bartblaze

Isonet AG stolen certificate used in the Upatre/Zeus/Necurs

Apr 8th, 2014
Isonet AG stolen certificate used in the Upatre/Zeus/Necurs campaign.

The following strings are present in each file signed with this certificate (useful for a Yara rule, for example):
"isonet ag"
"isonet ag0"
"isonet ag1>0<"
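
As an added example (not part of the paste and not bartblaze's code), here is a YARA rule that turns those strings and the certificate fields below into a detection; the rule name and meta values are my own choices, and the pe module is assumed to be available.

```yara
import "pe"

rule isonet_ag_stolen_codesigning_cert
{
    meta:
        description = "PE file carrying the stolen isonet ag code-signing certificate (Upatre/Zeus/Necurs, 2014)"
        reference   = "https://blogs.comodo.com/e-commerce/comodo-av-labs-id-zeus-trojan/"

    strings:
        // Byte sequences seen in every file signed with the certificate.
        // The trailing "0" (0x30) and "1>0<" (0x31 0x3E 0x30 0x3C) are the
        // ASN.1 tag/length bytes of the DER structures that follow the
        // O= and CN= values in the subject, so these hits come from the
        // embedded certificate, not from program text.
        $s1 = "isonet ag" ascii
        $s2 = "isonet ag0" ascii
        $s3 = "isonet ag1>0<" ascii

    condition:
        // MZ header: only evaluate PE files
        uint16(0) == 0x5A4D and
        (
            // Precise check: the serial number of the stolen certificate,
            // in the lowercase colon-separated form the pe module reports.
            for any i in (0 .. pe.number_of_signatures - 1) : (
                pe.signatures[i].serial == "75:a3:85:07:bf:40:3b:15:21:25:b8:f5:ce:1b:97:ad"
                or (
                    pe.signatures[i].issuer contains "VeriSign Class 3 Code Signing 2010 CA"
                    and pe.signatures[i].subject contains "O=isonet ag"
                )
            )
            // Fallback for truncated or damaged samples whose signature
            // cannot be parsed but whose certificate bytes survive.
            or all of ($s*)
        )
}
```

The rule identifies any file signed with this certificate, which includes software isonet ag legitimately signed before the key was stolen, so treat a hit as "signed with a compromised certificate" and confirm with the hashes and revocation status rather than as malware on its own.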

For a more in-depth look, see:
https://blogs.comodo.com/e-commerce/comodo-av-labs-id-zeus-trojan/

MD5s of signed executables with the stolen certificate:

Rootkit component (Necurs):
a2f2b24bd6fa13095c319f7f61c21d2f


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:a3:85:07:bf:40:3b:15:21:25:b8:f5:ce:1b:97:ad
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
        Validity
            Not Before: Dec  7 00:00:00 2012 GMT
            Not After : Feb  5 23:59:59 2016 GMT
        Subject: C=CH, ST=Z\xC3\xBCrich, L=Z\xC3\xBCrich, O=isonet ag, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Technik, CN=isonet ag
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9e:73:96:ed:32:df:ca:3a:be:5d:0e:26:25:57:
                    39:73:75:be:ef:4a:b1:4f:43:27:27:ae:ad:73:50:
                    c2:e8:0d:98:da:ee:76:d5:af:26:b7:5d:ba:69:55:
                    d5:e5:2c:e0:40:8b:f5:e0:c8:94:20:7c:43:63:83:
                    48:72:3d:ee:90:8f:df:cc:25:08:dd:c6:91:cc:6c:
                    94:d1:07:75:4d:5c:5d:a6:ed:64:55:a6:99:6c:4e:
                    f3:a9:6b:f7:20:d8:5f:bd:8b:04:55:57:54:6d:ce:
                    6c:bc:45:ac:24:ca:7b:5e:2a:eb:15:56:06:b1:82:
                    d5:30:7d:b4:51:5f:2b:1e:38:5b:1e:2a:4b:20:0d:
                    42:bb:51:d8:0e:0f:04:46:0c:be:30:2c:5c:3b:12:
                    42:e2:be:6f:ea:1b:9f:94:b0:4c:da:56:80:17:64:
                    30:a8:1c:26:85:2d:c1:a5:ee:d0:00:32:f7:20:d1:
                    c4:0c:bf:d8:54:7a:4e:73:cf:de:9b:e3:0a:2d:b4:
                    9c:21:ae:e9:be:45:c4:09:5e:e3:e6:68:f9:fb:49:
                    08:57:c1:a0:9b:c3:c6:a6:4a:d7:a8:09:a0:0f:ee:
                    f7:01:f3:1b:a1:6e:e6:1d:15:08:d7:b3:e1:25:ef:
                    4e:fb:57:cb:46:dd:1e:ad:64:67:20:5a:dc:aa:d8:
                    49:e7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://csc3-2010-crl.verisign.com/CSC3-2010.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa

            X509v3 Extended Key Usage:
                Code Signing
            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://csc3-2010-aia.verisign.com/CSC3-2010.cer

            X509v3 Authority Key Identifier:
                keyid:CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D

            Netscape Cert Type:
                Object Signing
            1.3.6.1.4.1.311.2.1.27:
                0.......
    Signature Algorithm: sha1WithRSAEncryption
        a5:fd:c9:03:e4:18:30:09:07:54:9a:d5:32:9d:31:64:06:a5:
        c7:96:a3:4d:8d:04:07:3a:00:1a:c8:20:40:de:d2:c7:17:9b:
        19:f2:89:e2:71:ff:59:80:80:be:6f:02:bf:b4:9b:11:47:02:
        ec:2d:13:44:1c:54:31:43:f9:be:92:10:1b:c1:0a:24:ac:07:
        69:83:80:8c:4a:67:5a:36:10:c3:ee:03:a8:66:60:0a:e0:b4:
        12:a9:9b:71:4a:4d:48:7b:b7:d5:1a:14:46:7b:20:47:12:9d:
        96:4f:43:fe:e6:2b:f9:47:32:7b:02:91:99:f7:5d:d6:2b:b7:
        dc:41:40:fb:e0:05:3e:6e:eb:7c:c1:e2:c1:7a:4b:c6:97:c8:
        23:cd:ec:46:38:12:92:f4:32:f6:f7:cd:86:da:09:61:ff:98:
        c5:54:35:94:49:53:dd:b9:d2:b4:71:44:b7:e7:31:81:6e:56:
        b4:d5:45:ac:f9:fa:76:7d:5c:cf:96:c3:e6:44:ec:a0:3e:19:
        e8:2a:fa:5f:f2:2a:13:d7:36:3e:eb:9e:fa:d1:85:73:3e:77:
        7a:9c:c2:8d:0a:09:95:87:7d:5d:bf:b0:e2:6e:b0:6d:db:ed:
        69:33:59:f4:d8:28:c4:00:4e:09:29:92:0c:46:3c:9d:61:b1:
        63:eb:8a:2e