Researchers Center: Atmos Strategic Monitoring


SPYWARE.CITADEL.ATMOS

Sample (SHA1): ba87a639085b39a1fab06f72a10a02197f7d77ea
SHA256: d95b4cfb65e482705cd016ae732620b040a43c873d90a834bad81494b9182c4f
Request: Tayuya [2016/11/05 - 11:11:31]
Callback (C&C domain): aymaraviajes.com.ar
Gate (C&C config URL — live malware indicator, do not browse from an unprotected host): http://aymaraviajes.com.ar/buscador/images/file.php|file=us.xml
Decryptor logs:
DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://aymaraviajes.com.ar/buscador/images/file.php|file=us.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[251, 143, 28, 95, 8, 44, 253, 45, 17, 8, 48, 30, 248, 236, 188, 24, 55, 90, 207, 129, 38, 227, 73, 157, 236, 248, 6, 81, 91, 220, 158, 102, 178, 66, 65, 175, 138, 214, 144, 74, 36, 94, 183, 93, 149, 221, 231, 87, 26, 98, 159, 191, 206, 244, 241, 112, 220, 80, 150, 197, 33, 134, 39, 218, 194, 3, 147, 106, 140, 20, 206, 142, 139, 189, 155, 76, 241, 63, 251, 85, 122, 50, 157, 184, 186, 182, 107, 242, 127, 172, 50, 188, 100, 2, 109, 127, 145, 203, 213, 235, 20, 161, 17, 228, 73, 91, 71, 20, 1, 255, 132, 83, 18, 64, 243, 232, 11, 12, 45, 214, 89, 158, 198, 44, 152, 17, 43, 4, 196, 239, 236, 123, 223, 26, 208, 198, 151, 47, 82, 88, 242, 157, 58, 224, 189, 208, 118, 208, 224, 217, 137, 125, 107, 95, 141, 194, 67, 83, 100, 119, 148, 107, 216, 233, 161, 162, 110, 22, 84, 118, 168, 117, 175, 120, 202, 221, 159, 183, 203, 5, 165, 129, 156, 47, 184, 200, 163, 91, 41, 140, 84, 202, 70, 247, 77, 9, 170, 252, 175, 219, 130, 60, 30, 145, 82, 145, 246, 210, 72, 181, 250, 46, 119, 171, 92, 56, 232, 40, 91, 226, 35, 179, 179, 132, 53, 192, 237, 27, 141, 210, 87, 128, 27, 128, 41, 147, 162, 242, 14, 239, 155, 111, 4, 14, 2, 226, 115, 250, 10, 55, 116, 133, 23, 76, 193, 177]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[124, 146, 98, 158, 234, 60, 99, 96, 32, 168, 111, 113, 251, 115, 22, 229]
Report:
{'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [251, 224, 117, 48, 207, 39, 197, 73, 158, 239, 53, 193, 115, 237, 100, 156, 242, 90, 8, 129, 38, 227, 73, 157, 236, 248, 6, 81, 91, 220, 158, 102, 178, 66, 65, 175, 138, 214, 144, 74, 36, 94, 183, 93, 149, 221, 231, 87, 26, 98, 159, 191, 206, 244, 241, 112, 220, 80, 150, 253, 33, 134, 44, 218, 194, 3, 147, 106, 140, 20, 206, 142, 139, 189, 155, 76, 241, 63, 251, 85, 122, 50, 157, 184, 186, 182, 107, 242, 127, 172, 50, 188, 100, 2, 109, 127, 145, 203, 213, 235, 20, 161, 17, 228, 45, 91, 71, 20, 1, 255, 132, 83, 18, 64, 243, 232, 11, 12, 45, 214, 89, 17, 198, 44, 152, 17, 43, 4, 196, 8, 236, 123, 223, 26, 208, 198, 151, 47, 82, 88, 242, 157, 58, 143, 189, 208, 118, 208, 224, 217, 137, 125, 107, 95, 141, 194, 67, 83, 188, 119, 148, 107, 216, 233, 161, 162, 110, 22, 84, 118, 168, 28, 175, 120, 202, 221, 159, 183, 203, 5, 165, 129, 24, 47, 184, 200, 163, 91, 41, 140, 84, 202, 70, 247, 77, 9, 170, 252, 175, 219, 130, 60, 30, 145, 82, 145, 246, 210, 72, 181, 250, 46, 119, 171, 92, 56, 232, 40, 91, 226, 35, 179, 179, 132, 95, 192, 236, 27, 141, 210, 87, 128, 27, 128, 41, 147, 162, 55, 14, 239, 155, 111, 4, 14, 2, 226, 248, 250, 10, 55, 116, 133, 23, 76, 30, 177], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://aymaraviajes.com.ar/buscador/images/file.php|file=us.xml'], 'base_config_hexed': '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', 'salt': '\xef\xcd\xc9\xf2', 'remote_config': {}}
