|
||
Researchers Center: Atmos Strategic Monitoring |
SPYWARE.CITADEL.ATMOSSample: c334de5d49db49bbce8498b0cbd52365423c7a58SHA256: 257f81b86b92bf9953062ad5af2c2c6c0fc130b5f5520ca34ea91e7ab1c26b62 Request: Tayuya [2017/04/05 - 22:04:04] Callback: 31.201.140.167:888 Gate: http://31.201.140.167:888/webadmin/file.php|file=usagold.xml Decryptor logs: DEBUG:root:[*] get base config & several params DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0 DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534 DEBUG:root:[*] use RC4 key at (base config + 0x00000157) DEBUG:root:[*] found following xor key for AES plus: DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113] DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF DEBUG:root:C&C found: DEBUG:root:['http://31.201.140.167:888/webadmin/file.php|file=usagold.xml'] DEBUG:root:[*] try to unpack DEBUG:root:[*] decrypt data using following key: DEBUG:root:[52, 34, 211, 148, 151, 3, 242, 13, 82, 60, 126, 119, 58, 32, 49, 231, 65, 99, 123, 65, 116, 97, 184, 35, 3, 20, 176, 157, 107, 76, 24, 158, 235, 226, 201, 79, 169, 169, 200, 29, 85, 72, 33, 42, 177, 55, 101, 125, 192, 162, 209, 77, 251, 28, 20, 245, 67, 21, 62, 146, 134, 225, 118, 1, 86, 50, 125, 201, 21, 86, 218, 145, 148, 214, 150, 181, 157, 183, 226, 209, 100, 156, 156, 84, 23, 242, 36, 247, 119, 245, 199, 226, 184, 89, 65, 99, 131, 5, 80, 190, 212, 56, 107, 57, 228, 52, 214, 30, 19, 51, 253, 193, 136, 193, 122, 164, 242, 208, 83, 88, 139, 23, 86, 235, 83, 64, 95, 155, 125, 210, 222, 139, 95, 39, 10, 214, 93, 212, 154, 171, 62, 105, 51, 67, 1, 46, 189, 221, 17, 121, 175, 187, 161, 165, 52, 51, 243, 102, 180, 244, 222, 88, 16, 15, 101, 221, 59, 186, 28, 181, 48, 216, 2, 197, 67, 22, 51, 41, 32, 102, 241, 243, 88, 175, 63, 37, 223, 217, 196, 238, 119, 11, 79, 239, 6, 174, 193, 237, 43, 92, 182, 182, 134, 7, 224, 154, 241, 251, 81, 184, 120, 19, 121, 12, 143, 196, 191, 142, 105, 204, 47, 120, 85, 38, 92, 153, 76, 184, 230, 134, 164, 105, 219, 14, 243, 241, 202, 251, 188, 45, 122, 205, 151, 205, 54, 81, 231, 246, 135, 157, 18, 197, 189, 66, 55, 211] DEBUG:root:[*] try to AES+ decryption DEBUG:root:[*] use following AES key: DEBUG:root:[222, 235, 9, 120, 206, 37, 51, 168, 27, 240, 252, 230, 30, 12, 214, 132]Report: {'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [52, 201, 81, 212, 235, 79, 97, 34, 242, 51, 101, 221, 38, 211, 192, 35, 119, 99, 123, 65, 116, 242, 184, 231, 3, 20, 176, 157, 107, 76, 24, 158, 151, 226, 13, 3, 169, 169, 200, 29, 85, 72, 33, 42, 177, 55, 126, 125, 49, 162, 209, 77, 251, 28, 20, 245, 67, 21, 62, 146, 134, 225, 118, 1, 86, 50, 125, 201, 21, 86, 218, 145, 148, 214, 150, 181, 157, 183, 226, 209, 100, 156, 156, 84, 23, 242, 36, 247, 65, 245, 199, 226, 184, 89, 65, 99, 131, 5, 80, 190, 212, 56, 107, 57, 228, 52, 214, 30, 19, 51, 253, 193, 136, 193, 122, 164, 82, 208, 83, 88, 139, 23, 86, 235, 83, 64, 95, 155, 125, 210, 222, 139, 95, 39, 10, 214, 93, 148, 154, 171, 62, 105, 51, 67, 1, 46, 189, 221, 17, 121, 175, 187, 161, 165, 52, 51, 243, 102, 180, 244, 222, 88, 16, 15, 101, 119, 59, 186, 28, 181, 48, 216, 2, 197, 67, 22, 60, 41, 32, 102, 241, 243, 88, 175, 63, 37, 223, 217, 196, 238, 119, 11, 79, 239, 6, 174, 193, 237, 43, 92, 182, 182, 134, 7, 224, 154, 241, 251, 81, 184, 120, 19, 121, 12, 143, 196, 191, 142, 105, 204, 47, 120, 85, 58, 92, 153, 76, 184, 230, 134, 164, 105, 219, 14, 243, 241, 202, 251, 188, 45, 122, 205, 151, 205, 54, 211, 231, 246, 135, 157, 18, 197, 189, 66, 55, 32], 'z': 116}, 'xor_key': '>Jxbbx01x84x1bxb2x98x12+xb5xefxb1xbexd1q', 'urls': ['http://31.201.140.167:888/webadmin/file.php|file=usagold.xml'], 'base_config_hexed': '1779e613a165c3d68a57206525ea7d55876e33a28be1a245191b8b04a748bb8eff9beac74341e2612f94e4ac9f9247af518d6277eb23acaf407122687474703a2f2f33312e3230312e3134302e3136373a3838382f77656261646d696e2f66696c652e7068707c66696c653d757361676f6c642e786d6c00000000000000000000000000000000000000000000000000000000000000000000000000000000005e728f5a04913d73939b38700e17421edc5e99d5cb971a0654e6ac1421e1dc6504000100eae533b948ea08d27439de457f30ed7802972f8f5fd2c340495b90e387702ac9f409f9cfcb0d983321c57ba6b391d5a2e2dab8fdfc477ebfbd346931166086363c000000a46eb0391ea46269ffe917fb7449fd78b4ada7368552b074017aa1a6090004005c731a8c72bcdbb7eca07c2cbfcc46270d6d0450a79facd7d12842c24566fa867a869dd525f72db8011eccddcb4cda3422d3949703f20d523c7e773a2031e741637b417461b8230314b09d6b4c189eebe2c94fa9a9c81d5548212ab137657dc0a2d14dfb1c14f543153e9286e1760156327dc91556da9194d696b59db7e2d1649c9c5417f224f777f5c7e2b8594163830550bed4386b39e434d61e1333fdc188c17aa4f2d053588b1756eb53405f9b7dd2de8b5f270ad65dd49aab3e693343012ebddd1179afbba1a53433f366b4f4de58100f65dd3bba1cb530d802c5431633292066f1f358af3f25dfd9c4ee770b4fef06aec1ed2b5cb6b68607e09af1fb51b87813790c8fc4bf8e69cc2f7855265c994cb8e686a469db0ef3f1cafbbc2d7acd97cd3651e7f6879d12c5bd4237d352687474703a2f2f33312e3230312e3134302e3136373a3838382f77656261646d696e2f66696c652e7068707c66696c653d757361676f6c642e786d6c00cdcfe8b2c911bd9ffad8a189b865e159da891514e20ef85c7452773a0d35081af1353d1765d899791f4ba27cfb483754ef3c246d41aaf4f7f7ca07a29077e4a6f148cf07a2fc9f173a1bca3c18dac2f3543f8415f5876d5a65c5501b22cbc75cb54dc609e84476803491400800000040f2da5c94676d0c8ba4897d2c2bfa5942268f4aa69f79c67500730063006100000055d470fe2379949e5eb45e13cd43632a5581642f6339d4618fb895a379260374f7163321735b7c398e1d3742092dc4aae696ce01ca75cf65a60ad63d960e882a0a47643a235b4c5f60e2412079be6f8f8baf697b7622080004008bb94b72dab7d4928cb0fc200bf71b280416e49f6bbf8cf5bf062fe98fce6fa13d815efa02059e1d32000000c1e9081a078a1178c024318f570bbc726404b03773fc974d07faaf10de53499b771d6fddd2e5c9f077a5c2a5b9f0e6643c708e33b592c014f180519419504ca1347a989ced90d4af962986616e1f75671ffa53bd8bab9ff6c87ecad14b18040400eaca7de1f1fa5e289ac6e9fdfe3125168a45ff7eaffe9c95db63ee59a9f685e3554ea8347203a532dfca65eef7e1432808ae1e1506a3ad608164136ed52cb4e6a16d4606000300bee0dafeca704f6c5e5cd445d91956d22f57156a3236034010b76c7f1d70dc99d3853edb17d34146be687474703a2f2f33312e3230312e3134302e3136373a3838382f77656261646d696e2f66696c652e7068707c66696c653d757361676f6c642e786d6c00000000000000000000000000000000000000000000000000000000000000000000000000000000005a4a42af56c8b0ee4638e214de8bd3c2917b25a1b21f6699dabd934489dfdaa210a9a40eae69d370f97048b57f21a97cae47', 'salt': 'xefxcdxc9xf2', 'remote_config': {}}Tools: [Hybrid] [MDB] Download File |