
Thread: Sphinx Zeus Over Tor

  #1
    Member (Join Date Aug 2015, Posts 7)

    Sphinx Zeus Over Tor

    We have given our software for verification a long while ago and have been given permission to post and sell in the mean time provided we make this clear in the thread that we have not yet been given 100% verification. We will provide a demo panel and uncrypted bot upon request by serious potential buyers. We are successful sellers on 0day and siph0n also.

    Why Z0t?
    ------------------
    EXTREME RESILIENCE
    ------------------
    Zeus Over Tor cannot be shut down by Spamhaus or Zeus-Tracker or any methods currently employed by organizations hell-bent on removing the Zeus threat. It can't be shut down because you cannot find the IP address of the hosting from the hidden service address, and thus cannot report to the hosting company that they are indeed hosting malware. Furthermore, Zeus Over Tor does not require you to register a domain: you have a hidden service address, and as such you can easily move your botnet within one hour, and your hidden service domain cannot be shut down because with a hidden service there is no domain registration. The domain is generated dynamically when you create your hidden service. This feature alone makes Zeus Over Tor the most resilient and easy to maintain financial malware currently available on the market, bar none.

    Sphinx banking trojan - Zeus over Tor

    A trojan based on ZeuS 2.0.8.9 source code that has been in active development for 10 months in C++ by a full-time malware developer. Sphinx uses Tor hidden service technology to evade blacklists, Zeus Tracker and the requirement for bulletproof hosting and a domain. Tor hidden service addresses are generated automatically by Tor and are free of charge. We recommend using multiple Bridges for your command and control to improve privacy. By using Bridges your server ISP won't even know you're running Tor. Sphinx uses the latest stable Tor version (currently: 0.2.7.6) and it is injected into svchost.exe at runtime. The bot is coded to work with the lowest privileges. It does not need UAC and works even on Guest accounts. The whole import table is hashed and strings are encrypted, with different output for hashes and strings on each version. Even with the large feature list we have made sure that Sphinx works with almost ALL crypters. The bot is packed using our own position-independent, self-decrypting packer. Because it is position-independent code, the crypter does not even have to handle relocations, so crypting Sphinx cannot get any easier than this, but the output still requires a .reloc section.

    Features

    Webinjects
    Using browser hooks Sphinx is able to modify response content from the browser while still bypassing the SSL certificate. Browser response content modification is done within the config file, which is downloaded by the bot on execution and stored locally so as not to slow down the browser. You can create an Auto-transfer-system (Avtozaliv) or simple injects to get Fullz, CC, etc. Webinjects use the familiar ZeuS format which all Inject and ATS developers are familiar with. Supported browsers are Microsoft Internet Explorer and Mozilla Firefox. Google Chrome support is coming soon.

    Webfakes
    Using browser hooks Sphinx is able to redirect a site of your choosing to your phish site transparently. This means it will still look like the legit site (even SSL certificate) but the content will be your phish site. Only Internet Explorer and Mozilla Firefox are supported. Google Chrome support is coming soon.

    Formgrabber
    Using browser hooks Sphinx is able to grab ALL entered data from the browser. All grabbed data is uploaded to command and control instantly with the full header, so you get data + full information including User-Agent. Sphinx grabs both GET and POST, both HTTP and HTTPS. Supported browsers are Microsoft Internet Explorer, Mozilla Firefox and Google Chrome.

    Track 2 grabber
    Using System Wide Injection Sphinx is able to scan the local memory of every process instead of remote memory like competitor point-of-sale malware has done in the past (Dexter, Alina, etc). Scanning local memory is much faster, less resource intensive and stealthier. Unlike Dexter/Alina, Sphinx won't miss a single Track 2 because Sphinx does not scan memory in 3072-byte blocks but as a whole region.

    Keylogger
    Using System Wide Injection Sphinx is able to capture all key strokes entered by the user. This feature is only active with the Formgrabber. All entered keystrokes will be uploaded to command and control with Formgrabber report. Does not use GetKeyAsyncState or SetWindowsHookEx.

    Cookies grabber
    Grabs cookies from Internet Explorer upon execution and reports them to command and control.
    Mozilla Firefox and Google Chrome support is coming soon.

    SOCKS 4/4a/5
    Use your bot IP address to access their accounts and do transfers. Be sure to use the User-Agent you get from Formgrabber Reports. This feature also uses the hidden service technology and will cause a firewall popup from explorer.exe on startup. Hidden service technology bypasses NAT and will not require your bots to port-forward. This feature can be disabled.

    Backconnect SOCKS 4/4a/5
    Alternative to SOCKS 4/4a/5 but does not cause a firewall popup on your bots. Tor hidden service technology is disabled for this feature and it will require you to run the Backconnect server on a Windows server which allows you to port-forward. Do not run the Backconnect Server on the same server where you're hosting the Panel behind a Tor hidden service, because this feature does expose the IP address of your backconnect server to your bots.

    Backconnect Hidden VNC
    Use VNC to remote-control your bots to access their accounts and do transfers directly from their computer on a different hidden desktop. Tor hidden service technology is disabled for this feature and it will require you to run the Backconnect server on a Windows server which allows you to port-forward. Do not run the Backconnect Server on the same server where you're hosting the Panel behind a Tor hidden service, because this feature does expose the IP address of your backconnect server to your bots. Hidden VNC currently only works properly on Windows XP and Vista. In future versions this feature will be fully working on Windows 7, 8 and 10.

    Certificate grabber
    Using certificate import hooks Sphinx is able to grab certificates before they are used. This is useful because it can be used for campaigns to sign your malware.

    FTP/POP3 sniffer
    By using WinSock hooks, Sphinx is able to grab FTP and POP3 data before they even reach their destination.

    Software grabber
    Windows Mail
    Outlook
    Macromedia Flash
    Windows Address Book
    Windows Contacts
    FTP Flash Exp 3
    FTP Total Commander
    WsFTP
    FileZilla
    FTP Far Manager
    FTP WinScp
    FTP Commander
    SmartFTP

    DDoS
    Launch distributed denial-of-service attacks on anything you want. Supported methods are UDP, Rapid connect/disconnect and HTTP-GET. Both RCD and HTTP-GET support .onion targets. You can run attacks for the time of your choosing or unlimited, until bot_ddos_stop is executed.

    Zombie Process
    Sphinx will inject itself in a digitally signed process before running its malicious functions such as System-wide-injection and Installation to bypass runtime detections.

    System-Wide-Injection
    Sphinx will inject itself into all running processes so it can know when a new process is created and hook it at the very start.

    Installation
    Sphinx will create a folder in ProgramData under a random name and copy itself from a digitally signed process to it, also under a random name. It will then create a registry key in HKCU to run on every startup. The original executable is deleted. This feature can be disabled on request.

    File Persistence
    If the user finds and deletes the executable held in ProgramData, it will be automatically and almost instantly written back.

    Registry Persistence
    If the user finds the HKCU key and deletes it, it will be automatically and almost instantly written back.

    Communication
    Winsock is used to communicate with command and control and to download config.

    Download-Execute
    Files are downloaded using WinSock and dropped in Temp and executed using WriteFile and CreateProcess respectively. Onion addresses are supported.

    Update bot
    Same as Download-Execute but after execution bot will remove itself.

    Uninstall
    Bot will remove itself.



    Panel Feature List

    Statistics
    You can see in a graph the following information - Bots by country, Bots, Bots by Operating System, Online Bots, Total Bots, Total Reports, Total active bots in 24 hours.
    You can also split botnets by botnet name and see individual statistics for each botnet.

    Bot List
    You can filter the botlist by botnet names, specific bots, IP addresses and countries. Also NAT status, show only online bots, only new bots, used status and comment. The botlist shows the following information - Bot ID, Botnet name, Version, IPv4, Hidden Service (for SOCKS), Country, Online time, Latency and Comment.

    You can select individual or all bots and check all their SOCKS if they are working with a single click. You can create a command for selected bots. You can view Today reports. You can see last 7 days reports. You can see their full information and full information with current screenshot. The screenshot feature only works if you have enabled SOCKS in your build and user has hit "Allow" for firewall.

    The full information page shows the following information - Bot ID, Botnet name, OS version, OS language, GMT, Country, IPv4, Hidden Service address, Latency, SOCKS port, Time of first report, Time of last report, Online time, whether it's in the list of new bots, whether it's in the list of used bots, and comment. On this same page you can create a comment for the bot. And of course the screenshot.

    Commands (Scripts)
    You can Enable/Disable active commands and reset them. You can create new commands. You can see the current commands by their name, status (Enabled/Disabled), Creation time, Limit of sends (amount of bots that will execute it), Sent, Executes and Errors (the bot reports if a command failed).

    You can create a command for specific bots, specific botnet names or specific countries, and you can limit the amount of bots that will execute it.

    Reports
    You can view all your reports starting from Formgrabber and ending with Track 2 data. The formgrabber data is split by HTTP GET, HTTP POST, HTTPS GET, HTTPS POST.

    You can filter the search by Date (from, to), Bots, Botnets, IP Addresses and Countries. You can search for a string and also filter by type of report.

    Reports can be shown as plain text or normal - Bot name + IP + URL.

    Jabber notifier
    Use this feature to get announcements on your Jabber when a bot enters a site of your choosing.
    This feature requires you to set up an account on some Jabber server and enter the details + your contact Jabber.


    Purchase

    Price
    $800.00 USD.
    You can purchase Sphinx using only Bitcoin.

    Contact:

    SphinxTrojan@exploit.im
    m0zz@exploit.im
    zeusovertor@exploit.im
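The Installation, File Persistence and Registry Persistence entries in the post above describe an HKCU Run autostart pointing at a randomly named executable inside a randomly named ProgramData folder. As an added hunting example (written here, not code from the thread or the seller), this Python snippet parses a constructed `reg export` of the HKCU Run key and flags entries whose target sits in a ProgramData subfolder outside an analyst allowlist; the sample entries, paths and the allowlist are invented.

```python
import re

# Constructed sample in `reg export` format; every name and path is invented.
SAMPLE_RUN_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"VendorUpdater"="C:\\ProgramData\\VendorName\\Updater.exe --quiet"
"kqzxwvtr"="\"C:\\ProgramData\\pfwzqlkd\\mvhtrcxq.exe\""
'''

# Analyst-maintained allowlist (assumption) of ProgramData subfolders that legitimately autostart.
KNOWN_PROGRAMDATA_DIRS = {"vendorname"}

# One exported value line: "name"="value" (reg export escapes \ as \\ and " as \").
ENTRY_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"="(?P<value>.*)"$')


def parse_run_entries(export_text):
    """Return (name, value) pairs from a reg export, undoing its backslash escaping."""
    entries = []
    for line in export_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            unescape = lambda s: re.sub(r'\\(.)', r'\1', s)
            entries.append((unescape(m['name']), unescape(m['value'])))
    return entries


def target_path(value):
    """Pull the executable path out of a Run value: "quoted path" args, or path args."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r'(?i)^(.*?\.exe)', value)
    return m.group(1) if m else value.split(' ')[0]


def suspicious_programdata_autostarts(export_text):
    """Flag Run entries whose executable lives in a ProgramData subfolder outside the allowlist."""
    findings = []
    for name, value in parse_run_entries(export_text):
        path = target_path(value)
        parts = path.lower().split('\\')
        # Layout described in the post: <drive>:\ProgramData\<random folder>\<random name>.exe
        if len(parts) >= 4 and parts[1] == 'programdata' and parts[2] not in KNOWN_PROGRAMDATA_DIRS:
            reason = 'autostart from ProgramData subfolder not in allowlist'
            stem = parts[-1].rsplit('.', 1)[0]
            if not re.search(r'[aeiou]', parts[2] + stem):  # weak randomness signal, not proof
                reason += '; folder and file names contain no vowels'
            findings.append((name, path, reason))
    return findings
```

Feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` from a host under review; the allowlist suppresses known vendors so only unexpected ProgramData autostarts remain.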
  #2
    Member (Join Date Aug 2015, Posts 7)
    Today is a sale day. If you buy today it is $500.
  #3
    pafke (Member, Join Date Nov 2010, Location Balkan, Posts 85)
    I know you from 0day...
    How big is bin?
  #4
    root (Boss, Join Date Dec 2009, Posts 244)
    Verified.
  #5
    Member (Join Date Aug 2015, Posts 7)
    2.2 MB; due to Tor we recommend always using a loader. Smoke, Andromeda and Gaudox are all tested and working; various customers use these.
  #6
    Member (Join Date Aug 2015, Posts 7)
    Or you can go and get Scylex. You can call that Sphinx 2.0 beta. Big budgets only.
  #7
    Dazlord (Junior Member, Join Date May 2009, Posts 15)
    Verified for selling? Anyone with feedback can post.
  #8
    root (Boss, Join Date Dec 2009, Posts 244)
    Verified for selling? Anyone with feedback can post.
    He will be back; please stay online and check regularly.
    If you are a serious buyer, send a PM to me.
  #9
    root (Boss, Join Date Dec 2009, Posts 244)
    Topic closed.
