SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zeus (Back to overview)

Zeus

aka: Zbot
URLhaus      

There is no description at this point.

References
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020SecureworksSecureWorks
@online{secureworks:2020:gold:cbab642, author = {SecureWorks}, title = {{GOLD EVERGREEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2020-05-23} } GOLD EVERGREEN
CryptoLocker Pony Zeus
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:f48e53c, author = {SecureWorks}, title = {{BRONZE WOODLAND}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland}, language = {English}, urldate = {2020-05-23} } BRONZE WOODLAND
PlugX Zeus Roaming Tiger
2019-12-19KrebsOnSecurityBrian Krebs
@online{krebs:20191219:inside:c7595ad, author = {Brian Krebs}, title = {{Inside ‘Evil Corp,’ a $100M Cybercrime Menace}}, date = {2019-12-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/}, language = {English}, urldate = {2020-11-02} } Inside ‘Evil Corp,’ a $100M Cybercrime Menace
Dridex Gameover P2P Zeus Evil Corp
2017-11-02AnomaliAnomali
@techreport{anomali:20171102:country:853fdd8, author = {Anomali}, title = {{Country Profile: Russian Federation}}, date = {2017-11-02}, institution = {Anomali}, url = {https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf}, language = {English}, urldate = {2020-09-23} } Country Profile: Russian Federation
Zeus
2014-07-02Trend MicroKervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
FakeWord KIVARS PLEAD Poison RAT Zeus
2012-12-24Contagio DumpMila Parkour
@online{parkour:20121224:dec:927ddb9, author = {Mila Parkour}, title = {{Dec 2012 Linux.Chapro - trojan Apache iframer}}, date = {2012-12-24}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html}, language = {English}, urldate = {2019-12-20} } Dec 2012 Linux.Chapro - trojan Apache iframer
Chapro Zeus
2010-09-07S21secMikel Gastesi
@online{gastesi:20100907:zeus:330336f, author = {Mikel Gastesi}, title = {{ZeuS: The missing link}}, date = {2010-09-07}, organization = {S21sec}, url = {https://www.s21sec.com/en/zeus-the-missing-link/}, language = {English}, urldate = {2020-01-17} } ZeuS: The missing link
Zeus
2010-08-01Contagio DumpMila Parkour
@online{parkour:20100801:zeus:3a2cfe8, author = {Mila Parkour}, title = {{Zeus Trojan Research Links}}, date = {2010-08-01}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html}, language = {English}, urldate = {2019-12-04} } Zeus Trojan Research Links
Zeus
2010-07-24SophosJames Wyke
@online{wyke:20100724:why:17e044c, author = {James Wyke}, title = {{Why won’t my sample run?}}, date = {2010-07-24}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2010/07/24/sample-run/}, language = {English}, urldate = {2020-01-13} } Why won’t my sample run?
Zeus
2010-07-14Contagiodump BlogMila Parkour
@online{parkour:20100714:zeus:996ba0d, author = {Mila Parkour}, title = {{ZeuS Version scheme by the trojan author}}, date = {2010-07-14}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html}, language = {English}, urldate = {2019-12-20} } ZeuS Version scheme by the trojan author
Zeus
2010-05-03SymantecKarthik Selvaraj
@online{selvaraj:20100503:brief:d35dcb7, author = {Karthik Selvaraj}, title = {{A Brief Look at Zeus/Zbot 2.0}}, date = {2010-05-03}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20}, language = {English}, urldate = {2019-12-06} } A Brief Look at Zeus/Zbot 2.0
Zeus
2010-04-26SymantecPeter Coogan
@online{coogan:20100426:spyeyes:fb53c77, author = {Peter Coogan}, title = {{SpyEye’s "Kill Zeus" Bark is Worse Than its Bite}}, date = {2010-04-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite}, language = {English}, urldate = {2019-12-16} } SpyEye’s "Kill Zeus" Bark is Worse Than its Bite
Zeus
2010-04-19MalwareIntelligenceJorge Mieres
@online{mieres:20100419:zeus:5a230a6, author = {Jorge Mieres}, title = {{ZeuS on IRS Scam remains actively exploited}}, date = {2010-04-19}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html}, language = {English}, urldate = {2019-11-27} } ZeuS on IRS Scam remains actively exploited
Zeus
2010-03-15MalwareIntelligenceMalwareIntelligence
@online{malwareintelligence:20100315:new:d307b96, author = {MalwareIntelligence}, title = {{New phishing campaign against Facebook led by Zeus}}, date = {2010-03-15}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html}, language = {English}, urldate = {2020-01-07} } New phishing campaign against Facebook led by Zeus
Zeus
2010-03-10SecureworksKevin Stevens, Don Jackson
@online{stevens:20100310:zeus:be8ff11, author = {Kevin Stevens and Don Jackson}, title = {{ZeuS Banking Trojan Report}}, date = {2010-03-10}, organization = {Secureworks}, url = {https://www.secureworks.com/research/zeus?threat=zeus}, language = {English}, urldate = {2020-01-13} } ZeuS Banking Trojan Report
Zeus
2010-02-20MalwareIntelligenceJorge Mieres
@online{mieres:20100220:facebook:13a2eb5, author = {Jorge Mieres}, title = {{Facebook & VISA phishing campaign proposed by ZeuS}}, date = {2010-02-20}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html}, language = {English}, urldate = {2020-01-06} } Facebook & VISA phishing campaign proposed by ZeuS
Zeus
2010-02-02EternalTODO BlogJose Miguel Esparza
@online{esparza:20100202:zeus:c1a8f1f, author = {Jose Miguel Esparza}, title = {{ZeuS spreading via Facebook}}, date = {2010-02-02}, organization = {EternalTODO Blog}, url = {http://eternal-todo.com/blog/zeus-spreading-facebook}, language = {English}, urldate = {2019-07-11} } ZeuS spreading via Facebook
Zeus
2010-01-25Ernesto Martin
@online{martin:20100125:leveraging:2c0f7d8, author = {Ernesto Martin}, title = {{Leveraging ZeuS to send spam through social networks}}, date = {2010-01-25}, url = {http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html}, language = {English}, urldate = {2019-10-28} } Leveraging ZeuS to send spam through social networks
Zeus
2009-11-06Eternal TodoJose Miguel Esparza
@online{esparza:20091106:new:f49d94c, author = {Jose Miguel Esparza}, title = {{New ZeuS binary}}, date = {2009-11-06}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/new-zeus-binary}, language = {English}, urldate = {2020-01-08} } New ZeuS binary
Zeus
2009-10-01Eternal TodoJose Miguel Esparza
@online{esparza:20091001:detecting:3586ef7, author = {Jose Miguel Esparza}, title = {{Detecting ZeuS}}, date = {2009-10-01}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/detecting-zeus}, language = {English}, urldate = {2020-01-10} } Detecting ZeuS
Zeus
2009-07-11MalwareIntelligenceMalwareIntelligence
@online{malwareintelligence:20090711:special:df61090, author = {MalwareIntelligence}, title = {{Special!!! ZeuS Botnet for Dummies}}, date = {2009-07-11}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html}, language = {English}, urldate = {2020-01-07} } Special!!! ZeuS Botnet for Dummies
Zeus
2009SymantecNicolas Falliere, Eric Chien
@techreport{falliere:2009:zeus:73559c2, author = {Nicolas Falliere and Eric Chien}, title = {{Zeus: King of the Bots}}, date = {2009}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf}, language = {English}, urldate = {2020-01-07} } Zeus: King of the Bots
Zeus
2006-11-13Secure Science CorporationMicael Ligh
@techreport{ligh:20061113:malware:d305d70, author = {Micael Ligh}, title = {{Malware Case Study - ZeusMalware}}, date = {2006-11-13}, institution = {Secure Science Corporation}, url = {https://www.mnin.org/write/ZeusMalware.pdf}, language = {English}, urldate = {2019-11-23} } Malware Case Study - ZeusMalware
Zeus
Yara Rules
[TLP:WHITE] win_zeus_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_zeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb58 833f00 7651 8b5f08 }
            // n = 4, score = 700
            //   eb58                 | jmp                 0x5a
            //   833f00               | cmp                 dword ptr [edi], 0
            //   7651                 | jbe                 0x53
            //   8b5f08               | mov                 ebx, dword ptr [edi + 8]

        $sequence_1 = { 50 e8???????? 8d4dac 8d554c }
            // n = 4, score = 600
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4dac               | lea                 ecx, [ebp - 0x54]
            //   8d554c               | lea                 edx, [ebp + 0x4c]

        $sequence_2 = { 8b06 e8???????? 832600 33c0 ebee 56 }
            // n = 6, score = 600
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   e8????????           |                     
            //   832600               | and                 dword ptr [esi], 0
            //   33c0                 | xor                 eax, eax
            //   ebee                 | jmp                 0xfffffff0
            //   56                   | push                esi

        $sequence_3 = { 8911 8b4d0c 8901 8b442418 894608 }
            // n = 5, score = 600
            //   8911                 | mov                 dword ptr [ecx], edx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   894608               | mov                 dword ptr [esi + 8], eax

        $sequence_4 = { 50 68???????? 8d85a4fdffff 50 ff15???????? 837d7411 }
            // n = 6, score = 600
            //   50                   | push                eax
            //   68????????           |                     
            //   8d85a4fdffff         | lea                 eax, [ebp - 0x25c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   837d7411             | cmp                 dword ptr [ebp + 0x74], 0x11

        $sequence_5 = { 5e 8bc3 5b c20400 5f 5e }
            // n = 6, score = 600
            //   5e                   | pop                 esi
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   c20400               | ret                 4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_6 = { ff75f4 ff30 ff15???????? 85c0 7515 }
            // n = 5, score = 600
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff30                 | push                dword ptr [eax]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7515                 | jne                 0x17

        $sequence_7 = { 33db e8???????? 57 8bf0 }
            // n = 4, score = 600
            //   33db                 | xor                 ebx, ebx
            //   e8????????           |                     
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax

        $sequence_8 = { 891d???????? 891d???????? ffd6 68???????? }
            // n = 4, score = 500
            //   891d????????         |                     
            //   891d????????         |                     
            //   ffd6                 | call                esi
            //   68????????           |                     

        $sequence_9 = { e8???????? 84c0 7442 6a10 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7442                 | je                  0x44
            //   6a10                 | push                0x10

        $sequence_10 = { 8bf3 6810270000 ff35???????? ff15???????? }
            // n = 4, score = 500
            //   8bf3                 | mov                 esi, ebx
            //   6810270000           | push                0x2710
            //   ff35????????         |                     
            //   ff15????????         |                     

        $sequence_11 = { 8d8db0fdffff e8???????? 8ad8 84db }
            // n = 4, score = 400
            //   8d8db0fdffff         | lea                 ecx, [ebp - 0x250]
            //   e8????????           |                     
            //   8ad8                 | mov                 bl, al
            //   84db                 | test                bl, bl

        $sequence_12 = { ff15???????? 5e 8ac3 5b c20800 55 8bec }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   8ac3                 | mov                 al, bl
            //   5b                   | pop                 ebx
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_13 = { c20400 55 8bec f6451802 }
            // n = 4, score = 300
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   f6451802             | test                byte ptr [ebp + 0x18], 2

        $sequence_14 = { c707000e0000 c7470809080002 e8???????? 83674200 6a78 }
            // n = 5, score = 200
            //   c707000e0000         | mov                 dword ptr [edi], 0xe00
            //   c7470809080002       | mov                 dword ptr [edi + 8], 0x2000809
            //   e8????????           |                     
            //   83674200             | and                 dword ptr [edi + 0x42], 0
            //   6a78                 | push                0x78

        $sequence_15 = { 740c 81fb45415356 0f85b2000000 b365 6a15 8d742418 58 }
            // n = 7, score = 200
            //   740c                 | je                  0xe
            //   81fb45415356         | cmp                 ebx, 0x56534145
            //   0f85b2000000         | jne                 0xb8
            //   b365                 | mov                 bl, 0x65
            //   6a15                 | push                0x15
            //   8d742418             | lea                 esi, [esp + 0x18]
            //   58                   | pop                 eax

        $sequence_16 = { 0f873d020000 83fe06 0f86e3000000 8b03 3509080002 3d5c5b4550 }
            // n = 6, score = 200
            //   0f873d020000         | ja                  0x243
            //   83fe06               | cmp                 esi, 6
            //   0f86e3000000         | jbe                 0xe9
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   3509080002           | xor                 eax, 0x2000809
            //   3d5c5b4550           | cmp                 eax, 0x50455b5c

        $sequence_17 = { 8b1b 81f309080002 81fb5d515047 7410 81fb4f4d4156 7408 81fb59495354 }
            // n = 7, score = 200
            //   8b1b                 | mov                 ebx, dword ptr [ebx]
            //   81f309080002         | xor                 ebx, 0x2000809
            //   81fb5d515047         | cmp                 ebx, 0x4750515d
            //   7410                 | je                  0x12
            //   81fb4f4d4156         | cmp                 ebx, 0x56414d4f
            //   7408                 | je                  0xa
            //   81fb59495354         | cmp                 ebx, 0x54534959

        $sequence_18 = { 7506 b364 6a14 eb18 81fb5a5c4156 740c 81fb45415356 }
            // n = 7, score = 200
            //   7506                 | jne                 8
            //   b364                 | mov                 bl, 0x64
            //   6a14                 | push                0x14
            //   eb18                 | jmp                 0x1a
            //   81fb5a5c4156         | cmp                 ebx, 0x56415c5a
            //   740c                 | je                  0xe
            //   81fb45415356         | cmp                 ebx, 0x56534145

        $sequence_19 = { b9???????? 56 57 33f6 56 50 }
            // n = 6, score = 200
            //   b9????????           |                     
            //   56                   | push                esi
            //   57                   | push                edi
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   50                   | push                eax

        $sequence_20 = { 3d59495351 0f85ca000000 807b0420 0f85c0000000 }
            // n = 4, score = 200
            //   3d59495351           | cmp                 eax, 0x51534959
            //   0f85ca000000         | jne                 0xd0
            //   807b0420             | cmp                 byte ptr [ebx + 4], 0x20
            //   0f85c0000000         | jne                 0xc6

        $sequence_21 = { 57 8d75f4 e8???????? 84c0 0f84ac000000 b809080002 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   8d75f4               | lea                 esi, [ebp - 0xc]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f84ac000000         | je                  0xb2
            //   b809080002           | mov                 eax, 0x2000809

        $sequence_22 = { 6809080002 8bc6 50 8d45fc 50 }
            // n = 5, score = 200
            //   6809080002           | push                0x2000809
            //   8bc6                 | mov                 eax, esi
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 319488
}
Download all Yara Rules