Dudes, I and two other fellows have dealt with an incident about a victim whose online banking account has been compromised and a huge lump sum of money was transferred out to Eastern Europe. In fact, the victim is still using the old two-factor authentication token, which means we cannot identify whether the generated passcode is for authentication, a money transfer to a specific account, a bill payment, etc.; the attacker manipulates it indeed. Please download it from here.
goo.gl/FVFBO
Enjoy it, mate ;-)
The analysis has been updated. We have found that the .zlg file extension is used by a software called e-Surveiller (http://www.e-surveiller.com/features.htm); it simply records user activities (like keystrokes, screen captures, etc.) and sends them to a remote site via FTP.
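As an added example (not code from the original post or from any of the commenters), the following Python script shows how a defender would sweep network logs for the two indicators this thread gives: DNS lookups of the reported C&C domain greathell.ru, and FTP uploads of .zlg capture files, the format e-Surveiller writes before shipping it off over FTP. The log layout (timestamp followed by key=value tokens) and all log lines are constructed for this example; the domain check also flags subdomains of the C&C domain, which goes slightly beyond the single hostname quoted in the thread.

```python
import re

# Indicators taken from the thread: the C&C domain the other commenters
# reported, and the capture-file extension used by e-Surveiller.
CC_DOMAINS = {"greathell.ru"}
SUSPECT_EXTENSIONS = {".zlg"}

# Constructed sample log lines (not real traffic). The "key=value" layout is
# an assumption made for this example; adapt parse_line() to your sensor.
SAMPLE_LOGS = [
    "2012-03-01T10:00:01 src=10.0.0.12 proto=dns query=www.example.com",
    "2012-03-01T10:00:05 src=10.0.0.12 proto=dns query=greathell.ru",
    "2012-03-01T10:00:09 src=10.0.0.12 proto=ftp cmd=STOR file=capture_0001.zlg dst=198.51.100.7",
    "2012-03-01T10:00:12 src=10.0.0.44 proto=ftp cmd=STOR file=report.pdf dst=203.0.113.9",
    "2012-03-01T10:00:15 src=10.0.0.12 proto=dns query=mail.greathell.ru",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Split one log line into a dict of fields; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def domain_matches(query, domains):
    """True if the queried name is a listed C&C domain or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def find_hits(lines, cc_domains=CC_DOMAINS, exts=SUSPECT_EXTENSIONS):
    """Return (timestamp, source host, hit type, detail) for every matching line."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if not f:
            continue
        if f.get("proto") == "dns" and domain_matches(f.get("query", ""), cc_domains):
            hits.append((f["ts"], f.get("src"), "dns-cc-lookup", f["query"]))
        elif f.get("proto") == "ftp" and f.get("cmd") == "STOR":
            # Only uploads matter here: e-Surveiller pushes its captures out via FTP.
            name = f.get("file", "").lower()
            if any(name.endswith(e) for e in exts):
                hits.append((f["ts"], f.get("src"), "ftp-upload-zlg", f["file"]))
    return hits


def hosts_to_triage(hits):
    """Distinct source hosts that produced at least one hit, sorted for reporting."""
    return sorted({h[1] for h in hits if h[1]})


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOGS)
    for hit in found:
        print(hit)
    print("hosts to triage:", hosts_to_triage(found))
```

The FTP check only works where the sensor sees the plaintext FTP control channel; if the exfiltration host is only known by the domain, the DNS match is the more reliable of the two, which is why the script reports both and rolls them up per source host for triage.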
Other malware has been reported that connected to the same C&C "g r e a t h e l l . r u"
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RZB/detailed-analysis.aspx
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=515850
C&C information recorded in MalwareGroup
http://www.malwaregroup.com/domains/details/greathell.ru