A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22430  by Xylitol
 Tue Mar 11, 2014 5:28 pm
I don't have the raw decode since i've not decoded it.
edit: i asked a little birdy, it's attached.

I've found these domains in relation:
raphclickable.com/foh/file.php
onepagegrinsd.com/foh/file.php
unstandardclo.net/foh/file.php
measuredtrick.com/foh/file.php
opportunitiess.su/foh/file.php
upanddownrein.com/foh/file.php
Possibly also in relation:
omituniversit.com/adu/file.php
zopapublishedn.su/adu/file.php
eagencygraphp.net/adu/file.php
demandmeticul.net/adu/file.php
dollarsremons.com/adu/file.php
onestopinstru.net/adu/file.php
--
http://www.spamhaus.org/sbl/query/SBL193024
ewsoulelysejh.com/wel/file.php

And malwr seem to know a dropper: https://malwr.com/analysis/OTNkZTMyMTVm ... MxYzM0YWI/
behavioral analysis is interesting: 86734234434.exe -> fnmod_32.exe i've already see this user_execute on ZeusVM (36CE0A33.zip unpacked payload)
S21 guys observed an involution of the 3.1.0.0, maybe because actors switched on ZeusVM :?:
one ZeusVM use the same ASN of a Citadel 3.1.0.0: http://www.urlquery.net/report.php?id=7654694 and guess what, it's the one who download fnmod_32.exe

Some others 3.1.0.0 in attachement.
https://www.virustotal.com/en/file/3202 ... 394564044/
https://www.virustotal.com/en/file/b71b ... 394564049/
https://www.virustotal.com/en/file/f45b ... 394564053/
Attachments
infected
(60.43 KiB) Downloaded 88 times
infected
(846.59 KiB) Downloaded 124 times
 #22443  by g0r_
 Thu Mar 13, 2014 1:45 am
Apart from dumping memory and using a hex editor, is there an easy way to decrypt these configs? Are there any (semi) public tools that can be used if you have the config keys for a sample?
With the volume of samples we're seeing, it's becoming hard to keep up. I'd like to be able to use something maybe python based to decrypt the config to save time instead of spinning up VM's and checking memory, etc. Any help/pointers appreciated.
 #22603  by reverser
 Tue Apr 01, 2014 10:36 pm
g0r_ wrote:Apart from dumping memory and using a hex editor, is there an easy way to decrypt these configs? Are there any (semi) public tools that can be used if you have the config keys for a sample?
With the volume of samples we're seeing, it's becoming hard to keep up. I'd like to be able to use something maybe python based to decrypt the config to save time instead of spinning up VM's and checking memory, etc. Any help/pointers appreciated.
Try contacting JPCERT/CC, it seems they have a tool: http://blog.jpcert.or.jp/2014/03/jpcert ... -ac8c.html
 #22873  by Xylitol
 Thu May 15, 2014 10:04 am
Slight panel modification integrating secpassword stored in SQL db instead of PHP like in Zeus Evolution, otherwise sample is a 1.3.5.1 bot not interesting. (generic wells fargo config)
Image Image Image
[syntax="sql"]INSERT INTO `cp_users` (`id`, `name`, `pass`, `secpass`, `language`, `flag_enabled`, `comment`, `ss_format`, `ss_quality`, `r_edit_bots`, `r_stats_main`, `r_stats_main_reset`, `r_stats_os`, `r_botnet_bots`, `r_botnet_webinjects_admin`, `r_botnet_webinjects_coder`, `r_botnet_scripts`, `r_botnet_scripts_edit`, `r_reports_db`, `r_reports_db_edit`, `r_reports_files`, `r_reports_files_edit`, `r_reports_jn`, `r_reports_db_cmd`, `r_svc_notes`, `r_svc_crypter_crypt`, `r_svc_crypter_pay`, `r_system_info`, `r_system_options`, `r_system_user`, `r_system_users`) VALUES
(1, 'admin', '472a84ce7f8d3ee6b25253204092e262', '472a84ce7f8d3ee6b25253204092e262', 'en', 1, 'Default user', 'jpeg', 30, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1);
[/syntax]
Code: Select all
{
    "_id" : ObjectId("53748884a47c204d73f1c32b"),
    "zbotscan" : {
        "zbotscan" : {
            "data" : {
                "injected_process" : {
                    "xor_key" : "0",
                    "executable" : "Ybhoy\\ynfy.exe",
                    "comm_rc4_key_plaintext" : "2ace2cb9dfca415a89b669211257fbaf7f94388de1610fdd82fc04b4e5dd739a1690f02b424ada544cc937754868d066bd1191e07c4ba6db56856e911a3cf8040027584fa50725281cafe695d46cad8a21ac72b5fe4e0c6c440f66052c5a10e8c0253fec783ba2c06f2397fb6b7639e2b5ba816760c68dfc17a1b83cef1b57abcf756a883336ed7f139c5351d5e407f714f2d445f6fdfdc9a27ee1563ea800cf7b10ac69d3392a97311530dc63e2a8309f71d176921ea50ba741c04151a69bbb193288d320e9cdcd0a53869b2d8163b3c249b4081df7058601bf84390e3471d8708d20efbb405fc36de89efd46457a01f4eb56a0ccc5559cb88a95eec4d0bc5e",
                    "aes_key" : "63E7D8908429A95CD2542F26A99E7E78",
                    "config_rc4_keystream_plaintext" : "c78bb50e2c64713af82487dd354983231229e0ef79baf6473214721d5a68e44a5907db4e46d274bb6b09fb0f94627fd8e3b7cbf684ee5b419f63d1602fb81b27034ee9c09da5a51905765868741fa4beb0c0aadee02a0ceb8fa762c84067a2e660cd09751a95ac356ee1cf94f6e5065fea912ad1013e8ff7f0caea51e6c9bf85b387f2b6a1ae7954902050118ad01728bd54ae328c9655cd976c14fe10a3751b728632ff71ad1e840656d04d00c3df82f7c892ce2bc2faed0a3b37b4c47f33040bced66347704a17f965a08afb13a3e95fa0fd209c36866b4dddd39a413477d6437e217a2e2d314c9e575d9b3c6d3b255c9bddb38193005728184cb8efafc9dc",
                    "malware_zbot" : "CITADEL",
                    "process_name" : "explorer.exe",
                    "mutant_key" : "1835366737",
                    "computer_identifier" : "COMPUTER_1_7875768F1E829C61",
                    "aes_xor_key" : "FCA4C13246F5C8ABD0C5CFDC7350AB42",
                    "process_id" : 1500,
                    "process_address" : "34865152",
                    "login_key" : "C1F20D2340B519056A7D89B7DF4B0FFF",
                    "urls" : [ 
                        "http://54.208.246.4/webalizer/opt/ningga.php|file=config.dll", 
                        "http://54.208.246.4/webalizer/opt/ningga.php|file=config.dll"
                    ],
                    "zbot_version" : " 1.3.5.1",
                    "registry" : "{'Value3': 'Kuyfce', 'key_path': 'HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Qinuy', 'Value1': 'Ceqou', 'Value2': 'Enukak'}"
                }
            },
            "config" : {}
        }
    }
}
http://vxvault.siri-urz.net/ViriFiche.php?ID=26458
https://zeustracker.abuse.ch/monitor.ph ... .208.246.4
Attachments
infected
(5.81 KiB) Downloaded 95 times
infected
(143.01 KiB) Downloaded 109 times
infected
(3.81 MiB) Downloaded 125 times
 #24061  by Xylitol
 Mon Oct 06, 2014 8:33 am
retrieved this old sample on my hdd, Citadel targeting France, sample courtesy of kafeine.
https://zeustracker.abuse.ch/monitor.ph ... kguides.su
https://www.virustotal.com/en/file/e188 ... 412584484/
Code: Select all
#*banquepostale.com/*
#*banquepostale.fr/*
#*caisse-epargne.fr/*
#*bnpparibas.net/*
#*societegenerale.fr/*
#*credit-agricole.fr/
#*lcl.fr/*
#*axabanque.fr/*
#*groupama.fr/*
#*banquepopulaire.fr*
decoded and stuff in attachement as usual.
Attachments
infected
(202.84 KiB) Downloaded 105 times
 #26519  by tildedennis
 Fri Aug 14, 2015 7:20 pm
last month, i started seeing (new to me) citadel samples with the following details. the configs can be decrypted and parsed like citadel 3.1.0.0, but at this point i don't know what other differences there are (if any).

version: 1.0
bot names: 2015, apple, ATM, DM5, DM6, max, stains, usca
login keys: 258C804A6C32A4EE66E786A111B32901, A9B0A3F1522313D46F7A3D00A5F3C5FE, D8F3A28A92E53179A3EC2100B314A5CB
compilation dates (for what they're worth): 2014-12-18 14:51:49 -> 2015-07-17 19:39:59
couple of config urls:
Code: Select all
hXXp://ablackjob3.ru/max/file.php|file=max.xml
hXXp://adwords-shoping.ru/adwords/file.php|file=td.dll
hXXp://buseneujob2.ru/usca/file.php|file=usca.xml
hXXp://lucoilosa2.ru/usca/file.php|file=usca.xml
hXXps://anormalnoejavlenieprimer.net/bmbmbm/file.php|file=ati.xml
---

version: 1.1
bot names: black3, DM5, mac, root, usca
login keys: 258C804A6C32A4EE66E786A111B32901, D8F3A28A92E53179A3EC2100B314A5CB
compilation dates (for what they're worth): 2015-05-09 19:48:01 -> 2015-07-29 17:25:51
couple of config urls:
Code: Select all
hXXp://genmjob3.ru/black3/file.php|file=black3.xml
hXXp://genmjob3.ru/mac/file.php|file=mac.xml
hXXp://lucoilosa.ru/usca/file.php|file=usca.xml
hXXp://somethinfresh.ru/file.php|file=td.dll
samples and configs for the latest compile times are attached.
Attachments
(771.87 KiB) Downloaded 107 times
 #27386  by Xylitol
 Thu Dec 10, 2015 3:20 pm
Signed AutoIt Citadel https://www.virustotal.com/en/file/c294 ... /analysis/
Thanks to siri for the heads up.
Code: Select all
Key: 34 99 69 16 D4 BA 8B 06 D8 B6 EB 8E 72 E1 1B 71
login key: C1F20D2340B519056A7D89B7DF4B0FFF
1.3.5.1 version targeting France, non-exclusive list:
!https://smetrics.sfr.fr*
!https://adsl.free.fr*
!https://extranet.sfrbusinessteam.fr*
#*.societegenerale.fr/*
#*.bnpparibas.net/*
#*cic.fr/*
#*edi05.cedricom.fr/*
#*.credit-agricole.fr/*
#*entreprises.ca-languedoc.fr/*
#*creditmutuel.fr/*
#*labanquepostale.fr/*
#*.lcl.fr/*
#*hsbc.fr/*
#*edibanque.com.fr/*
#*.banquepopulaire.fr/*
#*banque-courtois.fr/*
#*credit-du-nord.fr/*
#*fortuneo.fr/*
#*cmb.fr/*
#*cmmc.fr/*
#*bpe.fr/*
#*cofinoga.fr/*
#*hellobank.fr/*
#*arkeabanqueprivee.fr/*
#*axabanque.fr/*
#*bemix.fr/*
#*banque-accord.fr/*
#*.caisse-epargne.fr/*
There is also a mitb for LBP (la banque postale) but the C2 seem offline...

Edit: https://www.virustotal.com/en/file/5bd4 ... 459494348/
same guy ? http://vxvault.net/ViriFiche.php?ID=29587
http://vxvault.net/ViriFiche.php?ID=29580
And https://virustotal.com/en/file/15e17a41 ... /analysis/ (from agemiel.com/4.exe)

Domains in relation:
https://www.virustotal.com/en/domain/be ... formation/
https://www.virustotal.com/en/domain/ww ... formation/
https://www.virustotal.com/en/domain/kr ... formation/
Attachments
infected
(1.04 MiB) Downloaded 111 times
  • 1
  • 16
  • 17
  • 18
  • 19
  • 20