Yara rules Zeus

rule xmlc : banker
{
    strings:
        $a = "/c del" fullword
        $b = "PostDel" fullword
        $c = ">> NUL" fullword
        $d = "LOADXML"
        $e = "lm.dat"
        $f = "---------------%s----------------"

    condition:
        filesize < 150KB and (3 of ($a,$b,$c,$d,$e,$f))
}

rule silent_banker : banker
{
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

rule zbot : banker
{
     strings:
        $a = "__SYSTEM__" wide
        $b = "*tanentry*"
        $c = "*<option"
        $d = "*<select"
        $e = "*<input"

     condition:
        ($a and $b) or ($c and $d and $e)
}

rule banbra : banker
{
    strings:
        $a = "senha" fullword nocase
        $b = "cartao" fullword nocase
        $c = "caixa"
        $d = "login" fullword nocase
        $e = ".com.br"

     condition:
        #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
}


rule spyeye
{
        meta:
        description = "Indicates that the SpyEye Trojan is installed"

        strings:
        $a = "SPYNET"
        $b = "SpyEye"

        condition:
        ($a and $b)
}

rule tdl3
{
        meta:
        null_string = 1

        strings:
        $1 = "\\\\?\\globalroot\\"
        $2 = ".ini"

        condition:
        all of them
✅ Leaked Exploit Documentation:

https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?usp=sharing

This made me $13,000 in 2 days.

Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 38% — they will simply correct the exchange rate.
The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without verification from Swapzone — instant swap).
✅ Leaked Exploit Documentation:

https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?usp=sharing

This made me $13,000 in 2 days.

Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 25% — they will simply correct the exchange rate.
The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without verification from SimpleSwap — instant swap).