Description

• Probable Name: Zbot at first, then others probably.
• Binary used: yL0T.exe
• MD5: e1090d7126dd88d0d1d39b68ea3aae11
• SHA1: e0513664515eacc65e9530afe665619f2bce3802
  
• SHA256: 3fc6bef5eac0656be77f8e96f2b7e08cadb418c11430e8c3d53b33788a93c86a
  
• VirusTotal
• HybridAnalysis
• RobotHash

• Infected Machines:
  • Windows Name: Win6, IP: 10.0.2.106
• Duration: 57.9 days

Analysis of DNS tuples

• 10.0.2.106-8.8.4.4-53-udp (From-Botnet-UDP-DNS--2201)
  • At least 3000 Flows
• 10.0.2.106-8.8.8.8-53-udp (From-Botnet-UDP-DNS--2202)
  • At least 3000 Flows

Timeline

Mon Sep 9 17:15:36 CEST 2013

Win6 infected

Malware has deleted itself and a lot of encrypted communication has started. Keep experiment running..

Wed Nov 6 15:29:06 CET 2013

stopped win6