Researchers Center: Atmos Strategic Monitoring


SPYWARE.CITADEL.ATMOS

Sample: a6c66eaed52e96a48c39997c18970fed78a50210
SHA256: eb67512a15416e4ea0f07b8a480028d1f539d9186d0710c371196265042bb4e7
Request: Tayuya [2016/12/17 - 20:12:40]
Callback: www.donttrustbitches.tk
Gate: http://www.donttrustbitches.tk/file.php|file=us.xml
Decryptor logs:
DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://www.donttrustbitches.tk/file.php|file=us.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[245, 23, 36, 194, 53, 21, 0, 160, 15, 226, 71, 34, 75, 58, 211, 197, 132, 28, 54, 131, 68, 234, 7, 38, 109, 209, 97, 128, 219, 76, 151, 187, 2, 123, 173, 105, 158, 210, 194, 153, 26, 25, 14, 113, 185, 177, 118, 144, 164, 68, 252, 148, 246, 121, 114, 28, 183, 95, 75, 123, 115, 40, 45, 109, 94, 14, 19, 206, 236, 172, 198, 223, 197, 82, 201, 117, 234, 155, 218, 73, 243, 83, 43, 212, 96, 10, 230, 136, 240, 39, 113, 192, 31, 77, 24, 179, 128, 47, 60, 145, 76, 87, 21, 188, 250, 245, 42, 167, 190, 187, 145, 96, 162, 140, 87, 157, 251, 211, 168, 186, 41, 98, 181, 226, 35, 205, 180, 63, 140, 143, 117, 85, 167, 101, 139, 54, 101, 241, 96, 244, 210, 31, 64, 114, 212, 90, 10, 120, 121, 126, 126, 0, 184, 148, 214, 118, 52, 217, 215, 239, 111, 41, 243, 240, 71, 70, 130, 14, 133, 175, 55, 92, 178, 198, 199, 16, 153, 153, 192, 74, 91, 45, 37, 98, 124, 181, 49, 32, 17, 146, 33, 190, 64, 162, 90, 156, 193, 62, 62, 154, 230, 26, 128, 78, 196, 93, 153, 139, 252, 119, 66, 174, 223, 160, 129, 231, 57, 111, 184, 2, 95, 0, 209, 130, 10, 199, 205, 222, 27, 18, 158, 233, 25, 195, 246, 45, 144, 221, 31, 51, 244, 107, 89, 161, 58, 34, 110, 101, 84, 231, 157, 23, 189, 114, 15, 200]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[7, 173, 27, 226, 104, 155, 191, 112, 90, 51, 79, 41, 250, 125, 179, 232]
Report:
{'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [245, 38, 123, 114, 252, 223, 21, 233, 110, 57, 187, 14, 210, 62, 148, 24, 205, 28, 54, 131, 68, 234, 7, 23, 109, 209, 97, 128, 219, 76, 151, 71, 2, 123, 173, 105, 158, 210, 194, 153, 26, 25, 14, 113, 185, 177, 118, 144, 164, 68, 53, 148, 246, 121, 114, 28, 183, 95, 75, 36, 115, 40, 45, 109, 94, 34, 19, 206, 236, 172, 198, 0, 197, 82, 201, 117, 234, 155, 218, 73, 243, 83, 43, 212, 96, 10, 230, 136, 240, 39, 113, 192, 31, 77, 197, 179, 128, 47, 60, 145, 76, 87, 21, 188, 250, 245, 42, 167, 190, 187, 145, 96, 162, 140, 87, 157, 251, 211, 168, 186, 41, 98, 181, 226, 35, 205, 180, 63, 140, 143, 117, 85, 167, 101, 139, 54, 101, 241, 96, 244, 75, 31, 64, 114, 212, 90, 10, 120, 121, 126, 126, 0, 184, 211, 214, 118, 52, 217, 215, 239, 111, 41, 243, 240, 71, 70, 130, 14, 133, 175, 55, 92, 178, 198, 199, 16, 153, 153, 192, 74, 91, 45, 37, 98, 124, 181, 49, 32, 17, 146, 33, 190, 64, 162, 90, 156, 193, 62, 58, 154, 230, 26, 128, 78, 196, 93, 153, 139, 252, 119, 66, 174, 223, 160, 129, 231, 226, 111, 184, 2, 95, 0, 209, 130, 10, 199, 132, 222, 27, 18, 158, 160, 25, 195, 246, 45, 144, 221, 31, 51, 244, 107, 89, 161, 58, 34, 15, 101, 84, 231, 157, 23, 189, 194, 15, 200], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://www.donttrustbitches.tk/file.php|file=us.xml'], 'base_config_hexed': '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', 'salt': '\xef\xcd\xc9\xf2', 'remote_config': {}}
