Researchers Center: Atmos Strategic Monitoring
SPYWARE.CITADEL.ATMOS
Sample: 7e3f2de41d9f55dfec4c7165265d8a27363cf9c8
SHA256: e9272af4f11684ab52aaca4e5a4d8bbb45485f9586c62062c7769d9bf9a1d389
Request: Tayuya [2016/09/27 - 19:09:42]
Callback: 185.145.129.36
Gate: http://185.145.129.36/111/file.php|file=us.xml
Decryptor logs:
DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://185.145.129.36/111/file.php|file=us.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[188, 171, 78, 126, 32, 23, 84, 135, 124, 172, 152, 71, 123, 42, 176, 70, 116, 29, 111, 55, 53, 25, 28, 114, 73, 54, 228, 37, 118, 68, 215, 79, 172, 99, 23, 89, 64, 191, 17, 127, 167, 160, 41, 99, 38, 92, 102, 237, 84, 125, 223, 65, 250, 59, 116, 18, 157, 32, 243, 143, 8, 101, 53, 97, 180, 208, 50, 129, 158, 106, 80, 196, 110, 180, 183, 91, 93, 219, 179, 132, 91, 127, 131, 81, 150, 166, 14, 190, 200, 67, 200, 33, 217, 206, 95, 49, 209, 241, 25, 152, 56, 220, 133, 224, 145, 30, 138, 209, 253, 41, 19, 167, 19, 214, 197, 193, 144, 49, 35, 96, 77, 178, 24, 146, 183, 221, 217, 13, 163, 117, 230, 92, 196, 193, 238, 1, 204, 87, 5, 48, 44, 105, 196, 41, 71, 186, 21, 4, 54, 15, 45, 163, 137, 126, 20, 112, 216, 145, 107, 0, 67, 201, 98, 20, 232, 162, 143, 234, 16, 72, 221, 217, 192, 212, 245, 145, 251, 215, 154, 61, 224, 13, 117, 77, 182, 76, 202, 52, 213, 95, 85, 101, 63, 17, 222, 162, 152, 235, 51, 245, 78, 109, 105, 60, 211, 69, 232, 62, 184, 176, 148, 238, 90, 31, 123, 232, 59, 189, 124, 36, 119, 55, 153, 105, 164, 58, 210, 
16, 231, 135, 96, 86, 25, 190, 27, 3, 248, 231, 1, 14, 49, 8, 60, 5, 215, 97, 103, 24, 129, 43, 165, 249, 143, 200, 190, 202]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[235, 240, 116, 4, 41, 124, 215, 107, 134, 21, 47, 187, 15, 211, 251, 43]
Report: {'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [188, 217, 84, 96, 163, 124, 43, 87, 245, 215, 180, 123, 71, 59, 135, 99, 0, 29, 111, 55, 53, 25, 28, 114, 73, 54, 228, 37, 118, 68, 215, 79, 172, 99, 23, 89, 64, 191, 17, 127, 167, 160, 41, 70, 38, 92, 102, 237, 84, 125, 223, 65, 250, 42, 116, 18, 157, 32, 243, 143, 8, 101, 53, 97, 180, 208, 50, 129, 158, 106, 80, 196, 110, 152, 183, 91, 93, 219, 179, 132, 91, 127, 131, 81, 150, 166, 14, 190, 200, 67, 200, 33, 217, 206, 95, 49, 209, 241, 25, 152, 56, 220, 133, 224, 145, 30, 138, 209, 253, 41, 19, 167, 19, 214, 197, 193, 144, 49, 35, 126, 77, 178, 24, 146, 183, 221, 217, 13, 163, 117, 230, 92, 196, 193, 238, 1, 204, 135, 5, 48, 44, 105, 196, 41, 71, 186, 21, 4, 54, 15, 45, 32, 137, 126, 20, 112, 216, 145, 107, 116, 67, 201, 98, 20, 232, 162, 143, 234, 16, 72, 221, 171, 192, 212, 23, 145, 251, 172, 154, 61, 224, 13, 117, 77, 182, 76, 202, 52, 213, 95, 85, 101, 63, 17, 222, 162, 152, 235, 51, 245, 78, 109, 105, 60, 211, 69, 232, 62, 184, 176, 148, 238, 90, 31, 123, 232, 59, 189, 124, 36, 119, 55, 153, 105, 164, 58, 210, 16, 231, 176, 96, 86, 25, 190, 27, 3, 248, 231, 1, 14, 49, 8, 60, 5, 215, 97, 103, 24, 129, 78, 165, 249, 143, 200, 190, 202], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://185.145.129.36/111/file.php|file=us.xml'], 'base_config_hexed': 
'1779e613a165c3d68a57206525ea7d55876e33a28be1a245191b8b04a748bb8eff9beac74341e2612f94e4ac9f9247af518d6277eb23acaf407122687474703a2f2f3138352e3134352e3132392e33362f3131312f66696c652e7068707c66696c653d75732e786d6c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005e728f5a04913d73939b38700e17421edc5e99d5cb971a0654e6ac1421e1dc6504000100eae533b948ea08d27439de457f30ed7802972f8f5fd2c340495b90e387702ac9f409f9cfcb0d983321c57ba6b391d5a2e2dab8fdfc477ebfbd346931166086363c000000a46eb0391ea46269ffe917fb7449fd78b4ada7368552b074017aa1a6090004005c731a8c72bcdbb7eca07c2cbfcc46270d6d0450a79facd7d12842c24566fa867a869dd525f72db8011eccddcb4cdabcab4e7e201754877cac98477b2ab046741d6f3735191c724936e4257644d74fac63175940bf117fa7a02963265c66ed547ddf41fa3b74129d20f38f08653561b4d032819e6a50c46eb4b75b5ddbb3845b7f835196a60ebec843c821d9ce5f31d1f1199838dc85e0911e8ad1fd2913a713d6c5c1903123604db21892b7ddd90da375e65cc4c1ee01cc5705302c69c42947ba1504360f2da3897e1470d8916b0043c96214e8a28fea1048ddd9c0d4f591fbd79a3de00d754db64cca34d55f55653f11dea298eb33f54e6d693cd345e83eb8b094ee5a1f7be83bbd7c2477379969a43ad210e787605619be1b03f8e7010e31083c05d7616718812ba5f98fc8beca52687474703a2f2f3138352e3134352e3132392e33362f3131312f66696c652e7068707c66696c653d75732e786d6c002f806fead280f3137a59313e8cafcdcfe8b2c911bd9ffad8a189b865e159da891514e20ef85c7452773a0d35081af1353d1765d899791f4ba27cfb483754ef3c246d41aaf4f7f7ca07a29077e4a6f148cf07a2fc9f173a1bca3c18dac2f3543f8415f5876d5a65c5501b22cbc75cb54dc609e84476803491400800000040f2da5c94676d0c8ba4897d2c2bfa5942268f4aa69f79c67500730063006100000055d470fe2379949e5eb45e13cd43632a5581642f6339d4618fb895a379260374f7163321735b7c398e1d3742092dc4aae696ce01ca75cf65a60ad63d960e882a0a47643a235b4c5f60e2412079be6f8f8baf697b7622080004008bb94b72dab7d4928cb0fc200bf71b280416e49f6bbf8cf5bf062fe98fce6fa13d815efa02059e1d32000000c1e9081a078a1178c024318f570bbc726404b03773fc974d07faaf10de53499b771d6fddd2e5c9f077a5c2a5b9f0e6643c708e33b592c014f180519
419504ca1347a989ced90d4af962986616e1f75671ffa53bd8bab9ff6c87ecad14b58000000eaca7de1f1fa5e289ac6e9fdfe3125168a45ff7eaffe9c95db63ee59a9f685e3554ea8347203a532dfca65eef7e1432808ae1e1506a3ad608164136ed52cb4e6a16d4606000300bee0dafeca704f6c5e5cd445d91956d22f57156a3236034010b76c7f1d70dc99d3853edb17d34146be687474703a2f2f3138352e3134352e3132392e33362f3131312f66696c652e7068707c66696c653d75732e786d6c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005a4a42af56c8b0ee4638e214de8bd3c2917b25a1b21f6699dabd934489dfdaa210a9a40eae69d370f97048b57f21a97cae47', 'salt': '\xef\xcd\xc9\xf2'}Tools: [Hybrid] [MDB] Download File |