Researchers Center: Atmos Strategic Monitoring
SPYWARE.CITADEL.ATMOS
Sample: b7f5115036adb79e788df1e451538bb24383b4fa
SHA256: cb263b292758cbb56ee9d052b7971c1e1d7b345bf7c1ff77240dc6e8314160a3
Request: Tayuya [2017/11/17 - 16:11:17]
Callback: 193.0.178.194
Gate: http://193.0.178.194/u2bzUNCwdNXU/file.php|file=usa.xml
Decryptor logs:
DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://193.0.178.194/u2bzUNCwdNXU/file.php|file=usa.xml', 'http://freeresv.ru/u2bzUNCwdNXU/file.php|file=usa.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[26, 193, 63, 139, 168, 131, 255, 221, 118, 20, 41, 120, 147, 164, 102, 21, 128, 149, 79, 151, 222, 251, 104, 64, 40, 32, 184, 74, 135, 215, 72, 167, 17, 48, 43, 212, 58, 22, 93, 160, 6, 179, 125, 122, 4, 198, 225, 34, 121, 89, 253, 39, 39, 150, 236, 127, 179, 174, 143, 83, 148, 143, 150, 56, 182, 46, 194, 97, 46, 222, 119, 198, 93, 160, 191, 36, 105, 95, 64, 206, 16, 66, 214, 24, 115, 11, 197, 99, 70, 165, 200, 224, 173, 103, 235, 181, 21, 87, 23, 94, 176, 23, 84, 0, 215, 246, 83, 109, 203, 113, 229, 211, 64, 25, 10, 88, 245, 152, 33, 55, 237, 161, 128, 13, 213, 15, 153, 194, 231, 75, 47, 25, 236, 120, 130, 142, 195, 61, 232, 177, 194, 40, 101, 227, 44, 64, 113, 175, 211, 182, 185, 132, 172, 175, 42, 58, 133, 71, 224, 79, 84, 157, 26, 231, 72, 126, 91, 144, 119, 125, 162, 73, 92, 187, 100, 192, 166, 24, 103, 32, 185, 2, 195, 133, 30, 27, 81, 60, 12, 74, 131, 100, 210, 104, 147, 108, 83, 192, 209, 161, 106, 59, 157, 69, 158, 195, 36, 10, 255, 16, 
179, 215, 35, 124, 137, 176, 116, 196, 129, 222, 56, 203, 254, 186, 226, 166, 204, 7, 45, 84, 111, 131, 34, 190, 117, 228, 221, 121, 230, 118, 114, 123, 4, 235, 239, 110, 234, 233, 14, 101, 231, 18, 20, 210, 243, 172]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[156, 231, 121, 172, 37, 25, 14, 96, 224, 57, 120, 130, 124, 32, 145, 81]
Report:
{'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [63, 104, 26, 177, 39, 195, 2, 113, 118, 135, 222, 74, 16, 239, 200, 211, 118, 149, 79, 151, 222, 251, 104, 64, 40, 32, 184, 74, 20, 215, 72, 167, 17, 48, 43, 212, 58, 22, 93, 160, 6, 179, 125, 122, 4, 198, 225, 34, 121, 89, 253, 168, 39, 150, 236, 127, 179, 174, 143, 83, 148, 143, 150, 56, 182, 46, 194, 97, 46, 41, 119, 198, 93, 160, 191, 36, 105, 95, 64, 206, 147, 66, 214, 24, 115, 11, 197, 99, 70, 165, 102, 224, 173, 103, 235, 181, 21, 87, 23, 94, 176, 23, 84, 0, 215, 246, 83, 109, 203, 113, 229, 21, 64, 25, 10, 88, 245, 152, 33, 55, 237, 161, 128, 13, 213, 15, 153, 194, 231, 75, 47, 25, 236, 120, 130, 142, 195, 61, 232, 139, 194, 40, 101, 227, 44, 64, 221, 175, 211, 182, 185, 132, 172, 175, 42, 58, 133, 71, 224, 79, 84, 157, 26, 231, 72, 126, 91, 144, 119, 125, 162, 73, 92, 187, 100, 192, 166, 24, 103, 32, 185, 255, 131, 133, 30, 27, 81, 60, 12, 120, 131, 100, 210, 193, 147, 108, 83, 192, 209, 161, 106, 59, 157, 69, 158, 195, 36, 10, 255, 16, 179, 215, 35, 124, 137, 176, 116, 196, 129, 222, 56, 203, 254, 186, 226, 166, 204, 7, 45, 84, 111, 131, 34, 190, 117, 228, 221, 121, 230, 128, 114, 123, 4, 235, 164, 110, 234, 233, 14, 101, 231, 18, 20, 210, 243, 172], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://193.0.178.194/u2bzUNCwdNXU/file.php|file=usa.xml', 'http://freeresv.ru/u2bzUNCwdNXU/file.php|file=usa.xml'], 'base_config_hexed': 
'1779e613a165c3d68a57206525ea7d55876e33a28be1a245191b8b04a748bb8eff9beac74341e2612f94e4ac9f9247af518d6277eb23acaf407122687474703a2f2f66726565726573762e72752f7532627a554e4377644e58552f66696c652e7068707c66696c653d7573612e786d6c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005e728f5a04913d73939b38700e17421edc5e99d5cb971a0654e6ac1421e1dc6504000100eae533b948ea08d27439de457f30ed7802972f8f5fd2c340495b90e387702ac9f409f9cfcb0d983321c57ba6b391d5a2e2dab8fdfc477ebfbd346931166086363c000000a46eb0391ea46269ffe917fb7449fd78b4ada7368552b074017aa1a6050002005c731a8c72bcdbb7eca07c2cbfcc46270d6d0450a79facd7d12842c24566fa867a869dd525f72db8011eccddcb4cda1ac13f8ba883ffdd7614297893a4661580954f97defb68402820b84a87d748a711302bd43a165da006b37d7a04c6e1227959fd272796ec7fb3ae8f53948f9638b62ec2612ede77c65da0bf24695f40ce1042d618730bc56346a5c8e0ad67ebb51557175eb0175400d7f6536dcb71e5d340190a58f5982137eda1800dd50f99c2e74b2f19ec78828ec33de8b1c22865e32c4071afd3b6b984acaf2a3a8547e04f549d1ae7487e5b90777da2495cbb64c0a6186720b902c3851e1b513c0c4a8364d268936c53c0d1a16a3b9d459ec3240aff10b3d7237c89b074c481de38cbfebae2a6cc072d546f8322be75e4dd79e676727b04ebef6eeae90e65e71214d2f3ac52687474703a2f2f3139332e302e3137382e3139342f7532627a554e4377644e58552f66696c652e7068707c66696c653d7573612e786d6c0059313e8cafcdcfe8b2c911bd9ffad8a189b865e159da891514e20ef85c7452773a0d35081af1353d1765d899791f4ba27cfb483754ef3c246d41aaf4f7f7ca07a29077e4a6f148cf07a2fc9f173a1bca3c18dac2f3543f8415f5876d5a65c5501b22cbc75cb54dc609e84476803491400200000040f2da5c94676d0c8ba4897d2c2bfa5942268f4aa69f79c6760061006c006900640020006e006500770000005e13cd43632a5581642f6339d4618fb895a379260374f7163321735b7c398e1d3742092dc4aae696ce01ca75cf65a60ad63d960e882a0a47643a235b4c5f60e2412079be6f8f8baf697b7622010002008bb94b72dab7d4928cb0fc200bf71b280416e49f6bbf8cf5bf062fe98fce6fa13d815efa02059e1d32000000c1e9081a078a1178c024318f570bbc726404b03773fc974d07faaf10de53499b771d6fddd2e5c9f077a5c2a5b9f0e6643c708e33b592c014f180519
419504ca1347a989ced90d4af962986616e1f75671ffa53bd8bab9ff6c87ecad14f58000000eaca7de1f1fa5e289ac6e9fdfe3125168a45ff7eaffe9c95db63ee59a9f685e3554ea8347203a532dfca65eef7e1432808ae1e1506a3ad608164136ed52cb4e6a16d4603000100bee0dafeca704f6c5e5cd445d91956d22f57156a3236034010b76c7f1d70dc99d3853edb17d34146be00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005a4a42af56c8b0ee4638e214de8bd3c2917b25a1b21f6699dabd934489dfdaa210a9a40eae69d370f97048b57f21a97cae47', 'salt': 'xefxcdxc9xf2', 'remote_config': {}}Tools: [Hybrid] [MDB] Download File |