Researchers Center: Atmos Strategic Monitoring


SPYWARE.CITADEL.ATMOS

Sample: 78af8cfc196584f6ebbf8ba6591d54d5a1489584
SHA256: f30d5a016c470b315fa1792fe4454afedf3e5c12a1c35901c2c0852724e31e74
Request: Tayuya [2016/09/28 - 03:09:45]
Callback: 169.239.129.118
Gate: http://169.239.129.118/scryba/file.php|file=us.xml
Decryptor logs:
DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://169.239.129.118/scryba/file.php|file=us.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[17, 65, 137, 164, 246, 212, 1, 250, 78, 154, 116, 42, 250, 98, 39, 73, 102, 225, 51, 229, 50, 109, 228, 102, 64, 115, 194, 76, 182, 132, 38, 2, 166, 137, 204, 210, 248, 83, 124, 222, 82, 173, 4, 4, 183, 160, 92, 68, 116, 255, 95, 237, 156, 72, 65, 155, 188, 235, 130, 105, 243, 63, 67, 216, 176, 0, 71, 231, 127, 77, 209, 119, 95, 252, 113, 223, 31, 232, 128, 144, 9, 16, 9, 103, 25, 194, 62, 145, 77, 182, 144, 204, 81, 219, 101, 10, 99, 61, 79, 173, 29, 120, 146, 9, 161, 8, 213, 36, 86, 148, 26, 217, 134, 11, 24, 78, 92, 134, 154, 246, 4, 149, 13, 61, 174, 53, 142, 200, 170, 49, 140, 171, 216, 18, 188, 148, 209, 74, 227, 125, 63, 41, 30, 88, 149, 195, 36, 12, 1, 229, 170, 162, 144, 88, 252, 101, 242, 22, 32, 80, 18, 141, 205, 45, 226, 26, 220, 141, 187, 71, 97, 166, 20, 163, 201, 57, 104, 68, 189, 254, 233, 198, 72, 170, 112, 238, 152, 128, 51, 136, 180, 63, 231, 57, 119, 252, 84, 214, 0, 83, 180, 118, 195, 191, 75, 90, 127, 221, 210, 39, 8, 86, 145, 184, 169, 168, 202, 187, 46, 138, 177, 246, 198, 220, 204, 253, 229, 52, 141, 133, 232, 84, 225, 242, 225, 152, 194, 56, 77, 71, 171, 157, 206, 5, 167, 28, 54, 157, 232, 80, 105, 160, 34, 223, 14, 20]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[110, 93, 89, 67, 199, 179, 26, 117, 50, 3, 171, 141, 14, 3, 127, 181]
Report:
{'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [17, 0, 195, 26, 29, 188, 235, 237, 49, 76, 88, 238, 254, 109, 243, 18, 152, 225, 51, 229, 50, 98, 228, 102, 64, 115, 194, 154, 182, 132, 38, 2, 166, 137, 204, 210, 248, 83, 124, 222, 82, 173, 4, 4, 183, 160, 92, 68, 116, 255, 95, 250, 156, 72, 65, 155, 212, 1, 130, 105, 39, 63, 67, 216, 176, 65, 71, 231, 127, 77, 209, 119, 95, 252, 113, 223, 31, 232, 128, 144, 9, 16, 9, 103, 25, 194, 62, 145, 77, 182, 144, 204, 81, 219, 101, 10, 99, 61, 79, 173, 246, 120, 146, 9, 161, 8, 213, 36, 86, 148, 164, 217, 134, 11, 24, 78, 92, 134, 154, 246, 4, 149, 13, 61, 174, 53, 142, 200, 170, 78, 140, 171, 216, 73, 188, 148, 209, 74, 227, 125, 63, 41, 30, 116, 149, 195, 36, 12, 1, 229, 170, 162, 144, 88, 252, 101, 242, 22, 32, 80, 18, 141, 205, 45, 226, 26, 220, 141, 187, 71, 97, 166, 20, 163, 201, 57, 104, 68, 189, 250, 233, 198, 72, 170, 112, 42, 152, 128, 51, 136, 180, 63, 231, 57, 119, 252, 84, 214, 0, 83, 180, 118, 137, 191, 75, 90, 127, 221, 210, 39, 8, 86, 145, 184, 169, 168, 202, 187, 46, 138, 177, 246, 198, 220, 204, 253, 229, 52, 141, 133, 232, 84, 225, 242, 225, 102, 194, 56, 77, 71, 171, 157, 206, 5, 167, 28, 54, 157, 232, 80, 105, 160, 34, 223, 14, 20], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://169.239.129.118/scryba/file.php|file=us.xml'], 'base_config_hexed': '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', 'salt': '\xef\xcd\xc9\xf2'}
