2 replies to this topic

[ltheonel]

Since noboy is interested, thread can be deleted please.

Attached Files

•  zbot.zip   229.13K   17 downloads

Edited by ltheonel, 28 August 2011 - 05:20 AM.
Attached sample to post...

[ltheonel]

ltheonel, on 12 August 2011 - 05:25 PM, said:

ATTENTION: THIS IS A MALEWARE SAMPLE AND EXECUTION/ANALYSING IS ON OWN RISK!!!!!!!!!

Hello, i got this Zeus bot sample this should connect to your local lan, there seems to be some selfchecking done inside it, that i dont understand.
I obscured it with a simple crypter to analyse behavior but failed.
If you have some interest tips for me just post, doing research now maybe a week

You can break befor execution of resumethread and manipulate the entry of new created process thats where the maleware got deobfuscated in first layer.

this is bot samlpe:
crypted.bot:http://www.mediafire.com/?qryeecrg3j3se3c
uncrypted.bot:http://www.mediafire.com/?idcx6gy3xmntd3j

ATTENTION: THIS IS A MALEWARE SAMPLE AND EXECUTION/ANALYSING IS ON OWN RISC!!!!!!!!!

[Teddy Rogers]

Is it looking for specific processes before injection?

What is the password to the archive?

Ted.