
Decrypting traffic from twex.exe (a variant of Zeus Crimeware Suite)


I am working on a case where the client machine was infected with a variant of the following:

We traced it back to Zeus crimeware suite:

We are trying to ascertain what data was stolen, which can be gleaned from network traffic, malware storage files (local.ds, user.ds, and user.ds.lll), and system restore files created from previous instances of (local.ds, user.ds, and user.ds.lll), if only we could identify the encryption key.

Here are the hash values of the malware that we found, which I uploaded to this site:

We have looked into decryption methods of previous instances of this, but they do not work on this version. Has anyone had any luck with this?

Thanks in advance,



You can try to reverse/debug the malware with IDA and a debugger like Olly or Immunity...

Hello, please post a comment

Hello, please post a comment if you do not need the information anymore, but I will look at it tonight and let you know if I can recover keys.

Yes! Please!

Yes, we do need the info. I had one of our programmers look at it and try to debug it, but they could not find the key. If you could help, that would be great!



I just finished looking at

I just finished looking at it... Yeah... You won't find what you want.

This is far from small-time malware. If I had to take a guess, they are using advanced crypto (not stupid XORing or even simple symmetric keys).

If you really need the information you will need to pay some good people some good money and some time.

Sorry, I had no idea what this malware was and was hoping for a simple one-night project...

Encryption changed

The encryption changed to RC4, so you need to extract the 256-bit key from the binary. I can help you with that.
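
An added example (not code from this thread or from any Zeus analysis) of the decryption step described above: once the RC4 key has been pulled out of the binary, the captured traffic or the local.ds/user.ds stores can be run through plain RC4 and the result sanity-checked before anyone trusts it. It assumes a single RC4 layer with no further encoding on top; the key and record below are constructed stand-ins, not values from a real infection.

```python
from typing import List, Optional

def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: derive the 256-entry permutation S from the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: XOR data with the keystream. RC4 is symmetric, so this both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; stolen form posts and URLs score high."""
    if not data:
        return 0.0
    return sum(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data) / len(data)

def try_key(key: bytes, blob: bytes, threshold: float = 0.9) -> Optional[bytes]:
    """Decrypt blob with a candidate key; return plaintext only if it looks like real data."""
    plaintext = rc4_crypt(key, blob)
    return plaintext if printable_ratio(plaintext) >= threshold else None

# Constructed sample values for this example, not from any real infection.
SAMPLE_KEY = bytes(range(0x10, 0x30))            # 32 bytes = 256 bits, as the post describes
SAMPLE_PLAINTEXT = b"POST /login.php\r\nuser=alice&pass=hunter2\r\n"
SAMPLE_CIPHERTEXT = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(try_key(SAMPLE_KEY, SAMPLE_CIPHERTEXT))      # the constructed record
    print(try_key(b"wrong key", SAMPLE_CIPHERTEXT))    # None: garbage is not printable
```

A wrong key yields bytes that are only about 40% printable, so the threshold separates a correct extraction from a bad one without any knowledge of the record format.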

How can I contact you?

Hi tomac,

Is there any way I can contact you (email/IM/etc.)?


looking for samples


I'm looking for as many Zeus exes that have this feature as possible.

Contact me off list if you have any more :)