- Isonet AG stolen certificate used in the Upatre/Zeus/Necurs campaign.
- The following strings are present in each file signed with this certificate (useful, for example, in a YARA rule):
- "isonet ag"
- "isonet ag0"
- "isonet ag1>0<"
- For a more in-depth look, see:
- https://blogs.comodo.com/e-commerce/comodo-av-labs-id-zeus-trojan/
- MD5s of executables signed with the stolen certificate:
- Rootkit component (Necurs):
- a2f2b24bd6fa13095c319f7f61c21d2f
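An added detection example, not part of the original paste: a YARA rule that combines the subject strings listed above with the DER-encoded serial number from the certificate dump below, so that a hit does not depend on the string artefacts alone. The rule name is my own choice; the serial and strings are the paste's.

```yara
import "pe"

rule Isonet_AG_stolen_codesign_cert
{
    meta:
        description = "PE carrying the stolen isonet ag code-signing certificate (Upatre/Zeus/Necurs campaign)"
        reference   = "https://blogs.comodo.com/e-commerce/comodo-av-labs-id-zeus-trojan/"

    strings:
        // Subject-name strings from the paste. In the DER-encoded certificate the
        // bytes after "isonet ag" are ASN.1 tag/length octets, which is why the
        // listed strings end in "0" (0x30, the next SEQUENCE after CN=isonet ag)
        // and "1>0<" (0x31 0x3e 0x30 0x3c, the SET/SEQUENCE that opens the
        // 53-byte OU attribute following O=isonet ag).
        $name_o  = "isonet ag1>0<" ascii
        $name_cn = "isonet ag0" ascii

        // DER INTEGER holding the serial number from the dump: tag 0x02, length
        // 0x10, then 75:a3:85:07:bf:40:3b:15:21:25:b8:f5:ce:1b:97:ad. It occurs in
        // the embedded signer certificate and again in the SignerInfo's
        // IssuerAndSerialNumber, so a file signed with it matches at least twice.
        $serial = { 02 10 75 A3 85 07 BF 40 3B 15 21 25 B8 F5 CE 1B 97 AD }

    condition:
        // MZ header plus a populated Authenticode (security) data directory,
        // then either the exact serial or both name artefacts.
        uint16(0) == 0x5A4D and
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size > 0 and
        ( $serial or all of ($name_*) )
}
```

The rule fires on anything signed with this certificate, including Isonet's own binaries signed before the key was stolen, so treat a hit as a triage candidate rather than a verdict.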
- Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- 75:a3:85:07:bf:40:3b:15:21:25:b8:f5:ce:1b:97:ad
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
- Validity
- Not Before: Dec 7 00:00:00 2012 GMT
- Not After : Feb 5 23:59:59 2016 GMT
- Subject: C=CH, ST=Zürich, L=Zürich, O=isonet ag, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Technik, CN=isonet ag
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus: (2048-bit RSA modulus hex omitted)
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage: critical
- Digital Signature
- X509v3 CRL Distribution Points:
- Full Name:
- URI:http://csc3-2010-crl.verisign.com/CSC3-2010.crl
- X509v3 Certificate Policies:
- Policy: 2.16.840.1.113733.1.7.23.3
- CPS: https://www.verisign.com/rpa
- X509v3 Extended Key Usage:
- Code Signing
- Authority Information Access:
- OCSP - URI:http://ocsp.verisign.com
- CA Issuers - URI:http://csc3-2010-aia.verisign.com/CSC3-2010.cer
- X509v3 Authority Key Identifier:
- keyid:CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D
- Netscape Cert Type:
- Object Signing
- 1.3.6.1.4.1.311.2.1.27:
- 0.......
- Signature Algorithm: sha1WithRSAEncryption
- (PEM-encoded certificate omitted)