 #22142  by tildedennis
 Wed Feb 05, 2014 3:00 pm
Sample: https://www.virustotal.com/en/file/b68c4482be662067edef0147b2a0e4c7723458fc2f3606a2c15ab9676f3b5dd7/analysis/
Version: 1.3.5.1
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Config URL: http://shalafantasy.com/panel/file.php|file=config.dll
Config attached.
 #22143  by tildedennis
 Wed Feb 05, 2014 3:06 pm
Sample: https://www.virustotal.com/en/file/ee3222d84e9cc647e1d615cf49c3786787c582b1bed4d3a4000ec08a032e9e5c/analysis/
Version: 1.3.5.1
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Config URL: http://5.56.133.73/office/drgoody/server/file.php|file=config.dll
Config attached.
 #22149  by tildedennis
 Thu Feb 06, 2014 6:50 pm
VirusTotal: https://www.virustotal.com/en/file/63f4 ... /analysis/
Zeus Tracker: https://zeustracker.abuse.ch/monitor.ph ... radings.ru
Version: 1.3.5.1
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Config URL: htxp://jj-tradings.ru/image/file.php|file=config.dll

Config attached.
 #22153  by tildedennis
 Fri Feb 07, 2014 1:45 pm
VirusTotal: https://www.virustotal.com/en/file/1375b480e3a7683e864433dd1bc2f886688696bfb69e6614b1cb555f113b6895/analysis/
Zeus Tracker: https://zeustracker.abuse.ch/monitor.php?host=www.gminalubiewo.pl
Version: 1.3.5.1
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Config URL: http://www.gminalubiewo.pl/images/files/file.php|file=config.dll

Config attached.
 #22166  by Xylitol
 Sun Feb 09, 2014 1:40 pm
Citadel targeting France.
Drop: hxtp://alinaposlogger.biz/nsa/rs8.php
Update: hxtp://alinaposlogger.biz/nsa/file.php|file=boom.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: B5 D2 C7 CD C7 BD E1 0B 7C BB 8E 22 E7 FF DC 60
https://www.virustotal.com/en/file/aefa ... 391953135/
 #22183  by patriq
 Mon Feb 10, 2014 10:12 pm
Found this URL in the logs of another Citadel server.

Attached is a binary found on there.

I'm a shitty reverser. No idea what it is, FUD. I'm guessing Citadel because that's where I found it.

https://malwr.com/analysis/ODcwY2FlYmZi ... RjNjlhNmU/
 #22192  by patriq
 Tue Feb 11, 2014 10:49 pm
Been working on a group of Citadel servers.

http://protectyournet.blogspot.com/2014 ... ts-nl.html

https://malwr.com/analysis/ZTE1OGFkNTJk ... E5ODUxOTU/
https://malwr.com/analysis/NGIyNWJlMWRj ... NlYjczYjY/
https://malwr.com/analysis/YzE2MmI3MTA1 ... UyZTM2MmY/
https://malwr.com/analysis/ZjE0MzBlM2Qw ... I5MjY1YzQ/
https://malwr.com/analysis/NjlmMDliOGZm ... E0NjgyMjk/

Samples attached.
 #22203  by patriq
 Thu Feb 13, 2014 2:29 pm
First time I've seen "Kingtools" Citadel re-branding.

http://protectyournet.blogspot.com/2014 ... tadel.html

Anyone seen any other knock-offs like this?

I would guess the bins are the same as Cit v1.3.5.1, but I couldn't find a sample for this one.
C&C was at:

http://taking.no-ip.biz/ogenew/on/cp.php?m=login
 #22213  by g0r_
 Fri Feb 14, 2014 3:28 am
patriq wrote:First time I've seen "Kingtools" Citadel re-branding.

http://protectyournet.blogspot.com/2014 ... tadel.html

Anyone seen any other knock-offs like this?

I would guess the bins are the same as Cit v1.3.5.1, but I couldn't find a sample for this one.
C&C was at:

http://taking.no-ip.biz/ogenew/on/cp.php?m=login
hxxp://taking.no-ip.biz/ogenew/server/ has a binary that might be related.