A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27695  by Xylitol
 Tue Jan 19, 2016 3:55 pm
1.3.5.1 spotted yesterday on zeus tracker, using fastflux and custom panel design
The payload can be found from the url yalitest4.info/c_be4/files/soft.exe
Code: Select all
Key: 7C BB 17 F9 7C 49 21 C6 F0 0B 55 4E ED 1F 4F F2
15 37 58 08 CC 1A CD 48 3F 18 28 5A CB F3 E1 4F 6E 6D C6 DC C4 63 51 DE E4 55 15 13 D7 6A 88 5E 32 79 4A 60 CA 21 BD E7 84 DF B6 92 FD 39 21 4C 85 71 B2 E8 96 62 07 4A 00 9D 43 3E DE B5 81 FA B1 8E C7 47 5F 1D 30 AC 36 44 6F F6 47 AC 24 B0 31 03 A9 5F 24 3D 0C 2B 3E E1 8D E2 9E 10 79 69 60 1E FF CA E9 C2 C9 78 02 01 45 2A BC 51 AF 32 7E D5 A3 45 4F 8C C8 42 0C BD AD D2 BB 7D 2D 27 99 68 D7 5B 82 B8 7A 63 C7 B7 9C DB 93 5B 19 0C 52 98 9F A4 FC 09 46 16 92 17 6C B8 F1 F2 E0 D5 AB A4 FE 15 B2 88 78 FB FE FF 3F 09 E3 C1 94 AA 78 9B BC 18 7A 0E 3C DD D1 26 D9 6B 3B 7F 0F 76 1F 4C 83 88 41 1C 7D A2 A1 EB DA A9 F0 8F 39 77 EE AF 00 B2 6B 12 2A 56 77 FB C3 68 5A D4 5D 9C EC 0B 26 8C EF 2D CE 2C 19 6C 32 AF 7B 91 91 58 FA 2B E7 EC F7 81 D0 BB D6 7C 3D 8F C5 A6 EA 8D
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Targeting european banks.
Attachments
infected
(281.35 KiB) Downloaded 94 times
 #27798  by benkow_
 Sun Jan 31, 2016 10:31 pm
Another Citadel fork (or version idk).
Image
Code: Select all
http://googleupdate.epac.to/shop/system/
http://googleupdate.epac.to/shop/public/
http://googleupdate.epac.to/shop/files/
http://googleupdate.epac.to/shop/images/
http://googleupdate.epac.to/shop/t.php
http://googleupdate.epac.to/shop/api.php
http://googleupdate.epac.to/shop/index.php
http://googleupdate.epac.to/shop/webmaster.php

some js dif from Citadel 1.3.5.1
http://googleupdate.epac.to/shop/theme/js/page-botinfo.js 
http://googleupdate.epac.to/shop/theme/js/page-botnet_tokenspy-editpage.js
http://googleupdate.epac.to/shop/theme/js/page-botnet_tokenspy-edittpl.js
http://googleupdate.epac.to/shop/theme/js/page-botnet_tokenspy-index.js
http://googleupdate.epac.to/shop/theme/js/page-botnet_tokenspy-ts-infowin.js
http://googleupdate.epac.to/shop/theme/js/page-botnet_tokenspy-ts-load.js
http://googleupdate.epac.to/shop/theme/js/page-botnet_tokenspy-ts.js
If anyone has a sample related to this panel, I'm curious :)
 #27888  by Xylitol
 Wed Feb 17, 2016 12:55 pm
Banking Trojan “Citadel” Returns ~ JP - EN
https://github.com/JPCERTCC/aa-tools/tr ... _decryptor
Code: Select all
C:\Python27>citadel_decryptor.py -v -d root.xml citadel_main.bin
[*] start to decrypt root.xml
[*] get base config & several params
[*] found base config at RVA:0x00002a20, RA:0x00002a20
[*] found login key: 258C804A6C32A4EE66E786A111B32901
[*] use RC4 key at (base config + 0x00000192)
[*] found following xor key for AES plus:
[16, 206, 158, 63, 170, 159, 151, 166, 60, 175, 144, 209, 159, 58, 244, 79]
[*] found RC4 salt: 0xEE9FF2AB
[*] found xor key using after Visual Decrypt: 0xEE9FF2AB
[*] try to unpack
[*] decrypt data using following key:
[129, 239, 136, 131, 168, 64, 94, 167, 31, 38, 18, 250, 98, 136, 1, 43, 25, 193,
 216, 153, 146, 119, 176, 146, 250, 156, 131, 137, 185, 3, 49, 25, 38, 179, 194,
 235, 54, 169, 204, 97, 226, 159, 227, 115, 223, 133, 59, 93, 14, 55, 69, 176, 2
53, 191, 44, 174, 73, 56, 29, 183, 215, 42, 140, 69, 163, 187, 126, 4, 17, 109,
39, 113, 26, 37, 255, 73, 69, 17, 190, 208, 83, 230, 241, 98, 2, 245, 55, 160, 1
69, 24, 157, 157, 114, 73, 73, 103, 16, 177, 232, 184, 84, 5, 195, 5, 18, 210, 9
2, 14, 149, 253, 116, 222, 201, 151, 201, 110, 255, 129, 76, 86, 43, 121, 152, 2
54, 151, 74, 178, 129, 122, 81, 237, 172, 164, 47, 13, 132, 236, 176, 203, 143,
225, 138, 65, 198, 189, 91, 213, 74, 113, 163, 247, 7, 220, 59, 159, 155, 46, 18
1, 161, 121, 11, 4, 238, 83, 103, 218, 147, 32, 206, 216, 115, 59, 147, 174, 20,
 0, 86, 248, 197, 182, 180, 195, 191, 227, 230, 26, 48, 225, 27, 35, 35, 126, 1,
 46, 253, 79, 65, 233, 56, 221, 187, 168, 192, 156, 48, 11, 173, 88, 190, 113, 1
68, 28, 178, 95, 231, 85, 195, 118, 70, 34, 192, 128, 80, 11, 101, 85, 10, 177,
80, 208, 75, 64, 32, 130, 40, 112, 41, 140, 211, 220, 97, 39, 244, 141, 7, 143,
122, 236, 143, 224, 79, 188, 204, 14, 53, 116]
[*] try to AES+ decryption
[*] use following AES key:
[170, 238, 167, 50, 247, 201, 15, 248, 23, 40, 250, 207, 223, 146, 40, 197]
[*] parse decrypted data... OK
[*] decompress decrypted data
[*] wrote decrypted data to root_decrypted.bin
Additionally...
"• Citadel Decryptor is only available for 32bit environment"

Compiled ucl.dll in attachment and result from r3shl4k1sh sample (https://www.virustotal.com/en/file/722a ... 421090299/)
+ another sample from november 2015.

unpacked/decrypted:
sample: https://www.virustotal.com/en/file/2e4a ... 455727447/
atmos_ffcookie.module: https://www.virustotal.com/en/file/b7a1 ... 455726676/
atmos_hvnc.module: https://www.virustotal.com/en/file/ece7 ... 455726681/
atmos_video.module: https://www.virustotal.com/en/file/f9a4 ... 455726686/
Attachments
infected
(1.4 MiB) Downloaded 117 times
infected
(3.97 KiB) Downloaded 80 times
(28.54 KiB) Downloaded 81 times
 #27904  by Xylitol
 Fri Feb 19, 2016 7:18 pm
Attachments
infected
(798.91 KiB) Downloaded 89 times
infected
(4.66 MiB) Downloaded 108 times
 #27916  by Xylitol
 Mon Feb 22, 2016 12:29 pm
no obfuscation, plain text.
In attach Citadel 1.3.5.1
Code: Select all
http://109.203.100.122/fifo/file.php|file=soft.exe
http://109.203.100.122/fifo/gate.php
http://109.203.100.122/fifo/file.php
http://s186598balooba125.com/djamel/file.php|file=config.bin
http://baladzabiviongaalkdce.com/xxx/file.php|file=config.bin
http://tenknafabalojsgdhincv.com/xxx/file.php|file=config.bin
https://www.virustotal.com/en/file/7f22 ... 456144010/
Attachments
infected
(147.26 KiB) Downloaded 79 times
 #27975  by Xylitol
 Tue Mar 01, 2016 6:18 pm
Citadel 0.0.1.1 "Tesla" according to footer/header.
Indicator of command and control:
Code: Select all
/theme/resources/TokenSpy/img/One-Ring-65x60.png
/theme/footer.html
/theme/header.html
Image Image Image

https://zeustracker.abuse.ch/monitor.ph ... aiwqoww.ru
• dns: 10 ›› ip: 91.211.175.7 - adress: LAJHDILAIWQOWW.RU
-- addr: LAJHDILAIWQOWW.RU -- ip: 193.106.221.225
-- addr: LAJHDILAIWQOWW.RU -- ip: 178.167.68.127
-- addr: LAJHDILAIWQOWW.RU -- ip: 178.137.186.180
-- addr: LAJHDILAIWQOWW.RU -- ip: 178.74.203.125
-- addr: LAJHDILAIWQOWW.RU -- ip: 109.225.44.200
-- addr: LAJHDILAIWQOWW.RU -- ip: 91.211.175.7
-- addr: LAJHDILAIWQOWW.RU -- ip: 89.105.255.208
-- addr: LAJHDILAIWQOWW.RU -- ip: 86.125.127.144
-- addr: LAJHDILAIWQOWW.RU -- ip: 79.118.9.16
-- addr: LAJHDILAIWQOWW.RU -- ip: 77.120.181.156

Samples in attach.
Actually alive at ioewruowierhkld123lakssfh.com, still in fastflux, same number of dns.
https://www.virustotal.com/en/file/e858 ... 457037182/

Edit: Roman added the .com domain to ZT: https://zeustracker.abuse.ch/monitor.ph ... akssfh.com
Edit2: Malwarebytes added the signature "Spyware.Citadel.Atmos"
Attachments
infected
(1.06 MiB) Downloaded 98 times
infected
(186.47 KiB) Downloaded 89 times
 #27995  by Bry_Campbell
 Thu Mar 03, 2016 11:22 pm
I analysed the following doc https://www.virustotal.com/en/file/2b16 ... /analysis/ It then drops https://www.virustotal.com/en/file/8564 ... /analysis/

I observed some HTTP trafffic to ( but not exluding ) hxxp://huaweideviceng.com/huawei/wp-includes/js/crop/.cache/entry.jpg

Files all here - http://www.filedropper.com/potentialzeus

Thanks to MMD for this http://blog.malwaremustdie.org/2015/07/ ... v2000.html which identified the .jpg as the IOC i needed :D
  • 1
  • 16
  • 17
  • 18
  • 19
  • 20