Xylitol

root-me-dans-ton.onion

Nov 15th, 2025
  1. **************************************************
  2. ZBot : ZEUS 2.0.8.9
  3. Process : dwm.exe
  4. Pid : 1420
  5. Address : 5898240 (0x005A0000 — the base address shown in the key dumps below)
  6. URL 0 : http://root-me-dans-ton.onion/zeus/config.bin
  7. Identifier : WIN-NUQF2VNU127_E532648A6C634B47
  8. Mutant key : 3563994927
  9. XOR key : 2570630120
  10. Registry : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ohto
  11. Value 1 : Efavati
  12. Value 2 : Uqelmyzi
  13. Value 3 : Xygauhty
  14. Executable : Oquspo\itsu.exe
  15. Data file : Hyilw\ylril.qok
  16. Config RC4 key (258-byte dump: a 256-byte table followed by two bytes — consistent with an expanded RC4 state as stored by ZeuS 2.x rather than a short passphrase; presumably the key that decrypts config.bin) :
  17. 0x005a0000 3a 2e 92 ce 8a cc a2 3d 45 05 b8 4d 83 e8 5e e1 :......=E..M..^.
  18. 0x005a0010 48 47 38 55 fe a1 ff 13 17 7f c2 c6 75 4b 4e 7c HG8U........uKN|
  19. 0x005a0020 9b 68 73 1e 65 bf 0d 04 93 b9 98 cf c3 d7 3f d3 .hs.e.........?.
  20. 0x005a0030 6a 2c 06 c7 a0 99 82 58 d8 31 b3 1b ee 00 e9 87 j,.....X.1......
  21. 0x005a0040 90 a7 50 42 81 be 7e db a4 96 18 5b b4 6d 63 9d ..PB..~....[.mc.
  22. 0x005a0050 88 64 62 fa 32 89 bd af 6c f4 20 d9 80 51 52 59 .db.2...l....QRY
  23. 0x005a0060 bb 40 b2 f2 4f 8f 8d 41 aa e7 e3 4c 03 24 9f 16 [email protected].$..
  24. 0x005a0070 a5 b5 72 e0 da 22 c8 ad 8c 27 ef f9 fb ae 10 f6 ..r.."...'......
  25. 0x005a0080 b1 df 7d ac d5 53 3c 60 ed 1f ca 14 dc d0 8e 69 ..}..S<`.......i
  26. 0x005a0090 f8 43 91 fc 6f 1a 25 3e 84 2b 9a a3 a6 19 1c 2a .C..o.%>.+.....*
  27. 0x005a00a0 d2 f3 a9 09 4a e2 ab 11 5a c5 9c 02 37 76 01 5d ....J...Z...7v.]
  28. 0x005a00b0 77 e4 b0 1d 94 2d 3b 29 39 6e f7 97 e6 f0 56 85 w....-;)9n....V.
  29. 0x005a00c0 49 ec ea 07 cd 0b 6b 15 0a b7 12 0e dd 7b 23 c9 I.....k......{#.
  30. 0x005a00d0 5c 2f 0f 78 9e c4 66 7a 30 b6 79 c1 70 35 74 95 \/.x..fz0.y.p5t.
  31. 0x005a00e0 a8 26 e5 21 d1 de 0c 5f f1 fd c0 54 ba cb 61 67 .&.!..._...T..ag
  32. 0x005a00f0 f5 86 bc 71 8b 34 44 08 28 46 57 d6 eb 36 d4 33 ...q.4D.(FW..6.3
  33. 0x005a0100 00 00 ..
  34. Credential RC4 key (same 258-byte layout as the config key above) :
  35. 0x005a0000 84 80 85 9b 4a 67 70 5a 07 03 d4 0e 30 79 eb 55 ....JgpZ....0y.U
  36. 0x005a0010 a6 1a 5f 01 9f 2d ca 3f b3 af 7b d5 31 5e 7d 9c .._..-.?..{.1^}.
  37. 0x005a0020 e7 cc ce 75 2a b0 1c 2c 94 fc e1 50 8d 4d a5 96 ...u*..,...P.M..
  38. 0x005a0030 7e 9e 52 91 0a 9a 92 c8 4c 87 59 15 ba b5 68 b4 ~.R.....L.Y...h.
  39. 0x005a0040 99 29 39 be 3b b9 2b 73 d0 44 62 db 25 e8 95 f3 .)9.;.+s.Db.%...
  40. 0x005a0050 97 e0 32 cb f6 c6 b2 a3 38 63 78 1f cf da fa 65 ..2.....8cx....e
  41. 0x005a0060 83 e6 22 36 47 d1 60 10 bd ab d8 a4 09 8a 46 9d .."6G.`.......F.
  42. 0x005a0070 72 7a 17 6e 8f 35 2e dd a2 51 27 1d 14 81 90 a0 rz.n.5...Q'.....
  43. 0x005a0080 f9 02 8c 13 de c1 ae aa 4b fe bf c5 3e 05 ad c7 ........K...>...
  44. 0x005a0090 54 df 37 40 86 7f 1b c2 6c 3d a8 00 6b 06 16 bc [email protected]=..k...
  45. 0x005a00a0 88 b7 e9 41 3a 6f 19 ed 66 c9 6a 24 4f 48 53 0c ...A:o..f.j$OHS.
  46. 0x005a00b0 7c ff b6 74 33 cd 77 e2 d3 45 e5 5d 0d 26 4e ac |..t3.w..E.].&N.
  47. 0x005a00c0 c3 0f c0 93 f8 ec dc 3c 71 f5 43 2f 28 61 ea ef .......<q.C/(a..
  48. 0x005a00d0 d2 f4 ee b1 89 f7 bb 6d 11 0b 34 8e d9 76 57 e3 .......m..4..vW.
  49. 0x005a00e0 a9 18 5c 64 08 23 fb b8 fd 8b f2 20 f0 d7 1e 12 ..\d.#..........
  50. 0x005a00f0 42 c4 69 98 a7 d6 e4 58 04 f1 49 21 56 5b a1 82 B.i....X..I!V[..
  51. 0x005a0100 00 00 ..
  52.  
  53. Config RC4 key in hex
  54. 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
  55.  
  56.  
  57. base config:
  58. {
  59. "keys": {
  60. "rc4_key": ":.\u0092\u00ce\u008a\u00cc\u00a2=E\u0005\u00b8M\u0083\u00e8^\u00e1HG8U\u00fe\u00a1\u00ff\u0013\u0017\u007f\u00c2\u00c6uKN|\u009bhs\u001ee\u00bf\r\u0004\u0093\u00b9\u0098\u00cf\u00c3\u00d7?\u00d3j,\u0006\u00c7\u00a0\u0099\u0082X\u00d81\u00b3\u001b\u00ee\u0000\u00e9\u0087\u0090\u00a7PB\u0081\u00be~\u00db\u00a4\u0096\u0018[\u00b4mc\u009d\u0088db\u00fa2\u0089\u00bd\u00afl\u00f4 \u00d9\u0080QRY\u00bb@\u00b2\u00f2O\u008f\u008dA\u00aa\u00e7\u00e3L\u0003$\u009f\u0016\u00a5\u00b5r\u00e0\u00da\"\u00c8\u00ad\u008c'\u00ef\u00f9\u00fb\u00ae\u0010\u00f6\u00b1\u00df}\u00ac\u00d5S<`\u00ed\u001f\u00ca\u0014\u00dc\u00d0\u008ei\u00f8C\u0091\u00fco\u001a%>\u0084+\u009a\u00a3\u00a6\u0019\u001c*\u00d2\u00f3\u00a9\tJ\u00e2\u00ab\u0011Z\u00c5\u009c\u00027v\u0001]w\u00e4\u00b0\u001d\u0094-;)9n\u00f7\u0097\u00e6\u00f0V\u0085I\u00ec\u00ea\u0007\u00cd\u000bk\u0015\n\u00b7\u0012\u000e\u00dd{#\u00c9\\/\u000fx\u009e\u00c4fz0\u00b6y\u00c1p5t\u0095\u00a8&\u00e5!\u00d1\u00de\f_\u00f1\u00fd\u00c0T\u00ba\u00cbag\u00f5\u0086\u00bcq\u008b4D\b(FW\u00d6\u00eb6\u00d43\u0000\u0000"
  61. },
  62. "urls": [
  63. "http://root-me-dans-ton.onion/zeus/config.bin"
  64. ],
  65. "botnet": ""
  66. }
  67.  
  68. dynamic config:
  69. {
  70. "size": 351,
  71. "flags": 0,
  72. "count": 6,
  73. "md5_hash": "c27f560453aa31cc711d71f60e30116a",
  74. "sections": [
  75. {
  76. "id": 20001,
  77. "cfgid": "CFGID_LAST_VERSION",
  78. "data": "0x2000809"
  79. },
  80. {
  81. "id": 20002,
  82. "cfgid": "CFGID_LAST_VERSION_URL",
  83. "data": "http://root-me-dans-ton.onion/zeus/bot.exe"
  84. },
  85. {
  86. "id": 20003,
  87. "cfgid": "CFGID_URL_SERVER_0",
  88. "data": "http://root-me-dans-ton.onion/zeus/gate.php"
  89. },
  90. {
  91. "id": 20005,
  92. "cfgid": "CFGID_HTTP_FILTER",
  93. "data": [
  94. "!*FLAG.IS:*****/*"
  95. ]
  96. },
  97. {
  98. "id": 20007,
  99. "cfgid": "CFGID_HTTP_INJECTS_LIST",
  100. "data": "1 webinjects"
  101. }
  102. ]
  103. }
  104.  
  105. webinject:
  106. {
  107. "1": {
  108. "pieces": {
  109. "1_data_before": "</body>",
  110. "1_data_after": "",
  111. "1_data_inject": "<center>\"Injected!!!</center>"
  112. },
  113. "flags": "IS_INJECT,REQUEST_POST,REQUEST_GET",
  114. "set_url": "http://root-me-dans-ton.onion*"
  115. }
  116. }