|
||
Researchers Center: Atmos Strategic Monitoring |
SPYWARE.CITADEL.ATMOSSample: 74e7cd6c1499bc82e7d68ef3b1f840c30d3554d5SHA256: c850fde451c23c13206282b7ec42c66f5d353bb008078ac10430f13df07472eb Request: Tayuya [2016/08/15 - 00:08:00] Callback: socrd1dw.bget.ru Gate: http://socrd1dw.bget.ru/d0usd90f80sdf8sd8f08dsf8sd0f8/file.php|file=us.xml Decryptor logs: DEBUG:root:[*] get base config & several params DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0 DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534 DEBUG:root:[*] use RC4 key at (base config + 0x00000157) DEBUG:root:[*] found following xor key for AES plus: DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113] DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF DEBUG:root:C&C found: DEBUG:root:['http://socrd1dw.bget.ru/d0usd90f80sdf8sd8f08dsf8sd0f8/file.php|file=us.xml'] DEBUG:root:[*] try to unpack DEBUG:root:[*] decrypt data using following key: DEBUG:root:[88, 200, 128, 59, 80, 236, 48, 50, 42, 158, 51, 187, 68, 220, 9, 14, 193, 112, 98, 222, 188, 27, 140, 34, 96, 13, 124, 172, 214, 26, 75, 146, 237, 100, 16, 199, 253, 24, 122, 100, 224, 160, 178, 116, 255, 89, 179, 240, 93, 134, 47, 156, 210, 71, 155, 144, 61, 179, 147, 242, 77, 101, 114, 203, 30, 218, 65, 54, 167, 170, 218, 141, 56, 25, 193, 106, 86, 46, 224, 107, 187, 166, 30, 213, 213, 199, 175, 143, 145, 98, 136, 60, 26, 126, 134, 70, 57, 185, 27, 204, 105, 56, 169, 7, 34, 7, 41, 75, 161, 146, 251, 76, 24, 105, 227, 69, 67, 149, 28, 236, 166, 64, 126, 205, 107, 73, 195, 2, 150, 171, 243, 13, 7, 34, 81, 191, 164, 238, 67, 227, 94, 36, 232, 158, 120, 19, 31, 169, 128, 99, 63, 25, 192, 155, 199, 101, 229, 184, 208, 188, 184, 193, 172, 196, 131, 151, 234, 29, 52, 88, 131, 209, 36, 217, 221, 91, 119, 250, 167, 114, 13, 11, 89, 166, 33, 239, 88, 11, 155, 196, 42, 239, 197, 153, 222, 132, 251, 148, 214, 174, 218, 248, 37, 49, 134, 191, 138, 77, 199, 6, 121, 31, 65, 65, 19, 5, 149, 209, 3, 134, 190, 117, 15, 123, 151, 203, 99, 16, 247, 233, 236, 105, 154, 119, 161, 85, 14, 230, 112, 20, 142, 42, 102, 27, 90, 72, 201, 178, 116, 66, 242, 89, 220, 22, 45, 142] DEBUG:root:[*] try to AES+ decryption DEBUG:root:[*] use following AES key: DEBUG:root:[131, 99, 109, 234, 212, 214, 113, 61, 193, 63, 46, 235, 59, 120, 26, 181]Report: {'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [9, 218, 56, 13, 31, 239, 20, 100, 106, 119, 214, 5, 172, 178, 14, 88, 77, 112, 98, 222, 188, 27, 140, 34, 96, 13, 124, 68, 51, 26, 75, 146, 237, 50, 16, 199, 253, 24, 122, 100, 224, 160, 178, 116, 255, 89, 179, 240, 93, 134, 47, 156, 210, 71, 155, 144, 61, 179, 147, 242, 77, 101, 114, 203, 30, 218, 65, 54, 167, 170, 218, 141, 128, 25, 193, 42, 86, 46, 224, 107, 187, 166, 30, 213, 213, 199, 175, 143, 145, 98, 136, 60, 26, 126, 134, 70, 57, 185, 27, 204, 105, 56, 169, 7, 34, 7, 41, 75, 161, 146, 251, 76, 24, 105, 227, 69, 67, 149, 28, 236, 166, 64, 126, 205, 107, 73, 195, 2, 150, 171, 243, 59, 7, 34, 81, 191, 164, 238, 67, 227, 94, 36, 232, 158, 120, 19, 31, 169, 128, 99, 63, 25, 192, 155, 199, 101, 229, 184, 208, 188, 184, 193, 172, 196, 131, 151, 234, 29, 52, 88, 131, 209, 36, 217, 221, 91, 119, 250, 167, 114, 13, 11, 89, 166, 33, 239, 88, 11, 155, 196, 42, 236, 197, 153, 222, 132, 251, 148, 214, 174, 200, 248, 37, 49, 134, 191, 138, 193, 199, 6, 121, 80, 65, 65, 19, 187, 149, 209, 3, 134, 190, 117, 15, 123, 151, 203, 99, 16, 247, 233, 236, 105, 154, 158, 161, 85, 14, 230, 112, 48, 142, 42, 102, 27, 90, 72, 201, 220, 116, 66, 242, 89, 220, 22, 45, 142], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://socrd1dw.bget.ru/d0usd90f80sdf8sd8f08dsf8sd0f8/file.php|file=us.xml'], 'base_config_hexed': '1779e613a165c3d68a57206525ea7d55876e33a28be1a245191b8b04a748bb8eff9beac74341e2612f94e4ac9f9247af518d6277eb23acaf407122687474703a2f2f736f6372643164772e626765742e72752f64307573643930663830736466387364386630386473663873643066382f66696c652e7068707c66696c653d75732e786d6c0000000000000000000000000000000000000000000000000000005e728f5a04913d73939b38700e17421edc5e99d5cb971a0654e6ac1421e1dc6504000100eae533b948ea08d27439de457f30ed7802972f8f5fd2c340495b90e387702ac9f409f9cfcb0d983321c57ba6b391d5a2e2dab8fdfc477ebfbd346931166086363c000000a46eb0391ea46269ffe917fb7449fd78b4ada7368552b074017aa1a6090004005c731a8c72bcdbb7eca07c2cbfcc46270d6d0450a79facd7d12842c24566fa867a869dd525f72db8011eccddcb4cda58c8803b50ec30322a9e33bb44dc090ec17062debc1b8c22600d7cacd61a4b92ed6410c7fd187a64e0a0b274ff59b3f05d862f9cd2479b903db393f24d6572cb1eda4136a7aada8d3819c16a562ee06bbba61ed5d5c7af8f9162883c1a7e864639b91bcc6938a9072207294ba192fb4c1869e34543951ceca6407ecd6b49c30296abf30d072251bfa4ee43e35e24e89e78131fa980633f19c09bc765e5b8d0bcb8c1acc48397ea1d345883d124d9dd5b77faa7720d0b59a621ef580b9bc42aefc599de84fb94d6aedaf8253186bf8a4dc706791f4141130595d10386be750f7b97cb6310f7e9ec699a77a1550ee670148e2a661b5a48c9b27442f259dc162d8e52687474703a2f2f736f6372643164772e626765742e72752f64307573643930663830736466387364386630386473663873643066382f66696c652e7068707c66696c653d75732e786d6c00e159da891514e20ef85c7452773a0d35081af1353d1765d899791f4ba27cfb483754ef3c246d41aaf4f7f7ca07a29077e4a6f148cf07a2fc9f173a1bca3c18dac2f3543f8415f5876d5a65c5501b22cbc75cb54dc609e84476803491400800000040f2da5c94676d0c8ba4897d2c2bfa5942268f4aa69f79c67500730063006100000055d470fe2379949e5eb45e13cd43632a5581642f6339d4618fb895a379260374f7163321735b7c398e1d3742092dc4aae696ce01ca75cf65a60ad63d960e882a0a47643a235b4c5f60e2412079be6f8f8baf697b7622080004008bb94b72dab7d4928cb0fc200bf71b280416e49f6bbf8cf5bf062fe98fce6fa13d815efa02059e1d32000000c1e9081a078a1178c024318f570bbc726404b03773fc974d07faaf10de53499b771d6fddd2e5c9f077a5c2a5b9f0e6643c708e33b592c014f180519419504ca1347a989ced90d4af962986616e1f75671ffa53bd8bab9ff6c87ecad14b18040400eaca7de1f1fa5e289ac6e9fdfe3125168a45ff7eaffe9c95db63ee59a9f685e3554ea8347203a532dfca65eef7e1432808ae1e1506a3ad608164136ed52cb4e6a16d4606000300bee0dafeca704f6c5e5cd445d91956d22f57156a3236034010b76c7f1d70dc99d3853edb17d34146be687474703a2f2f736f6372643164772e626765742e72752f64307573643930663830736466387364386630386473663873643066382f66696c652e7068707c66696c653d75732e786d6c0000000000000000000000000000000000000000000000000000005a4a42af56c8b0ee4638e214de8bd3c2917b25a1b21f6699dabd934489dfdaa210a9a40eae69d370f97048b57f21a97cae47', 'salt': '\xef\xcd\xc9\xf2'}Tools: [Hybrid] [MDB] Download File |