win.zeus_openssl

Zeus OpenSSL

aka: XSphinx

This family describes the Zeus variant that bundles a version of OpenSSL and is usually downloaded by Zloader.

In June 2016, version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked into it, so its size is roughly 1.2 MB; in subsequent months that size increased to 1.6 MB.
In January 2017, version 1.14.8.0 linked OpenSSL 1.0.2j instead, increasing the size to 1.8 MB. Soon afterwards, also in January 2017, version 1.15.0.0 obfuscated the code, inflating the binary to 2.2 MB.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia therefore lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.

Zeus Sphinx, on the one hand, has the following versioning ("slow increase"):
- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)
- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)
- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL, on the other hand, has the following versioning ("fast increase"):
- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)
- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)
- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

References
- 2020-03-30 | IBM | Amir Gandler, Limor Kessem: "Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy" (tagged families: Zeus OpenSSL, Zloader)
- 2016-08-16 | SecurityIntelligence | Denis Laskov, Limor Kessem, Ziv Eli: "Brazil Can’t Catch a Break: After Panda Comes the Sphinx" (tagged families: Zeus OpenSSL)
Yara Rules
[TLP:WHITE] win_zeus_openssl_auto (20260504 | Detects win.zeus_openssl.)
rule win_zeus_openssl_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.zeus_openssl."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 745a 837b4000 7454 837b4400 744e 85d2 }
            // n = 6, score = 1300
            //   745a                 | je                  0x5c
            //   837b4000             | cmp                 dword ptr [ebx + 0x40], 0
            //   7454                 | je                  0x56
            //   837b4400             | cmp                 dword ptr [ebx + 0x44], 0
            //   744e                 | je                  0x50
            //   85d2                 | test                edx, edx

        $sequence_1 = { 8bf9 8b8fbc160000 83f90d 7e52 8b5708 56 }
            // n = 6, score = 1300
            //   8bf9                 | mov                 edi, ecx
            //   8b8fbc160000         | mov                 ecx, dword ptr [edi + 0x16bc]
            //   83f90d               | cmp                 ecx, 0xd
            //   7e52                 | jle                 0x54
            //   8b5708               | mov                 edx, dword ptr [edi + 8]
            //   56                   | push                esi

        $sequence_2 = { 85d2 744a 8bc6 d1e8 8bcf 8d0442 8983a4160000 }
            // n = 7, score = 1300
            //   85d2                 | test                edx, edx
            //   744a                 | je                  0x4c
            //   8bc6                 | mov                 eax, esi
            //   d1e8                 | shr                 eax, 1
            //   8bcf                 | mov                 ecx, edi
            //   8d0442               | lea                 eax, [edx + eax*2]
            //   8983a4160000         | mov                 dword ptr [ebx + 0x16a4], eax

        $sequence_3 = { 0f8547160000 83390b 7506 c7010c000000 8b500c }
            // n = 5, score = 1300
            //   0f8547160000         | jne                 0x164d
            //   83390b               | cmp                 dword ptr [ecx], 0xb
            //   7506                 | jne                 8
            //   c7010c000000         | mov                 dword ptr [ecx], 0xc
            //   8b500c               | mov                 edx, dword ptr [eax + 0xc]

        $sequence_4 = { 2bf0 0181c41b0000 8955f8 8b4140 8981c81b0000 c70116000000 }
            // n = 6, score = 1300
            //   2bf0                 | sub                 esi, eax
            //   0181c41b0000         | add                 dword ptr [ecx + 0x1bc4], eax
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8b4140               | mov                 eax, dword ptr [ecx + 0x40]
            //   8981c81b0000         | mov                 dword ptr [ecx + 0x1bc8], eax
            //   c70116000000         | mov                 dword ptr [ecx], 0x16

        $sequence_5 = { 83feff 750a 8b1d???????? 33f6 eb03 }
            // n = 5, score = 1300
            //   83feff               | cmp                 esi, -1
            //   750a                 | jne                 0xc
            //   8b1d????????         |                     
            //   33f6                 | xor                 esi, esi
            //   eb03                 | jmp                 5

        $sequence_6 = { 83c608 03d0 895dfc 8955f8 897df0 3b75cc 72dc }
            // n = 7, score = 1300
            //   83c608               | add                 esi, 8
            //   03d0                 | add                 edx, eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   3b75cc               | cmp                 esi, dword ptr [ebp - 0x34]
            //   72dc                 | jb                  0xffffffde

        $sequence_7 = { 0f84c0000000 0fb74014 8b4e14 894d08 }
            // n = 4, score = 1300
            //   0f84c0000000         | je                  0xc6
            //   0fb74014             | movzx               eax, word ptr [eax + 0x14]
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   894d08               | mov                 dword ptr [ebp + 8], ecx

        $sequence_8 = { 6a01 50 8bce e8???????? 8b466c }
            // n = 5, score = 1300
            //   6a01                 | push                1
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b466c               | mov                 eax, dword ptr [esi + 0x6c]

        $sequence_9 = { 726d 8b8ea0160000 8b86a4160000 8a5660 bf01000000 66893c48 8b86a0160000 }
            // n = 7, score = 1300
            //   726d                 | jb                  0x6f
            //   8b8ea0160000         | mov                 ecx, dword ptr [esi + 0x16a0]
            //   8b86a4160000         | mov                 eax, dword ptr [esi + 0x16a4]
            //   8a5660               | mov                 dl, byte ptr [esi + 0x60]
            //   bf01000000           | mov                 edi, 1
            //   66893c48             | mov                 word ptr [eax + ecx*2], di
            //   8b86a0160000         | mov                 eax, dword ptr [esi + 0x16a0]

    condition:
        7 of them and filesize < 4546560
}
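Added example, not part of the Malpedia page or of yara-signator: a minimal Python evaluator for the rule above that compiles its hex strings (including the `??` wildcards in $sequence_5 and $sequence_8) into byte regexes and applies the "7 of them and filesize < 4546560" condition to constructed buffers, not real samples, so the matching semantics are visible without a YARA install.

```python
import re

# The ten hex strings from the win_zeus_openssl_auto rule above; "??" is a
# YARA single-byte wildcard (bytes the generator left unresolved, e.g. call targets).
RULE_STRINGS = {
    "sequence_0": "745a 837b4000 7454 837b4400 744e 85d2",
    "sequence_1": "8bf9 8b8fbc160000 83f90d 7e52 8b5708 56",
    "sequence_2": "85d2 744a 8bc6 d1e8 8bcf 8d0442 8983a4160000",
    "sequence_3": "0f8547160000 83390b 7506 c7010c000000 8b500c",
    "sequence_4": "2bf0 0181c41b0000 8955f8 8b4140 8981c81b0000 c70116000000",
    "sequence_5": "83feff 750a 8b1d???????? 33f6 eb03",
    "sequence_6": "83c608 03d0 895dfc 8955f8 897df0 3b75cc 72dc",
    "sequence_7": "0f84c0000000 0fb74014 8b4e14 894d08",
    "sequence_8": "6a01 50 8bce e8???????? 8b466c",
    "sequence_9": "726d 8b8ea0160000 8b86a4160000 8a5660 bf01000000 66893c48 8b86a0160000",
}
MAX_FILESIZE = 4546560  # condition: filesize < 4546560
MIN_STRINGS = 7         # condition: 7 of them

def _tokens(pattern):
    """Split 'aa bb??' hex text into two-character byte tokens."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("odd-length hex pattern: %r" % pattern)
    return [digits[i:i + 2] for i in range(0, len(digits), 2)]

def hex_to_regex(pattern):
    """Compile a YARA hex string to a bytes regex; '??' matches any single byte."""
    parts = [b"." if t == "??" else b"\\x" + t.encode() for t in _tokens(pattern)]
    return re.compile(b"".join(parts), re.DOTALL)

def hex_to_bytes(pattern, filler=0x90):
    """Materialise a pattern as concrete bytes, filling wildcards with `filler`."""
    return bytes(filler if t == "??" else int(t, 16) for t in _tokens(pattern))

def evaluate_rule(data):
    """Return (matched, names_found) for '7 of them and filesize < 4546560'."""
    found = [n for n, p in RULE_STRINGS.items() if hex_to_regex(p).search(data)]
    return len(found) >= MIN_STRINGS and len(data) < MAX_FILESIZE, found

def build_buffer(names, pad=b"\xcc" * 16):
    """Constructed test input (not a real sample): chosen sequences between padding."""
    return pad + pad.join(hex_to_bytes(RULE_STRINGS[n]) for n in names) + pad

if __name__ == "__main__":
    print(evaluate_rule(build_buffer(list(RULE_STRINGS)[:7])))  # (True, 7 names)
    print(evaluate_rule(build_buffer(list(RULE_STRINGS)[:6])))  # (False, 6 names)
```

For real files, evaluate_rule(open(path, "rb").read()) reproduces the rule's verdict, but production scanning should use yara itself rather than this illustration.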