Researchers Center: Atmos Strategic Monitoring


SPYWARE.CITADEL.ATMOS

 Sample: 87fa4298dd836503e34c5385b2d643b0bf7c74ff
SHA256: b7075ab54545145765523bf61d2ccd76f0adc03154ba36cd641fd97cc4cfc560
Request: Tayuya [2016/09/05 - 23:09:24]
Callback: envatodevt.temp.swtest.ru
Gate: http://envatodevt.temp.swtest.ru/admin/file.php|file=us.xml
Decryptor logs:
DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://envatodevt.temp.swtest.ru/admin/file.php|file=us.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[208, 214, 220, 38, 215, 13, 155, 117, 237, 122, 198, 92, 246, 18, 147, 194, 130, 106, 23, 166, 28, 175, 83, 242, 213, 4, 255, 102, 32, 138, 61, 43, 65, 54, 181, 170, 17, 248, 194, 113, 5, 110, 90, 52, 249, 220, 215, 69, 147, 155, 95, 159, 230, 107, 137, 10, 153, 32, 59, 54, 85, 237, 163, 153, 236, 195, 209, 101, 177, 149, 97, 19, 18, 65, 216, 120, 50, 85, 58, 189, 57, 154, 88, 40, 179, 56, 87, 45, 247, 15, 113, 26, 24, 168, 139, 221, 176, 222, 96, 171, 45, 94, 8, 212, 168, 203, 167, 133, 167, 247, 49, 162, 155, 159, 107, 72, 161, 31, 80, 71, 148, 19, 164, 31, 99, 51, 218, 79, 51, 236, 73, 89, 146, 197, 184, 251, 207, 0, 30, 240, 187, 212, 169, 75, 184, 213, 143, 98, 92, 55, 129, 217, 243, 232, 188, 193, 121, 40, 21, 187, 239, 150, 170, 41, 195, 210, 7, 119, 221, 162, 241, 125, 111, 170, 110, 213, 116, 171, 50, 188, 30, 64, 47, 35, 172, 113, 153, 231, 227, 182, 124, 197, 253, 230, 120, 172, 203, 77, 224, 122, 210, 176, 75, 228, 242, 251, 3, 250, 198, 254, 142, 34, 95, 6, 240, 13, 22, 196, 37, 67, 112, 199, 235, 247, 144, 88, 127, 254, 138, 218, 43, 138, 63, 11, 232, 129, 78, 252, 195, 9, 254, 151, 38, 155, 174, 87, 41, 224, 56, 188, 183, 106, 191, 112, 12, 68]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[207, 209, 184, 201, 172, 163, 154, 54, 222, 1, 183, 84, 74, 20, 166, 19]
Report:
{'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [208, 240, 50, 22, 213, 227, 45, 242, 113, 159, 188, 56, 120, 168, 254, 220, 230, 106, 23, 166, 28, 175, 83, 242, 213, 4, 255, 102, 32, 138, 61, 43, 65, 54, 181, 170, 17, 248, 194, 113, 5, 110, 90, 52, 249, 220, 215, 69, 147, 155, 95, 122, 130, 107, 137, 10, 153, 32, 59, 54, 85, 237, 163, 153, 236, 195, 209, 101, 177, 149, 97, 19, 18, 65, 216, 246, 50, 85, 58, 189, 57, 154, 88, 40, 179, 92, 87, 155, 247, 15, 113, 26, 24, 18, 139, 221, 176, 222, 96, 171, 45, 94, 8, 212, 168, 203, 167, 133, 167, 247, 49, 162, 155, 159, 107, 72, 161, 31, 80, 71, 148, 19, 164, 31, 99, 51, 218, 79, 51, 236, 73, 89, 146, 197, 184, 251, 207, 0, 30, 240, 187, 212, 169, 75, 184, 213, 143, 98, 92, 55, 129, 217, 243, 232, 188, 193, 121, 40, 21, 187, 239, 150, 170, 41, 195, 210, 7, 119, 221, 162, 241, 125, 111, 170, 110, 215, 116, 171, 194, 188, 30, 64, 47, 35, 172, 237, 153, 231, 13, 182, 124, 197, 253, 230, 120, 172, 203, 77, 224, 122, 210, 176, 75, 228, 117, 251, 3, 250, 198, 254, 142, 34, 95, 6, 214, 13, 38, 196, 37, 67, 112, 199, 235, 247, 144, 88, 127, 254, 138, 218, 43, 138, 63, 11, 232, 129, 78, 252, 195, 9, 147, 151, 38, 155, 174, 87, 41, 224, 56, 198, 183, 106, 191, 112, 12, 68], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://envatodevt.temp.swtest.ru/admin/file.php|file=us.xml'], 'base_config_hexed': '1779e613a165c3d68a57206525ea7d55876e33a28be1a245191b8b04a748bb8eff9beac74341e2612f94e4ac9f9247af518d6277eb23acaf407122687474703a2f2f656e7661746f646576742e74656d702e7377746573742e72752f61646d696e2f66696c652e7068707c66696c653d75732e786d6c0000000000000000000000000000000000000000000000000000000000000000000000000000000000005e728f5a04913d73939b38700e17421edc5e99d5cb971a0654e6ac1421e1dc6504000100eae533b948ea08d27439de457f30ed7802972f8f5fd2c340495b90e387702ac9f409f9cfcb0d983321c57ba6b391d5a2e2dab8fdfc477ebfbd346931166086363c000000a46eb0391ea46269ffe917fb7449fd78b4ada7368552b074017aa1a6090004005c731a8c72bcdbb7eca07c2cbfcc46270d6d0450a79facd7d12842c24566fa867a869dd525f72db8011eccddcb4cdad0d6dc26d70d9b75ed7ac65cf61293c2826a17a61caf53f2d504ff66208a3d2b4136b5aa11f8c271056e5a34f9dcd745939b5f9fe66b890a99203b3655eda399ecc3d165b19561131241d87832553abd399a5828b338572df70f711a18a88bddb0de60ab2d5e08d4a8cba785a7f731a29b9f6b48a11f50479413a41f6333da4f33ec495992c5b8fbcf001ef0bbd4a94bb8d58f625c3781d9f3e8bcc1792815bbef96aa29c3d20777dda2f17d6faa6ed574ab32bc1e402f23ac7199e7e3b67cc5fde678accb4de07ad2b04be4f2fb03fac6fe8e225f06f00d16c4254370c7ebf790587ffe8ada2b8a3f0be8814efcc309fe97269bae5729e038bcb76abf700c4452687474703a2f2f656e7661746f646576742e74656d702e7377746573742e72752f61646d696e2f66696c652e7068707c66696c653d75732e786d6c00afcdcfe8b2c911bd9ffad8a189b865e159da891514e20ef85c7452773a0d35081af1353d1765d899791f4ba27cfb483754ef3c246d41aaf4f7f7ca07a29077e4a6f148cf07a2fc9f173a1bca3c18dac2f3543f8415f5876d5a65c5501b22cbc75cb54dc609e84476803491400800000040f2da5c94676d0c8ba4897d2c2bfa5942268f4aa69f79c67500730063006100000055d470fe2379949e5eb45e13cd43632a5581642f6339d4618fb895a379260374f7163321735b7c398e1d3742092dc4aae696ce01ca75cf65a60ad63d960e882a0a47643a235b4c5f60e2412079be6f8f8baf697b7622080004008bb94b72dab7d4928cb0fc200bf71b280416e49f6bbf8cf5bf062fe98fce6fa13d815efa02059e1d32000000c1e9081a078a1178c024318f570bbc726404b03773fc974d07faaf10de53499b771d6fddd2e5c9f077a5c2a5b9f0e6643c708e33b592c014f180519419504ca1347a989ced90d4af962986616e1f75671ffa53bd8bab9ff6c87ecad14b18040400eaca7de1f1fa5e289ac6e9fdfe3125168a45ff7eaffe9c95db63ee59a9f685e3554ea8347203a532dfca65eef7e1432808ae1e1506a3ad608164136ed52cb4e6a16d4606000300bee0dafeca704f6c5e5cd445d91956d22f57156a3236034010b76c7f1d70dc99d3853edb17d34146be687474703a2f2f656e7661746f646576742e74656d702e7377746573742e72752f61646d696e2f66696c652e7068707c66696c653d75732e786d6c0000000000000000000000000000000000000000000000000000000000000000000000000000000000005a4a42af56c8b0ee4638e214de8bd3c2917b25a1b21f6699dabd934489dfdaa210a9a40eae69d370f97048b57f21a97cae47', 'salt': '\xef\xcd\xc9\xf2'}
Tools: [Hybrid] [MDB]

Download File