Emotet, FriedEx, Gameover P2P, Gandcrab, ISFB, Murofet, Necurs, Predator The Thief, Zeus

2020-02-25 | RSA Conference | Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
Tags: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus

2020-01-01 | Secureworks | SecureWorks
BRONZE WOODLAND
Tags: PlugX, Zeus, Roaming Tiger

2020-01-01 | Secureworks | SecureWorks
GOLD EVERGREEN
Tags: CryptoLocker, Pony, Zeus

2019-12-19 | KrebsOnSecurity | Brian Krebs
Inside ‘Evil Corp,’ a $100M Cybercrime Menace
Tags: Dridex, Gameover P2P, Zeus, Evil Corp

2017-11-02 | Anomali | Anomali
Country Profile: Russian Federation
Tags: Zeus

2017-05-15 | Secureworks | Counter Threat Unit Research Team
Evolution of the GOLD EVERGREEN Threat Group
Tags: CryptoLocker, Dridex, Dyre, Gameover P2P, Murofet, TrickBot, Zeus, GOLD EVERGREEN

2017-03-21 | Wired | Chad Hagen, Garrett M. Graff
Inside the Hunt for Russia’s Most Notorious Hacker
Tags: Gameover P2P, Murofet, Zeus

2014-07-02 | Trend Micro | Kervin Alintanahin, Ronnie Giagone
KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
Tags: FakeWord, KIVARS, PLEAD, Poison RAT, Zeus

2012-12-24 | Contagio Dump | Mila Parkour
Dec 2012 Linux.Chapro - trojan Apache iframer
Tags: Chapro, Zeus

2010-09-07 | S21sec | Mikel Gastesi
ZeuS: The missing link
Tags: Zeus

2010-08-01 | Contagio Dump | Mila Parkour
Zeus Trojan Research Links
Tags: Zeus

2010-07-24 | Sophos | James Wyke
Why won’t my sample run?
Tags: Zeus

2010-07-14 | Contagiodump Blog | Mila Parkour
ZeuS Version scheme by the trojan author
Tags: Zeus

2010-05-03 | Symantec | Karthik Selvaraj
A Brief Look at Zeus/Zbot 2.0
Tags: Zeus

2010-04-26 | Symantec | Peter Coogan
SpyEye’s "Kill Zeus" Bark is Worse Than its Bite
Tags: Zeus

2010-04-19 | MalwareIntelligence | Jorge Mieres
ZeuS on IRS Scam remains actively exploited
Tags: Zeus

2010-03-15 | MalwareIntelligence | MalwareIntelligence
New phishing campaign against Facebook led by Zeus
Tags: Zeus

2010-03-10 | Secureworks | Don Jackson, Kevin Stevens
ZeuS Banking Trojan Report
Tags: Zeus

2010-02-20 | MalwareIntelligence | Jorge Mieres
Facebook & VISA phishing campaign proposed by ZeuS
Tags: Zeus

2010-02-02 | EternalTODO Blog | Jose Miguel Esparza
ZeuS spreading via Facebook
Tags: Zeus

2010-01-25 | Ernesto Martin
Leveraging ZeuS to send spam through social networks
Tags: Zeus

2010-01-01 | Mandiant | Ero Carrera, Peter Silberman
State of Malware: Family Ties
Tags: Bredolab, Conficker, Cutwail, KoobFace, Oderoor, Poison Ivy, Rustock, Sinowal, Szribi, Zeus

2009-11-06 | Eternal Todo | Jose Miguel Esparza
New ZeuS binary
Tags: Zeus

2009-10-01 | Eternal Todo | Jose Miguel Esparza
Detecting ZeuS
Tags: Zeus

2009-07-11 | MalwareIntelligence | MalwareIntelligence
Special!!! ZeuS Botnet for Dummies
Tags: Zeus

2009-01-01 | Symantec | Eric Chien, Nicolas Falliere
Zeus: King of the Bots
Tags: Zeus

2006-11-13 | Secure Science Corporation | Michael Ligh
Malware Case Study - ZeusMalware
Tags: Zeus
Yara Rules
[TLP:WHITE] win_zeus_auto (20230808 | Detects win.zeus.)
rule win_zeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.zeus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb58 833f00 7651 8b5f08 }
            // n = 4, score = 700
            //   eb58                 | jmp                 0x5a
            //   833f00               | cmp                 dword ptr [edi], 0
            //   7651                 | jbe                 0x53
            //   8b5f08               | mov                 ebx, dword ptr [edi + 8]

        $sequence_1 = { 8b3a 3b7d08 740a 40 }
            // n = 4, score = 600
            //   8b3a                 | mov                 edi, dword ptr [edx]
            //   3b7d08               | cmp                 edi, dword ptr [ebp + 8]
            //   740a                 | je                  0xc
            //   40                   | inc                 eax

        $sequence_2 = { 8d443604 50 a1???????? 57 }
            // n = 4, score = 600
            //   8d443604             | lea                 eax, [esi + esi + 4]
            //   50                   | push                eax
            //   a1????????           |                     
            //   57                   | push                edi

        $sequence_3 = { 8d442440 50 8d442428 50 0fb64304 }
            // n = 5, score = 600
            //   8d442440             | lea                 eax, [esp + 0x40]
            //   50                   | push                eax
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   50                   | push                eax
            //   0fb64304             | movzx               eax, byte ptr [ebx + 4]

        $sequence_4 = { 8d442448 50 ff15???????? 0fb744244e }
            // n = 4, score = 600
            //   8d442448             | lea                 eax, [esp + 0x48]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   0fb744244e           | movzx               eax, word ptr [esp + 0x4e]

        $sequence_5 = { 8d4c3110 81f90000a000 7715 8918 c7400400000200 89780c }
            // n = 6, score = 600
            //   8d4c3110             | lea                 ecx, [ecx + esi + 0x10]
            //   81f90000a000         | cmp                 ecx, 0xa00000
            //   7715                 | ja                  0x17
            //   8918                 | mov                 dword ptr [eax], ebx
            //   c7400400000200       | mov                 dword ptr [eax + 4], 0x20000
            //   89780c               | mov                 dword ptr [eax + 0xc], edi

        $sequence_6 = { 8918 c7400400000200 89780c ff4208 890a c645ff01 }
            // n = 6, score = 600
            //   8918                 | mov                 dword ptr [eax], ebx
            //   c7400400000200       | mov                 dword ptr [eax + 4], 0x20000
            //   89780c               | mov                 dword ptr [eax + 0xc], edi
            //   ff4208               | inc                 dword ptr [edx + 8]
            //   890a                 | mov                 dword ptr [edx], ecx
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1

        $sequence_7 = { 8d442460 50 e8???????? 8b4508 }
            // n = 4, score = 600
            //   8d442460             | lea                 eax, [esp + 0x60]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_8 = { e8???????? 84c0 7442 6a10 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7442                 | je                  0x44
            //   6a10                 | push                0x10

        $sequence_9 = { 891d???????? 891d???????? ffd6 68???????? }
            // n = 4, score = 500
            //   891d????????         |                     
            //   891d????????         |                     
            //   ffd6                 | call                esi
            //   68????????           |                     

        $sequence_10 = { 8bf3 6810270000 ff35???????? ff15???????? }
            // n = 4, score = 500
            //   8bf3                 | mov                 esi, ebx
            //   6810270000           | push                0x2710
            //   ff35????????         |                     
            //   ff15????????         |                     

        $sequence_11 = { 8d8db0fdffff e8???????? 8ad8 84db }
            // n = 4, score = 400
            //   8d8db0fdffff         | lea                 ecx, [ebp - 0x250]
            //   e8????????           |                     
            //   8ad8                 | mov                 bl, al
            //   84db                 | test                bl, bl

        $sequence_12 = { 8ac3 5b c20800 55 8bec 83e4f8 }
            // n = 6, score = 300
            //   8ac3                 | mov                 al, bl
            //   5b                   | pop                 ebx
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8

        $sequence_13 = { c9 c20400 55 8bec f6451802 }
            // n = 5, score = 300
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   f6451802             | test                byte ptr [ebp + 0x18], 2

        $sequence_14 = { 56 ff15???????? 5e 8ac3 5b c20800 }
            // n = 6, score = 300
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   8ac3                 | mov                 al, bl
            //   5b                   | pop                 ebx
            //   c20800               | ret                 8

        $sequence_15 = { 84c0 0f84ac000000 b809080002 3945f4 7713 807d0801 0f8598000000 }
            // n = 7, score = 200
            //   84c0                 | test                al, al
            //   0f84ac000000         | je                  0xb2
            //   b809080002           | mov                 eax, 0x2000809
            //   3945f4               | cmp                 dword ptr [ebp - 0xc], eax
            //   7713                 | ja                  0x15
            //   807d0801             | cmp                 byte ptr [ebp + 8], 1
            //   0f8598000000         | jne                 0x9e

        $sequence_16 = { 0f86e3000000 8b03 3509080002 3d5c5b4550 740b 3d59495351 }
            // n = 6, score = 200
            //   0f86e3000000         | jbe                 0xe9
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   3509080002           | xor                 eax, 0x2000809
            //   3d5c5b4550           | cmp                 eax, 0x50455b5c
            //   740b                 | je                  0xd
            //   3d59495351           | cmp                 eax, 0x51534959

        $sequence_17 = { c745f809080002 e8???????? 8ad8 f6450c04 7473 }
            // n = 5, score = 200
            //   c745f809080002       | mov                 dword ptr [ebp - 8], 0x2000809
            //   e8????????           |                     
            //   8ad8                 | mov                 bl, al
            //   f6450c04             | test                byte ptr [ebp + 0xc], 4
            //   7473                 | je                  0x75

        $sequence_18 = { 807b0244 7429 83fe04 0f82ec000000 8b1b 81f309080002 81fb5d515047 }
            // n = 7, score = 200
            //   807b0244             | cmp                 byte ptr [ebx + 2], 0x44
            //   7429                 | je                  0x2b
            //   83fe04               | cmp                 esi, 4
            //   0f82ec000000         | jb                  0xf2
            //   8b1b                 | mov                 ebx, dword ptr [ebx]
            //   81f309080002         | xor                 ebx, 0x2000809
            //   81fb5d515047         | cmp                 ebx, 0x4750515d

        $sequence_19 = { ff35???????? e8???????? 5f 5e 8ac3 }
            // n = 5, score = 200
            //   ff35????????         |                     
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8ac3                 | mov                 al, bl

        $sequence_20 = { 8d470c 50 c707000e0000 c7470809080002 }
            // n = 4, score = 200
            //   8d470c               | lea                 eax, [edi + 0xc]
            //   50                   | push                eax
            //   c707000e0000         | mov                 dword ptr [edi], 0xe00
            //   c7470809080002       | mov                 dword ptr [edi + 8], 0x2000809

        $sequence_21 = { b8d5000000 e8???????? 68e6010000 68???????? 6809080002 8bc6 50 }
            // n = 7, score = 200
            //   b8d5000000           | mov                 eax, 0xd5
            //   e8????????           |                     
            //   68e6010000           | push                0x1e6
            //   68????????           |                     
            //   6809080002           | push                0x2000809
            //   8bc6                 | mov                 eax, esi
            //   50                   | push                eax

        $sequence_22 = { 81fb5d515047 7410 81fb4f4d4156 7408 81fb59495354 7506 b364 }
            // n = 7, score = 200
            //   81fb5d515047         | cmp                 ebx, 0x4750515d
            //   7410                 | je                  0x12
            //   81fb4f4d4156         | cmp                 ebx, 0x56414d4f
            //   7408                 | je                  0xa
            //   81fb59495354         | cmp                 ebx, 0x54534959
            //   7506                 | jne                 8
            //   b364                 | mov                 bl, 0x64

        $sequence_23 = { 81fb59495354 7506 b364 6a14 eb18 81fb5a5c4156 740c }
            // n = 7, score = 200
            //   81fb59495354         | cmp                 ebx, 0x54534959
            //   7506                 | jne                 8
            //   b364                 | mov                 bl, 0x64
            //   6a14                 | push                0x14
            //   eb18                 | jmp                 0x1a
            //   81fb5a5c4156         | cmp                 ebx, 0x56415c5a
            //   740c                 | je                  0xe

    condition:
        7 of them and filesize < 319488
}
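Worked example, added here and not part of the Malpedia page or of yara-signator: a dependency-free matcher for YARA-style hex strings that shows how the `??` single-byte wildcards in the sequences above match, and what the condition `7 of them and filesize < 319488` actually evaluates. The sequence strings are copied from the rule (a subset is enough); the test buffers are constructed, not real Zeus samples; and the `yara.compile(...).match(...)` call in the trailing comment is the yara-python API you would use for real scanning, which this stand-in does not replace.

```python
import re

# Hex strings copied from the win_zeus_auto rule above; "??" is YARA's
# single-byte wildcard. A subset is enough to exercise the condition logic.
SEQUENCES = {
    "sequence_0":  "eb58 833f00 7651 8b5f08",
    "sequence_1":  "8b3a 3b7d08 740a 40",
    "sequence_2":  "8d443604 50 a1???????? 57",
    "sequence_4":  "8d442448 50 ff15???????? 0fb744244e",
    "sequence_5":  "8d4c3110 81f90000a000 7715 8918 c7400400000200 89780c",
    "sequence_8":  "e8???????? 84c0 7442 6a10",
    "sequence_10": "8bf3 6810270000 ff35???????? ff15????????",
    "sequence_12": "8ac3 5b c20800 55 8bec 83e4f8",
}

MAX_FILESIZE = 319488   # rule condition: filesize < 319488
REQUIRED = 7            # rule condition: 7 of them


def compile_hex_string(text):
    """Compile a YARA hex string into a bytes regex ('??' -> any one byte)."""
    compact = text.replace(" ", "").lower()
    if not re.fullmatch(r"(\?\?|[0-9a-f]{2})+", compact):
        raise ValueError(f"malformed hex string: {text!r}")
    regex = b"".join(
        b"." if compact[i:i + 2] == "??"
        else re.escape(bytes([int(compact[i:i + 2], 16)]))
        for i in range(0, len(compact), 2)
    )
    return re.compile(regex, re.DOTALL)   # DOTALL so '.' also matches 0x0a


def scan(data):
    """Return {sequence_name: first_offset} for every sequence found in data."""
    hits = {}
    for name, text in SEQUENCES.items():
        m = compile_hex_string(text).search(data)
        if m:
            hits[name] = m.start()
    return hits


def rule_matches(data):
    """Evaluate the rule's condition over the sequences reproduced here."""
    return len(scan(data)) >= REQUIRED and len(data) < MAX_FILESIZE


def build_sample(names, pad=b"\x90" * 16):
    """Constructed test buffer (not a real Zeus sample): the named sequences,
    wildcard bytes filled with 0x41, separated by NOP padding."""
    chunks = [bytes.fromhex(SEQUENCES[n].replace(" ", "").replace("??", "41"))
              for n in names]
    return pad + pad.join(chunks) + pad


if __name__ == "__main__":
    names = list(SEQUENCES)
    samples = {
        "all_8":   build_sample(names),                          # 8 hits, small: matches
        "only_3":  build_sample(names[:3]),                      # below "7 of them"
        "too_big": build_sample(names) + b"\0" * MAX_FILESIZE,   # 8 hits, but too large
    }
    for label, buf in samples.items():
        print(f"{label:8s} size={len(buf):7d} hits={len(scan(buf))} match={rule_matches(buf)}")
    # With yara-python installed, the real rule is evaluated the same way:
    #   yara.compile(filepath="win_zeus_auto.yar").match(data=buf)
```

The third buffer is the caveat worth remembering when a rule like this is applied to memory dumps: the `filesize` bound refers to the scanned object, so a full process dump that contains an unpacked Zeus image can carry all of the sequences and still not fire; scan the extracted module, or drop the size bound, when hunting in memory.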