{
	"id": "7b11c41c-55c2-409b-a962-2e78f7788a8f",
	"created_at": "2026-04-06T00:07:03.972227Z",
	"updated_at": "2026-04-10T03:20:19.678564Z",
	"deleted_at": null,
	"sha1_hash": "30ec003df5d6e9a0119110ffed2ce44b4a15ec9a",
	"title": "New ZeuS binary | eternal-todo.com",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34137,
	"plain_text": "New ZeuS binary | eternal-todo.com\r\nArchived: 2026-04-05 22:04:40 UTC\r\nBotnet\r\ne-crime\r\nMalware\r\nZeuS\r\nThe evolution continues. Some days ago a new ZeuS binary appeared with the version number 1.3.0.26. This new\r\ndevelopment is an attempt to improve the stealth techniques used to date, as stated in one of the TODO files found\r\nsome time ago. After just a quick look, one can notice the following changes:\r\nWhen it's executed and the system isn't infected yet, it copies itself in the directory\r\n%SystemRoot%/system32, but with a different filename in each execution. Also it gets the basic file\r\ninformation from the %SystemRoot%/system32/ntdll.dll file (creation, last access and modification dates).\r\nIf it finds a previous ZeuS version installed it deletes the binary, leaves and shows the hidden files in the\r\nnext reboot. To give an idea of the situation, one of the latest samples with sdra64.exe as executable\r\nfilename is the 1.2.12 one.\r\nApparently the configuration and data files are not stored on disk anymore but they're exclusively stored in\r\nmemory.\r\nIn addition to these important modifications, it’s worth mentioning the use of an IP instead of a domain name in\r\nthe dropzone URL. Also, there doesn't seem to be a complete panel in the URL directory, but a small PHP file –\r\nprobably a redirection. This is not something new, but maybe it's this version’s new way to hide and make difficult\r\nthe analysis.\r\nHowever, we've seen some samples with the version number 1.3.1.1 but featuring the usual behaviour (except\r\ndeleting previous binaries): sdra64.exe as binary filename and storing configuration and data files on disk. Perhaps\r\nthis is due to multiple options when creating the binary (builder) or to the existence of different authors.\r\nAs you can see, some of the techniques posted on this blog for detecting ZeuS have slightly changed in this case.\r\nBasically, all of them are still valid with the exception of the location of hidden configuration and data files\r\nfunction, which apparently don’t exist anymore.\r\nThis is only a preliminary analysis of this new binary, but we'll post more details as soon as we have them. Tune in\r\nagain!\r\nSubmitted by jesparza on Fri, 2009/11/06 - 13:25\r\nSource: http://eternal-todo.com/blog/new-zeus-binary\r\nhttp://eternal-todo.com/blog/new-zeus-binary\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://eternal-todo.com/blog/new-zeus-binary"
	],
	"report_names": [
		"new-zeus-binary"
	],
	"threat_actors": [],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30ec003df5d6e9a0119110ffed2ce44b4a15ec9a.pdf",
		"text": "https://archive.orkl.eu/30ec003df5d6e9a0119110ffed2ce44b4a15ec9a.txt",
		"img": "https://archive.orkl.eu/30ec003df5d6e9a0119110ffed2ce44b4a15ec9a.jpg"
	}
}