Researchers Center: Atmos Strategic Monitoring


SPYWARE.CITADEL.ATMOS

Sample: 380e8373f82579ef118430f2a21c889ccad1208c
SHA256: 042ff2b245d372e51b2c1015df652c184fdbfd1401c0a84c80aa2cff47dfc053
Request: Tayuya [2016/09/25 - 11:09:56]
Callback: t500is5n.bget.ru
Gate: http://t500is5n.bget.ru/fsgdfhdfhadfhadfhdhfdhadfghdfh/file.php|file=us.xml
Decryptor logs:
DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://t500is5n.bget.ru/fsgdfhdfhadfhadfhdhfdhadfghdfh/file.php|file=us.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[153, 42, 94, 157, 83, 187, 13, 107, 135, 133, 231, 90, 173, 82, 0, 165, 206, 26, 201, 76, 33, 188, 200, 30, 146, 198, 100, 39, 155, 89, 255, 105, 107, 108, 119, 56, 176, 228, 2, 111, 235, 22, 161, 210, 3, 2, 57, 152, 159, 212, 240, 149, 1, 226, 254, 19, 95, 245, 34, 100, 129, 227, 123, 115, 67, 84, 169, 127, 15, 147, 17, 122, 122, 88, 106, 141, 221, 237, 209, 37, 231, 242, 103, 80, 73, 124, 73, 11, 50, 218, 31, 95, 152, 128, 134, 175, 36, 104, 127, 87, 60, 240, 178, 178, 17, 21, 152, 161, 238, 127, 188, 108, 177, 167, 193, 1, 178, 60, 125, 52, 181, 96, 217, 112, 143, 197, 177, 119, 85, 56, 195, 3, 248, 155, 144, 196, 166, 229, 248, 118, 156, 94, 33, 45, 22, 132, 62, 61, 185, 186, 10, 215, 117, 10, 40, 169, 149, 28, 81, 218, 154, 232, 206, 226, 250, 151, 211, 142, 35, 169, 247, 75, 89, 231, 249, 113, 197, 213, 135, 117, 103, 134, 58, 42, 78, 139, 230, 70, 186, 76, 159, 171, 172, 1, 44, 249, 168, 125, 66, 250, 106, 111, 157, 243, 123, 135, 242, 236, 163, 66, 129, 18, 23, 241, 26, 135, 57, 251, 187, 200, 148, 110, 85, 253, 192, 249, 186, 191, 94, 143, 192, 170, 203, 225, 139, 59, 142, 201, 142, 205, 246, 165, 80, 244, 68, 202, 50, 47, 180, 11, 151, 93, 188, 20, 126, 147]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[220, 17, 213, 33, 181, 150, 116, 137, 171, 23, 235, 106, 235, 166, 145, 9]
Report:
{'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [153, 161, 166, 228, 181, 149, 67, 75, 240, 42, 81, 180, 151, 47, 82, 149, 152, 26, 201, 76, 33, 188, 200, 30, 146, 198, 100, 39, 155, 89, 255, 105, 107, 108, 119, 56, 176, 157, 2, 111, 235, 22, 42, 210, 3, 2, 57, 152, 159, 212, 135, 187, 1, 226, 254, 19, 95, 245, 34, 100, 129, 227, 123, 115, 13, 84, 169, 127, 15, 147, 17, 122, 122, 88, 106, 141, 221, 237, 209, 37, 231, 242, 103, 80, 73, 124, 73, 11, 50, 218, 31, 95, 152, 128, 134, 175, 36, 104, 127, 87, 60, 240, 178, 178, 17, 21, 206, 161, 238, 127, 188, 108, 177, 167, 193, 1, 178, 60, 125, 52, 83, 96, 217, 112, 143, 197, 177, 119, 85, 56, 195, 3, 248, 155, 144, 196, 94, 229, 248, 118, 156, 94, 33, 45, 22, 132, 62, 61, 185, 186, 10, 215, 117, 10, 40, 169, 165, 28, 231, 218, 154, 232, 206, 226, 250, 173, 211, 142, 35, 169, 247, 107, 89, 231, 249, 113, 197, 213, 135, 117, 103, 134, 58, 133, 78, 139, 230, 70, 186, 76, 159, 171, 172, 1, 44, 249, 168, 125, 66, 250, 106, 111, 157, 243, 123, 135, 242, 236, 163, 66, 129, 18, 23, 241, 26, 135, 57, 251, 187, 200, 148, 110, 85, 253, 192, 249, 186, 191, 94, 143, 192, 170, 203, 225, 139, 59, 142, 201, 142, 205, 246, 165, 80, 244, 68, 202, 50, 0, 90, 11, 151, 93, 188, 20, 126, 147], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://t500is5n.bget.ru/fsgdfhdfhadfhadfhdhfdhadfghdfh/file.php|file=us.xml'], 'base_config_hexed': '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', 'salt': '\xef\xcd\xc9\xf2'}
