win.zeus

Zeus

aka: Zbot

There is no description at this point.

References
2020-02-25 | RSA Conference | Joel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:cbab642, author = {SecureWorks}, title = {{GOLD EVERGREEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2020-05-23} } GOLD EVERGREEN
CryptoLocker Pony Zeus
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:f48e53c, author = {SecureWorks}, title = {{BRONZE WOODLAND}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland}, language = {English}, urldate = {2020-05-23} } BRONZE WOODLAND
PlugX Zeus Roaming Tiger
2014-07-02 | Trend Micro | Kervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
PLEAD Zeus
2012-12-24 | Contagio Dump | Mila Parkour
@online{parkour:20121224:dec:927ddb9, author = {Mila Parkour}, title = {{Dec 2012 Linux.Chapro - trojan Apache iframer}}, date = {2012-12-24}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html}, language = {English}, urldate = {2019-12-20} } Dec 2012 Linux.Chapro - trojan Apache iframer
Chapro Zeus
2010-09-07 | S21sec | Mikel Gastesi
@online{gastesi:20100907:zeus:330336f, author = {Mikel Gastesi}, title = {{ZeuS: The missing link}}, date = {2010-09-07}, organization = {S21sec}, url = {https://www.s21sec.com/en/zeus-the-missing-link/}, language = {English}, urldate = {2020-01-17} } ZeuS: The missing link
Zeus
2010-08-01 | Contagio Dump | Mila Parkour
@online{parkour:20100801:zeus:3a2cfe8, author = {Mila Parkour}, title = {{Zeus Trojan Research Links}}, date = {2010-08-01}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html}, language = {English}, urldate = {2019-12-04} } Zeus Trojan Research Links
Zeus
2010-07-24 | Sophos | James Wyke
@online{wyke:20100724:why:17e044c, author = {James Wyke}, title = {{Why won’t my sample run?}}, date = {2010-07-24}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2010/07/24/sample-run/}, language = {English}, urldate = {2020-01-13} } Why won’t my sample run?
Zeus
2010-07-14 | Contagiodump Blog | Mila Parkour
@online{parkour:20100714:zeus:996ba0d, author = {Mila Parkour}, title = {{ZeuS Version scheme by the trojan author}}, date = {2010-07-14}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html}, language = {English}, urldate = {2019-12-20} } ZeuS Version scheme by the trojan author
Zeus
2010-05-03 | Symantec | Karthik Selvaraj
@online{selvaraj:20100503:brief:d35dcb7, author = {Karthik Selvaraj}, title = {{A Brief Look at Zeus/Zbot 2.0}}, date = {2010-05-03}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20}, language = {English}, urldate = {2019-12-06} } A Brief Look at Zeus/Zbot 2.0
Zeus
2010-04-26 | Symantec | Peter Coogan
@online{coogan:20100426:spyeyes:fb53c77, author = {Peter Coogan}, title = {{SpyEye’s "Kill Zeus" Bark is Worse Than its Bite}}, date = {2010-04-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite}, language = {English}, urldate = {2019-12-16} } SpyEye’s "Kill Zeus" Bark is Worse Than its Bite
Zeus
2010-04-19 | MalwareIntelligence | Jorge Mieres
@online{mieres:20100419:zeus:5a230a6, author = {Jorge Mieres}, title = {{ZeuS on IRS Scam remains actively exploited}}, date = {2010-04-19}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html}, language = {English}, urldate = {2019-11-27} } ZeuS on IRS Scam remains actively exploited
Zeus
2010-03-15 | MalwareIntelligence | MalwareIntelligence
@online{malwareintelligence:20100315:new:d307b96, author = {MalwareIntelligence}, title = {{New phishing campaign against Facebook led by Zeus}}, date = {2010-03-15}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html}, language = {English}, urldate = {2020-01-07} } New phishing campaign against Facebook led by Zeus
Zeus
2010-03-10 | Secureworks | Kevin Stevens, Don Jackson
@online{stevens:20100310:zeus:be8ff11, author = {Kevin Stevens and Don Jackson}, title = {{ZeuS Banking Trojan Report}}, date = {2010-03-10}, organization = {Secureworks}, url = {https://www.secureworks.com/research/zeus?threat=zeus}, language = {English}, urldate = {2020-01-13} } ZeuS Banking Trojan Report
Zeus
2010-02-20 | MalwareIntelligence | Jorge Mieres
@online{mieres:20100220:facebook:13a2eb5, author = {Jorge Mieres}, title = {{Facebook & VISA phishing campaign proposed by ZeuS}}, date = {2010-02-20}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html}, language = {English}, urldate = {2020-01-06} } Facebook & VISA phishing campaign proposed by ZeuS
Zeus
2010-02-02 | EternalTODO Blog | Jose Miguel Esparza
@online{esparza:20100202:zeus:c1a8f1f, author = {Jose Miguel Esparza}, title = {{ZeuS spreading via Facebook}}, date = {2010-02-02}, organization = {EternalTODO Blog}, url = {http://eternal-todo.com/blog/zeus-spreading-facebook}, language = {English}, urldate = {2019-07-11} } ZeuS spreading via Facebook
Zeus
2010-01-25 | Ernesto Martin
@online{martin:20100125:leveraging:2c0f7d8, author = {Ernesto Martin}, title = {{Leveraging ZeuS to send spam through social networks}}, date = {2010-01-25}, url = {http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html}, language = {English}, urldate = {2019-10-28} } Leveraging ZeuS to send spam through social networks
Zeus
2009-11-06 | Eternal Todo | Jose Miguel Esparza
@online{esparza:20091106:new:f49d94c, author = {Jose Miguel Esparza}, title = {{New ZeuS binary}}, date = {2009-11-06}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/new-zeus-binary}, language = {English}, urldate = {2020-01-08} } New ZeuS binary
Zeus
2009-10-01 | Eternal Todo | Jose Miguel Esparza
@online{esparza:20091001:detecting:3586ef7, author = {Jose Miguel Esparza}, title = {{Detecting ZeuS}}, date = {2009-10-01}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/detecting-zeus}, language = {English}, urldate = {2020-01-10} } Detecting ZeuS
Zeus
2009-07-11 | MalwareIntelligence | MalwareIntelligence
@online{malwareintelligence:20090711:special:df61090, author = {MalwareIntelligence}, title = {{Special!!! ZeuS Botnet for Dummies}}, date = {2009-07-11}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html}, language = {English}, urldate = {2020-01-07} } Special!!! ZeuS Botnet for Dummies
Zeus
2009 | Symantec | Nicolas Falliere, Eric Chien
@techreport{falliere:2009:zeus:73559c2, author = {Nicolas Falliere and Eric Chien}, title = {{Zeus: King of the Bots}}, date = {2009}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf}, language = {English}, urldate = {2020-01-07} } Zeus: King of the Bots
Zeus
2006-11-13 | Secure Science Corporation | Micael Ligh
@techreport{ligh:20061113:malware:d305d70, author = {Micael Ligh}, title = {{Malware Case Study - ZeusMalware}}, date = {2006-11-13}, institution = {Secure Science Corporation}, url = {https://www.mnin.org/write/ZeusMalware.pdf}, language = {English}, urldate = {2019-11-23} } Malware Case Study - ZeusMalware
Zeus
Yara Rules
[TLP:WHITE] win_zeus_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * Malpedia auto-generated detection rule for win.zeus (aka Zbot).
 *
 * The rule is a bag of short x86 opcode sequences ($sequence_0 .. $sequence_22)
 * that yara-signator selected from the disassembly of unpacked samples and
 * memory dumps (see the DISCLAIMER below). It fires when at least 7 of the
 * 23 sequences are found in a scanned object smaller than 319488 bytes.
 *
 * Reading the strings section:
 *   - Each hex string is one run of consecutive instructions; the comment
 *     lines beneath it list the raw bytes and the disassembly of each one.
 *   - "??" bytes are wildcards. Per tool_config ("callsandjumps;datarefs")
 *     they replace call/jump targets and absolute data references, which is
 *     why the affected instructions (e8 call, ff15 call [mem], a1 mov eax,[mem],
 *     68 push imm32, ...) are shown with an empty disassembly column.
 *     Presumably this keeps a sequence independent of a sample's concrete
 *     addresses, but that is the tool's design choice, not something the
 *     rule itself asserts.
 *   - "n" is the number of instructions in the sequence. "score" is the
 *     tool's ranking weight for that sequence and is NOT evaluated by the
 *     condition: every sequence counts equally towards "7 of them".
 *
 * Because the sequences were taken from unpacked code, expect hits on
 * unpacked samples and on process memory; a packed on-disk binary does not
 * normally expose these byte patterns.
 */
rule win_zeus_auto {

    // Informational only: no meta field below influences matching.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences are listed in descending score order (700 down to 200).
        $sequence_0 = { eb58 833f00 7651 8b5f08 }
            // n = 4, score = 700
            //   eb58                 | jmp                 0x5a
            //   833f00               | cmp                 dword ptr [edi], 0
            //   7651                 | jbe                 0x53
            //   8b5f08               | mov                 ebx, dword ptr [edi + 8]

        $sequence_1 = { e8???????? 8d85f8fdffff 50 6a01 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax
            //   6a01                 | push                1

        $sequence_2 = { e8???????? 8945fc 3bc7 0f8484030000 8b75e0 53 bf???????? }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   3bc7                 | cmp                 eax, edi
            //   0f8484030000         | je                  0x38a
            //   8b75e0               | mov                 esi, dword ptr [ebp - 0x20]
            //   53                   | push                ebx
            //   bf????????           |                     

        $sequence_3 = { a1???????? 85c0 0f8440ffffff 50 ff15???????? 8325????????00 }
            // n = 6, score = 600
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8440ffffff         | je                  0xffffff46
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8325????????00       |                     

        $sequence_4 = { ff15???????? 83f801 751e 807dff05 7410 }
            // n = 5, score = 600
            //   ff15????????         |                     
            //   83f801               | cmp                 eax, 1
            //   751e                 | jne                 0x20
            //   807dff05             | cmp                 byte ptr [ebp - 1], 5
            //   7410                 | je                  0x12

        $sequence_5 = { 7502 2106 c20400 55 8bec }
            // n = 5, score = 600
            //   7502                 | jne                 4
            //   2106                 | and                 dword ptr [esi], eax
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_6 = { 83780c04 7507 b900008000 eb02 33c9 }
            // n = 5, score = 600
            //   83780c04             | cmp                 dword ptr [eax + 0xc], 4
            //   7507                 | jne                 9
            //   b900008000           | mov                 ecx, 0x800000
            //   eb02                 | jmp                 4
            //   33c9                 | xor                 ecx, ecx

        $sequence_7 = { 2975ec c60000 897df0 8bd6 8b45ec 8a0c10 }
            // n = 6, score = 600
            //   2975ec               | sub                 dword ptr [ebp - 0x14], esi
            //   c60000               | mov                 byte ptr [eax], 0
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   8bd6                 | mov                 edx, esi
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8a0c10               | mov                 cl, byte ptr [eax + edx]

        $sequence_8 = { 8bf3 6810270000 ff35???????? ff15???????? }
            // n = 4, score = 500
            //   8bf3                 | mov                 esi, ebx
            //   6810270000           | push                0x2710
            //   ff35????????         |                     
            //   ff15????????         |                     

        $sequence_9 = { e8???????? 84c0 7442 6a10 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7442                 | je                  0x44
            //   6a10                 | push                0x10

        $sequence_10 = { 891d???????? 891d???????? ffd6 68???????? }
            // n = 4, score = 500
            //   891d????????         |                     
            //   891d????????         |                     
            //   ffd6                 | call                esi
            //   68????????           |                     

        $sequence_11 = { 8d8db0fdffff e8???????? 8ad8 84db }
            // n = 4, score = 400
            //   8d8db0fdffff         | lea                 ecx, [ebp - 0x250]
            //   e8????????           |                     
            //   8ad8                 | mov                 bl, al
            //   84db                 | test                bl, bl

        $sequence_12 = { ff15???????? 5e 8ac3 5b c20800 55 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   8ac3                 | mov                 al, bl
            //   5b                   | pop                 ebx
            //   c20800               | ret                 8
            //   55                   | push                ebp

        // NOTE(review): the immediate 0x2000809 recurs in sequences 13, 14, 15,
        // 16, 19, 21 and 22; sequences 14 and 21 XOR a register with it and
        // then compare against fixed dwords. A family-specific constant is a
        // plausible reading, but its meaning is not established by this rule.
        $sequence_13 = { e8???????? 84c0 0f84ac000000 b809080002 3945f4 7713 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f84ac000000         | je                  0xb2
            //   b809080002           | mov                 eax, 0x2000809
            //   3945f4               | cmp                 dword ptr [ebp - 0xc], eax
            //   7713                 | ja                  0x15

        $sequence_14 = { 81f309080002 81fb5d515047 7410 81fb4f4d4156 }
            // n = 4, score = 200
            //   81f309080002         | xor                 ebx, 0x2000809
            //   81fb5d515047         | cmp                 ebx, 0x4750515d
            //   7410                 | je                  0x12
            //   81fb4f4d4156         | cmp                 ebx, 0x56414d4f

        $sequence_15 = { c707000e0000 c7470809080002 e8???????? 83674200 6a78 }
            // n = 5, score = 200
            //   c707000e0000         | mov                 dword ptr [edi], 0xe00
            //   c7470809080002       | mov                 dword ptr [edi + 8], 0x2000809
            //   e8????????           |                     
            //   83674200             | and                 dword ptr [edi + 0x42], 0
            //   6a78                 | push                0x78

        $sequence_16 = { e8???????? 68e6010000 68???????? 6809080002 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   68e6010000           | push                0x1e6
            //   68????????           |                     
            //   6809080002           | push                0x2000809

        $sequence_17 = { 2501000080 7905 48 83c8fe 40 ff75f4 f7d8 }
            // n = 7, score = 200
            //   2501000080           | and                 eax, 0x80000001
            //   7905                 | jns                 7
            //   48                   | dec                 eax
            //   83c8fe               | or                  eax, 0xfffffffe
            //   40                   | inc                 eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   f7d8                 | neg                 eax

        $sequence_18 = { ff750c 51 ff7508 ff15???????? 8bf8 3bfe 744a }
            // n = 7, score = 200
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   3bfe                 | cmp                 edi, esi
            //   744a                 | je                  0x4c

        $sequence_19 = { 6813270000 6a04 5b 8bc6 c745f809080002 }
            // n = 5, score = 200
            //   6813270000           | push                0x2713
            //   6a04                 | push                4
            //   5b                   | pop                 ebx
            //   8bc6                 | mov                 eax, esi
            //   c745f809080002       | mov                 dword ptr [ebp - 8], 0x2000809

        $sequence_20 = { 6a14 eb18 81fb5a5c4156 740c }
            // n = 4, score = 200
            //   6a14                 | push                0x14
            //   eb18                 | jmp                 0x1a
            //   81fb5a5c4156         | cmp                 ebx, 0x56415c5a
            //   740c                 | je                  0xe

        $sequence_21 = { 3509080002 3d5c5b4550 740b 3d59495351 }
            // n = 4, score = 200
            //   3509080002           | xor                 eax, 0x2000809
            //   3d5c5b4550           | cmp                 eax, 0x50455b5c
            //   740b                 | je                  0xd
            //   3d59495351           | cmp                 eax, 0x51534959

        $sequence_22 = { 8d470c 50 c707000e0000 c7470809080002 }
            // n = 4, score = 200
            //   8d470c               | lea                 eax, [edi + 0xc]
            //   50                   | push                eax
            //   c707000e0000         | mov                 dword ptr [edi], 0xe00
            //   c7470809080002       | mov                 dword ptr [edi + 8], 0x2000809

    condition:
        // Match when at least 7 of the 23 sequences above occur, in any order
        // and at any offset, and the scanned object is under 319488 bytes
        // (312 KiB). The size cap applies to whatever YARA is handed (a file
        // or a memory region), so it suppresses matches on larger dumps; keep
        // that in mind when interpreting a non-match on a big memory image.
        7 of them and filesize < 319488
}