A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13434  by Xylitol
 Sat May 26, 2012 12:25 pm
Fun
Code: Select all
00420CD8  |.  68 C0194000   PUSH 4019C0                              ; |Text = "Coded by BRIAN KREBS for personal use only. I love my job & wife."
two more C&C
Code: Select all
hxxp://inbani.com/js/res/cp.php?m=login
hxxp://inbani.com/js/res/theme/images/citadel.jpg
--
hxxp://lotosmusicfm.net/jstat/cp.php
hxxp://lotosmusicfm.net/jstat/theme/images/citadel.jpg
https://www.virustotal.com/file/6f6b5fe ... 338035569/
Attachments
infected
(265.19 KiB) Downloaded 160 times
 #13523  by obnoxiousdiablo
 Tue May 29, 2012 10:03 pm
Hi Xylitol,

Thanks a lot for sharing this info. What is the file in the zip with 140K size? Is that the cfg downloaded?

Is it possible to share the packet dump you may have?

Thank you.

Regards,
 #13527  by obnoxiousdiablo
 Wed May 30, 2012 1:36 am
Never mind. I figured out it was encrypted cfg downloaded during your analysis. It is targeting mainly European banks at the moment. Will be great if you could post more citadel with cfg as they come along.

Much appreciated,
 #16040  by Xylitol
 Tue Oct 16, 2012 12:58 pm
Some files (php/exe) dumped from Citadel 1.3.4.5 server

Image
https://zeustracker.abuse.ch/monitor.ph ... orumin.net
There is also a bleeding life v2:
Code: Select all
hxxp://fastforumin.net:808/sp/statistics/login.php
Real gate:
Code: Select all
hxxp://5.9.62.149:50800/mainsession/gate.php
C&C:
Code: Select all
hxxp://5.9.62.149:50800/mainsession/cp.php
lulz:
Code: Select all
hxxp://5.9.62.149:50800/mainsession/install/
• [0] - Connecting to MySQL as 'joe'.
• [0] - Selecting DB 'joe_bot_db1'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_120812'.
• [0] - Updating table 'botnet_reports_120813'.
• [0] - Updating table 'botnet_reports_120814'.
• [0] - Updating table 'botnet_reports_120815'.
• [0] - Updating table 'botnet_reports_120816'.
• [0] - Updating table 'botnet_reports_120817'.
• [0] - Updating table 'botnet_reports_120818'.
• [0] - Updating table 'botnet_reports_120819'.
• [0] - Updating table 'botnet_reports_120820'.
• [0] - Updating table 'botnet_reports_120821'.
• [0] - Updating table 'botnet_reports_120822'.
• [0] - Updating table 'botnet_reports_120823'.
• [0] - Updating table 'botnet_reports_120824'.
• [0] - Updating table 'botnet_reports_120825'.
• [0] - Updating table 'botnet_reports_120826'.
• [0] - Updating table 'botnet_reports_120827'.
• [0] - Updating table 'botnet_reports_120828'.
• [0] - Updating table 'botnet_reports_120829'.
• [0] - Updating table 'botnet_reports_120830'.
• [0] - Updating table 'botnet_reports_120831'.
• [0] - Updating table 'botnet_reports_120901'.
• [0] - Updating table 'botnet_reports_120902'.
• [0] - Updating table 'botnet_reports_120903'.
• [0] - Updating table 'botnet_reports_120904'.
• [0] - Updating table 'botnet_reports_120905'.
• [0] - Updating table 'botnet_reports_120906'.
• [0] - Updating table 'botnet_reports_120907'.
• [0] - Updating table 'botnet_reports_120908'.
• [0] - Updating table 'botnet_reports_120909'.
• [0] - Updating table 'botnet_reports_120910'.
• [0] - Updating table 'botnet_reports_120911'.
• [0] - Updating table 'botnet_reports_120912'.
• [0] - Updating table 'botnet_reports_120925'.
• [0] - Updating table 'botnet_reports_120926'.
• [0] - Updating table 'botnet_reports_120929'.
• [0] - Updating table 'botnet_reports_120930'.
• [0] - Updating table 'botnet_reports_121001'.
• [0] - Updating table 'botnet_reports_121002'.
• [0] - Updating table 'botnet_reports_121003'.
• [0] - Updating table 'botnet_reports_121004'.
• [0] - Updating table 'botnet_reports_121005'.
• [0] - Updating table 'botnet_reports_121006'.
• [0] - Updating table 'botnet_reports_121007'.
• [0] - Updating table 'botnet_reports_121011'.
• [0] - Updating table 'botnet_reports_121012'.
• [0] - Updating table 'botnet_reports_121013'.
• [0] - Updating table 'botnet_reports_121014'.
• [0] - Updating table 'botnet_reports_121015'.
• [0] - Updating table 'botnet_reports_121016'.
• [0] - Filling table 'ipv4toc'.
• [1] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'botnet_rep_domains'.
• [3] - Updating table 'botnet_rep_domainlogs'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'botnet_rep_dedup'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_rep_iframer'.
• [3] - Updating table 'botnet_rep_filehunter'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Creating folder '_reports102979970'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
-- Update complete! --
Attachments
infected
(1.58 MiB) Downloaded 189 times
 #16150  by Xylitol
 Fri Oct 19, 2012 11:55 am
Another sample in attach.
Code: Select all
Citadel C&C - hxxp://78.46.226.50/ajax/cp.php?m=login
401 - hxxp://78.46.226.50/1/
calc.exe exploit - hxxp://78.46.226.50/ajax/t/ - hxxp://78.46.226.50/ajax/t/chk.html - hxxp://78.46.226.50/ajax/t/calc.exe
log parser - hxxp://78.46.226.50/p/
pma - hxxp://78.46.226.50/phpmyadmin/setup/
Attachments
 #16220  by Xylitol
 Mon Oct 22, 2012 10:57 pm
Leaked version of summer edition in attach (1.3.4.5)
https://www.virustotal.com/file/1a2e85e ... 350946598/
Attachments
infected
(2 MiB) Downloaded 157 times
infected
(1.05 MiB) Downloaded 158 times
infected
(668.86 KiB) Downloaded 168 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 20