win.zeus (Back to overview)

Zeus

aka: Zbot

There is no description at this point.

References
2012-12-24 ⋅ Contagio Dump ⋅ Mila Parkour
@online{parkour:20121224:dec:927ddb9,
  author       = {Parkour, Mila},
  title        = {{Dec 2012 Linux.Chapro - trojan Apache iframer}},
  date         = {2012-12-24},
  organization = {Contagio Dump},
  url          = {http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Chapro Zeus
2010-09-07 ⋅ S21sec ⋅ Mikel Gastesi
@online{gastesi:20100907:zeus:330336f,
  author       = {Gastesi, Mikel},
  title        = {{ZeuS: The missing link}},
  date         = {2010-09-07},
  organization = {S21sec},
  url          = {https://www.s21sec.com/en/zeus-the-missing-link/},
  language     = {English},
  urldate      = {2020-01-17},
}
Zeus
2010-08-01 ⋅ Contagio Dump ⋅ Mila Parkour
@online{parkour:20100801:zeus:3a2cfe8,
  author       = {Parkour, Mila},
  title        = {{Zeus Trojan Research Links}},
  date         = {2010-08-01},
  organization = {Contagio Dump},
  url          = {http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html},
  language     = {English},
  urldate      = {2019-12-04},
}
Zeus
2010-07-24 ⋅ Sophos ⋅ James Wyke
@online{wyke:20100724:why:17e044c,
  author       = {Wyke, James},
  title        = {{Why won’t my sample run?}},
  date         = {2010-07-24},
  organization = {Sophos},
  url          = {https://nakedsecurity.sophos.com/2010/07/24/sample-run/},
  language     = {English},
  urldate      = {2020-01-13},
}
Zeus
2010-07-14 ⋅ Contagiodump Blog ⋅ Mila Parkour
@online{parkour:20100714:zeus:996ba0d,
  author       = {Parkour, Mila},
  title        = {{ZeuS Version scheme by the trojan author}},
  date         = {2010-07-14},
  organization = {Contagiodump Blog},
  url          = {http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Zeus
2010-05-03 ⋅ Symantec ⋅ Karthik Selvaraj
@online{selvaraj:20100503:brief:d35dcb7,
  author       = {Selvaraj, Karthik},
  title        = {{A Brief Look at Zeus/Zbot 2.0}},
  date         = {2010-05-03},
  organization = {Symantec},
  url          = {https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20},
  language     = {English},
  urldate      = {2019-12-06},
}
Zeus
2010-04-26 ⋅ Symantec ⋅ Peter Coogan
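@comment{Straight double quotes in the title replaced with LaTeX ``...'' so the field typesets as proper quotation marks.}
@online{coogan:20100426:spyeyes:fb53c77,
  author       = {Coogan, Peter},
  title        = {{SpyEye’s ``Kill Zeus'' Bark is Worse Than its Bite}},
  date         = {2010-04-26},
  organization = {Symantec},
  url          = {https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite},
  language     = {English},
  urldate      = {2019-12-16},
}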
Zeus
2010-04-19 ⋅ MalwareIntelligence ⋅ Jorge Mieres
@online{mieres:20100419:zeus:5a230a6,
  author       = {Mieres, Jorge},
  title        = {{ZeuS on IRS Scam remains actively exploited}},
  date         = {2010-04-19},
  organization = {MalwareIntelligence},
  url          = {http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html},
  language     = {English},
  urldate      = {2019-11-27},
}
Zeus
2010-03-15 ⋅ MalwareIntelligence ⋅ MalwareIntelligence
@online{malwareintelligence:20100315:new:d307b96,
  author       = {{MalwareIntelligence}},
  title        = {{New phishing campaign against Facebook led by Zeus}},
  date         = {2010-03-15},
  organization = {MalwareIntelligence},
  url          = {http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html},
  language     = {English},
  urldate      = {2020-01-07},
}
Zeus
2010-03-10 ⋅ Secureworks ⋅ Kevin Stevens, Don Jackson
@online{stevens:20100310:zeus:be8ff11,
  author       = {Stevens, Kevin and Jackson, Don},
  title        = {{ZeuS Banking Trojan Report}},
  date         = {2010-03-10},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/zeus?threat=zeus},
  language     = {English},
  urldate      = {2020-01-13},
}
Zeus
2010-02-20 ⋅ MalwareIntelligence ⋅ Jorge Mieres
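@comment{The bare ampersand in the title is a LaTeX special character; it is escaped as \& so the field compiles in text mode.}
@online{mieres:20100220:facebook:13a2eb5,
  author       = {Mieres, Jorge},
  title        = {{Facebook \& VISA phishing campaign proposed by ZeuS}},
  date         = {2010-02-20},
  organization = {MalwareIntelligence},
  url          = {http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html},
  language     = {English},
  urldate      = {2020-01-06},
}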
Zeus
2010-02-02 ⋅ EternalTODO Blog ⋅ Jose Miguel Esparza
@online{esparza:20100202:zeus:c1a8f1f,
  author       = {Esparza, Jose Miguel},
  title        = {{ZeuS spreading via Facebook}},
  date         = {2010-02-02},
  organization = {EternalTODO Blog},
  url          = {http://eternal-todo.com/blog/zeus-spreading-facebook},
  language     = {English},
  urldate      = {2019-07-11},
}
Zeus
2010-01-25 ⋅ Ernesto Martin
@online{martin:20100125:leveraging:2c0f7d8,
  author   = {Martin, Ernesto},
  title    = {{Leveraging ZeuS to send spam through social networks}},
  date     = {2010-01-25},
  url      = {http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html},
  language = {English},
  urldate  = {2019-10-28},
}
Zeus
2009-11-06 ⋅ Eternal Todo ⋅ Jose Miguel Esparza
@online{esparza:20091106:new:f49d94c,
  author       = {Esparza, Jose Miguel},
  title        = {{New ZeuS binary}},
  date         = {2009-11-06},
  organization = {Eternal Todo},
  url          = {http://eternal-todo.com/blog/new-zeus-binary},
  language     = {English},
  urldate      = {2020-01-08},
}
Zeus
2009-10-01 ⋅ Eternal Todo ⋅ Jose Miguel Esparza
@online{esparza:20091001:detecting:3586ef7,
  author       = {Esparza, Jose Miguel},
  title        = {{Detecting ZeuS}},
  date         = {2009-10-01},
  organization = {Eternal Todo},
  url          = {http://eternal-todo.com/blog/detecting-zeus},
  language     = {English},
  urldate      = {2020-01-10},
}
Zeus
2009-07-11 ⋅ MalwareIntelligence ⋅ MalwareIntelligence
@online{malwareintelligence:20090711:special:df61090,
  author       = {{MalwareIntelligence}},
  title        = {{Special!!! ZeuS Botnet for Dummies}},
  date         = {2009-07-11},
  organization = {MalwareIntelligence},
  url          = {http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html},
  language     = {English},
  urldate      = {2020-01-07},
}
Zeus
2009 ⋅ Symantec ⋅ Nicolas Falliere, Eric Chien
@techreport{falliere:2009:zeus:73559c2,
  author      = {Falliere, Nicolas and Chien, Eric},
  title       = {{Zeus: King of the Bots}},
  date        = {2009},
  institution = {Symantec},
  url         = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf},
  language    = {English},
  urldate     = {2020-01-07},
}
Zeus
2006-11-13 ⋅ Secure Science Corporation ⋅ Micael Ligh
@techreport{ligh:20061113:malware:d305d70,
  author      = {Ligh, Micael},
  title       = {{Malware Case Study - ZeusMalware}},
  date        = {2006-11-13},
  institution = {Secure Science Corporation},
  url         = {https://www.mnin.org/write/ZeusMalware.pdf},
  language    = {English},
  urldate     = {2019-11-23},
}
Zeus
Yara Rules
[TLP:WHITE] win_zeus_auto (20190204 | autogenerated rule brought to you by yara-signator)
/* Malpedia detection rule for win.zeus (aka Zbot), produced by yara-signator.
 * Each $sequence_N below is a run of 32-bit x86 instruction bytes taken from
 * the disassembly of unpacked samples / memory dumps (see DISCLAIMER inside).
 * In the per-string annotations, "n" equals the number of instructions listed
 * for that sequence; "score" is a weight assigned by the generator and is not
 * referenced by the condition. "??" bytes are YARA hex-string wildcards; on the
 * visible lines they occupy the immediate/displacement operand of call, jmp,
 * push and memory-operand mov forms — presumably masking addresses that vary
 * between builds or after relocation (TODO confirm against the generator).
 */
rule win_zeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus"
        // NOTE(review): malpedia_version predates the rule date above; it
        // presumably identifies the corpus snapshot the rule was generated from.
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Sequences are ordered by descending generator score (600 down to 200).
        $sequence_0 = { eb58 833f00 7651 8b5f08 }
            // n = 4, score = 600
            //   eb58                 | jmp                 0x5a
            //   833f00               | cmp                 dword ptr [edi], 0
            //   7651                 | jbe                 0x53
            //   8b5f08               | mov                 ebx, dword ptr [edi + 8]

        $sequence_1 = { 6801000080 ff15???????? eb1e 50 33c0 }
            // n = 5, score = 500
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   eb1e                 | jmp                 0x20
            //   50                   | push                eax
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { 8bc7 50 6a04 5f bb14270000 8bc6 }
            // n = 6, score = 500
            //   8bc7                 | mov                 eax, edi
            //   50                   | push                eax
            //   6a04                 | push                4
            //   5f                   | pop                 edi
            //   bb14270000           | mov                 ebx, 0x2714
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { 8b4020 eb06 8b4814 8b4018 }
            // n = 4, score = 500
            //   8b4020               | mov                 eax, dword ptr [eax + 0x20]
            //   eb06                 | jmp                 8
            //   8b4814               | mov                 ecx, dword ptr [eax + 0x14]
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]

        $sequence_4 = { 8bf3 6810270000 ff35???????? ff15???????? }
            // n = 4, score = 500
            //   8bf3                 | mov                 esi, ebx
            //   6810270000           | push                0x2710
            //   ff35????????         |                     
            //   ff15????????         |                     

        $sequence_5 = { e8???????? 84c0 7442 6a10 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7442                 | je                  0x44
            //   6a10                 | push                0x10

        $sequence_6 = { c9 c3 6a1c 58 e8???????? 85c0 7406 }
            // n = 7, score = 500
            //   c9                   | leave               
            //   c3                   | ret                 
            //   6a1c                 | push                0x1c
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8

        $sequence_7 = { 7626 8b45f8 8b7314 e8???????? ff75f8 8bf0 e8???????? }
            // n = 7, score = 500
            //   7626                 | jbe                 0x28
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b7314               | mov                 esi, dword ptr [ebx + 0x14]
            //   e8????????           |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     

        $sequence_8 = { 3b750c 72da 32c0 5f 5e 5b c9 }
            // n = 7, score = 500
            //   3b750c               | cmp                 esi, dword ptr [ebp + 0xc]
            //   72da                 | jb                  0xffffffdc
            //   32c0                 | xor                 al, al
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               

        $sequence_9 = { ff750c 8d4702 ff7508 c6443a0100 e8???????? }
            // n = 5, score = 500
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d4702               | lea                 eax, [edi + 2]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   c6443a0100           | mov                 byte ptr [edx + edi + 1], 0
            //   e8????????           |                     

        $sequence_10 = { 8d85ecfbffff 50 68f6000000 33db ff15???????? }
            // n = 5, score = 400
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   50                   | push                eax
            //   68f6000000           | push                0xf6
            //   33db                 | xor                 ebx, ebx
            //   ff15????????         |                     

        $sequence_11 = { 8d8db0fdffff e8???????? 8ad8 84db }
            // n = 4, score = 400
            //   8d8db0fdffff         | lea                 ecx, [ebp - 0x250]
            //   e8????????           |                     
            //   8ad8                 | mov                 bl, al
            //   84db                 | test                bl, bl

        // $sequence_12 and $sequence_13 overlap (both contain the same
        // "sub esp, 0x418" prologue); they can therefore fire together on the
        // same function and count twice toward the "7 of them" threshold.
        $sequence_12 = { 8bec 81ec18040000 53 8d85ecfbffff 50 }
            // n = 5, score = 400
            //   8bec                 | mov                 ebp, esp
            //   81ec18040000         | sub                 esp, 0x418
            //   53                   | push                ebx
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   50                   | push                eax

        $sequence_13 = { 8ac3 5b c9 c20c00 55 8bec 81ec18040000 }
            // n = 7, score = 400
            //   8ac3                 | mov                 al, bl
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec18040000         | sub                 esp, 0x418

        $sequence_14 = { 53 83c8ff 8d4dd8 e8???????? 6a0a }
            // n = 5, score = 200
            //   53                   | push                ebx
            //   83c8ff               | or                  eax, 0xffffffff
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   6a0a                 | push                0xa

        // $sequence_15 .. $sequence_18 share the 32-bit constant 0x2000809,
        // used as an XOR mask before comparisons against fixed dword values.
        $sequence_15 = { 0f82ec000000 8b1b 81f309080002 81fb5d515047 7410 81fb4f4d4156 7408 }
            // n = 7, score = 200
            //   0f82ec000000         | jb                  0xf2
            //   8b1b                 | mov                 ebx, dword ptr [ebx]
            //   81f309080002         | xor                 ebx, 0x2000809
            //   81fb5d515047         | cmp                 ebx, 0x4750515d
            //   7410                 | je                  0x12
            //   81fb4f4d4156         | cmp                 ebx, 0x56414d4f
            //   7408                 | je                  0xa

        $sequence_16 = { 8b03 3509080002 3d5c5b4550 740b 3d59495351 }
            // n = 5, score = 200
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   3509080002           | xor                 eax, 0x2000809
            //   3d5c5b4550           | cmp                 eax, 0x50455b5c
            //   740b                 | je                  0xd
            //   3d59495351           | cmp                 eax, 0x51534959

        $sequence_17 = { 81fb5a5c4156 740c 81fb45415356 0f85b2000000 b365 6a15 8d742418 }
            // n = 7, score = 200
            //   81fb5a5c4156         | cmp                 ebx, 0x56415c5a
            //   740c                 | je                  0xe
            //   81fb45415356         | cmp                 ebx, 0x56534145
            //   0f85b2000000         | jne                 0xb8
            //   b365                 | mov                 bl, 0x65
            //   6a15                 | push                0x15
            //   8d742418             | lea                 esi, [esp + 0x18]

        $sequence_18 = { 50 c707000e0000 c7470809080002 e8???????? }
            // n = 4, score = 200
            //   50                   | push                eax
            //   c707000e0000         | mov                 dword ptr [edi], 0xe00
            //   c7470809080002       | mov                 dword ptr [edi + 8], 0x2000809
            //   e8????????           |                     

        // $sequence_19 .. $sequence_22 embed absolute addresses (0x4223a8,
        // 0x4223ac, 0x4015b0) as literal bytes; these are build-specific and
        // will not match rebased or differently-linked samples.
        $sequence_19 = { 7415 8bcf 6bc90c bea8234200 }
            // n = 4, score = 200
            //   7415                 | je                  0x17
            //   8bcf                 | mov                 ecx, edi
            //   6bc90c               | imul                ecx, ecx, 0xc
            //   bea8234200           | mov                 esi, 0x4223a8

        $sequence_20 = { 6bc90c bea8234200 e8???????? 84c0 741d 8b3d???????? }
            // n = 6, score = 200
            //   6bc90c               | imul                ecx, ecx, 0xc
            //   bea8234200           | mov                 esi, 0x4223a8
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   741d                 | je                  0x1f
            //   8b3d????????         |                     

        $sequence_21 = { 6801440000 33f6 56 68b0154000 c645fb00 }
            // n = 5, score = 200
            //   6801440000           | push                0x4401
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   68b0154000           | push                0x4015b0
            //   c645fb00             | mov                 byte ptr [ebp - 5], 0

        $sequence_22 = { 68ac234200 ff15???????? ff7508 e8???????? }
            // n = 4, score = 200
            //   68ac234200           | push                0x4223ac
            //   ff15????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

    condition:
        // Matches when at least 7 of the 23 sequences are present anywhere in
        // the scanned object. The threshold is an unweighted count; the
        // per-string "score" values above play no part. Raising it trades
        // recall for precision — calibrate on your own sample set.
        7 of them
}