Researchers Center: Atmos Strategic Monitoring


SPYWARE.CITADEL.ATMOS

Sample: 553bc774a0ef82319c9239218b1e5bbdd847acef
SHA256: ef4c782e124da79e0bea05895096816f94c119820a258b0ba8e3ee66033abfe7
Request: Tayuya [2016/08/28 - 14:08:14]
Callback: www.goodgirlsnow.in
Gate: http://www.goodgirlsnow.in/atm/file.php|file=us.xml
Decryptor logs:
DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://www.goodgirlsnow.in/atm/file.php|file=us.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[103, 157, 5, 201, 29, 11, 245, 209, 92, 63, 64, 138, 51, 90, 199, 24, 24, 65, 17, 49, 16, 108, 97, 191, 148, 124, 71, 31, 146, 121, 20, 247, 206, 21, 194, 210, 25, 69, 251, 99, 43, 117, 73, 160, 117, 234, 18, 77, 98, 162, 244, 145, 162, 136, 135, 94, 203, 99, 176, 219, 105, 107, 57, 166, 123, 224, 123, 51, 78, 192, 56, 194, 237, 214, 75, 30, 73, 187, 174, 250, 87, 175, 169, 97, 23, 77, 40, 120, 127, 54, 203, 130, 83, 161, 15, 40, 193, 167, 211, 106, 72, 233, 78, 220, 14, 154, 229, 255, 74, 251, 182, 183, 1, 116, 30, 101, 33, 113, 204, 48, 124, 106, 126, 108, 171, 226, 95, 21, 232, 141, 139, 15, 172, 229, 150, 90, 130, 112, 70, 235, 2, 102, 28, 239, 184, 9, 23, 165, 115, 96, 207, 34, 71, 151, 226, 61, 19, 213, 231, 91, 126, 109, 255, 65, 109, 131, 112, 186, 8, 74, 193, 89, 45, 139, 222, 17, 169, 238, 63, 132, 140, 194, 254, 195, 62, 110, 124, 13, 154, 49, 195, 226, 141, 119, 190, 180, 244, 184, 137, 164, 139, 252, 116, 141, 247, 23, 43, 208, 136, 35, 230, 72, 28, 147, 131, 253, 234, 129, 98, 14, 40, 172, 14, 73, 65, 199, 142, 152, 5, 114, 107, 230, 128, 201, 177, 23, 194, 93, 239, 151, 38, 130, 49, 66, 211, 32, 76, 254, 156, 209, 141, 113, 190, 182, 252, 42]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[49, 95, 102, 253, 251, 96, 120, 169, 203, 198, 80, 57, 175, 43, 20, 176]
Report:
{'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [103, 213, 255, 255, 130, 165, 29, 54, 194, 211, 162, 195, 130, 30, 17, 73, 123, 65, 199, 49, 16, 108, 97, 191, 148, 124, 71, 31, 146, 121, 20, 247, 206, 21, 194, 210, 25, 69, 251, 99, 43, 117, 24, 160, 117, 234, 18, 77, 98, 162, 244, 145, 64, 136, 135, 94, 203, 99, 176, 219, 105, 107, 57, 166, 123, 224, 24, 51, 78, 192, 56, 194, 237, 214, 75, 90, 73, 187, 174, 250, 87, 175, 169, 97, 23, 77, 40, 120, 127, 209, 203, 130, 83, 161, 15, 40, 193, 167, 211, 106, 72, 233, 78, 220, 14, 154, 229, 201, 74, 251, 182, 183, 1, 116, 30, 101, 33, 113, 204, 48, 124, 106, 126, 108, 171, 226, 95, 21, 232, 141, 139, 15, 172, 229, 150, 90, 245, 112, 70, 235, 2, 102, 28, 239, 184, 9, 23, 11, 115, 96, 207, 34, 71, 151, 226, 61, 19, 157, 231, 91, 126, 109, 5, 65, 109, 131, 112, 186, 8, 74, 193, 89, 45, 139, 222, 17, 169, 238, 63, 132, 140, 92, 254, 195, 62, 110, 124, 13, 154, 49, 138, 226, 141, 119, 190, 180, 244, 184, 137, 164, 139, 252, 116, 141, 247, 23, 43, 208, 136, 35, 230, 72, 28, 147, 131, 253, 234, 129, 98, 14, 40, 172, 14, 73, 65, 199, 142, 152, 5, 114, 107, 230, 128, 201, 177, 23, 194, 93, 239, 151, 38, 51, 49, 66, 63, 32, 76, 254, 156, 209, 141, 113, 190, 182, 252, 42], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://www.goodgirlsnow.in/atm/file.php|file=us.xml'], 'base_config_hexed': '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', 'salt': '\xef\xcd\xc9\xf2'}
