[Xylitol]

I don't have the raw decode since i've not decoded it.
edit: i asked a little birdy, it's attached.

I've found these domains in relation:
raphclickable.com/foh/file.php
onepagegrinsd.com/foh/file.php
unstandardclo.net/foh/file.php
measuredtrick.com/foh/file.php
opportunitiess.su/foh/file.php
upanddownrein.com/foh/file.php
Possibly also in relation:
omituniversit.com/adu/file.php
zopapublishedn.su/adu/file.php
eagencygraphp.net/adu/file.php
demandmeticul.net/adu/file.php
dollarsremons.com/adu/file.php
onestopinstru.net/adu/file.php
--
http://www.spamhaus.org/sbl/query/SBL193024
ewsoulelysejh.com/wel/file.php

And malwr seem to know a dropper: https://malwr.com/analysis/OTNkZTMyMTVm ... MxYzM0YWI/
behavioral analysis is interesting: 86734234434.exe -> fnmod_32.exe i've already see this user_execute on ZeusVM (36CE0A33.zip unpacked payload)
S21 guys observed an involution of the 3.1.0.0, maybe because actors switched on ZeusVM :?:
one ZeusVM use the same ASN of a Citadel 3.1.0.0: http://www.urlquery.net/report.php?id=7654694 and guess what, it's the one who download fnmod_32.exe

Some others 3.1.0.0 in attachement.
https://www.virustotal.com/en/file/3202 ... 394564044/
https://www.virustotal.com/en/file/b71b ... 394564049/
https://www.virustotal.com/en/file/f45b ... 394564053/

[comak]

thanks,

full decoded cfg attached, with patterns to webinjects and what else ;]

[Xylitol]

Hey, thanks comak :)
In attachement a Citadel 1.2.0.0 and a 3.1.0.0 sample, i got these from S21sec (thanks guys)

[g0r_]

Apart from dumping memory and using a hex editor, is there an easy way to decrypt these configs? Are there any (semi) public tools that can be used if you have the config keys for a sample?
With the volume of samples we're seeing, it's becoming hard to keep up. I'd like to be able to use something maybe python based to decrypt the config to save time instead of spinning up VM's and checking memory, etc. Any help/pointers appreciated.

[reverser]

Apart from dumping memory and using a hex editor, is there an easy way to decrypt these configs? Are there any (semi) public tools that can be used if you have the config keys for a sample?
With the volume of samples we're seeing, it's becoming hard to keep up. I'd like to be able to use something maybe python based to decrypt the config to save time instead of spinning up VM's and checking memory, etc. Any help/pointers appreciated.

Try contacting JPCERT/CC, it seems they have a tool: http://blog.jpcert.or.jp/2014/03/jpcert ... -ac8c.html

[rkhunter]

http://community.websense.com/blogs/sec ... t-iii.aspx

[Xylitol]

Slight panel modification integrating secpassword stored in SQL db instead of PHP like in Zeus Evolution, otherwise sample is a 1.3.5.1 bot not interesting. (generic wells fargo config)

[syntax="sql"]INSERT INTO `cp_users` (`id`, `name`, `pass`, `secpass`, `language`, `flag_enabled`, `comment`, `ss_format`, `ss_quality`, `r_edit_bots`, `r_stats_main`, `r_stats_main_reset`, `r_stats_os`, `r_botnet_bots`, `r_botnet_webinjects_admin`, `r_botnet_webinjects_coder`, `r_botnet_scripts`, `r_botnet_scripts_edit`, `r_reports_db`, `r_reports_db_edit`, `r_reports_files`, `r_reports_files_edit`, `r_reports_jn`, `r_reports_db_cmd`, `r_svc_notes`, `r_svc_crypter_crypt`, `r_svc_crypter_pay`, `r_system_info`, `r_system_options`, `r_system_user`, `r_system_users`) VALUES
(1, 'admin', '472a84ce7f8d3ee6b25253204092e262', '472a84ce7f8d3ee6b25253204092e262', 'en', 1, 'Default user', 'jpeg', 30, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1);
[/syntax]

Code: Select all

{
    "_id" : ObjectId("53748884a47c204d73f1c32b"),
    "zbotscan" : {
        "zbotscan" : {
            "data" : {
                "injected_process" : {
                    "xor_key" : "0",
                    "executable" : "Ybhoy\\ynfy.exe",
                    "comm_rc4_key_plaintext" : "2ace2cb9dfca415a89b669211257fbaf7f94388de1610fdd82fc04b4e5dd739a1690f02b424ada544cc937754868d066bd1191e07c4ba6db56856e911a3cf8040027584fa50725281cafe695d46cad8a21ac72b5fe4e0c6c440f66052c5a10e8c0253fec783ba2c06f2397fb6b7639e2b5ba816760c68dfc17a1b83cef1b57abcf756a883336ed7f139c5351d5e407f714f2d445f6fdfdc9a27ee1563ea800cf7b10ac69d3392a97311530dc63e2a8309f71d176921ea50ba741c04151a69bbb193288d320e9cdcd0a53869b2d8163b3c249b4081df7058601bf84390e3471d8708d20efbb405fc36de89efd46457a01f4eb56a0ccc5559cb88a95eec4d0bc5e",
                    "aes_key" : "63E7D8908429A95CD2542F26A99E7E78",
                    "config_rc4_keystream_plaintext" : "c78bb50e2c64713af82487dd354983231229e0ef79baf6473214721d5a68e44a5907db4e46d274bb6b09fb0f94627fd8e3b7cbf684ee5b419f63d1602fb81b27034ee9c09da5a51905765868741fa4beb0c0aadee02a0ceb8fa762c84067a2e660cd09751a95ac356ee1cf94f6e5065fea912ad1013e8ff7f0caea51e6c9bf85b387f2b6a1ae7954902050118ad01728bd54ae328c9655cd976c14fe10a3751b728632ff71ad1e840656d04d00c3df82f7c892ce2bc2faed0a3b37b4c47f33040bced66347704a17f965a08afb13a3e95fa0fd209c36866b4dddd39a413477d6437e217a2e2d314c9e575d9b3c6d3b255c9bddb38193005728184cb8efafc9dc",
                    "malware_zbot" : "CITADEL",
                    "process_name" : "explorer.exe",
                    "mutant_key" : "1835366737",
                    "computer_identifier" : "COMPUTER_1_7875768F1E829C61",
                    "aes_xor_key" : "FCA4C13246F5C8ABD0C5CFDC7350AB42",
                    "process_id" : 1500,
                    "process_address" : "34865152",
                    "login_key" : "C1F20D2340B519056A7D89B7DF4B0FFF",
                    "urls" : [ 
                        "http://54.208.246.4/webalizer/opt/ningga.php|file=config.dll", 
                        "http://54.208.246.4/webalizer/opt/ningga.php|file=config.dll"
                    ],
                    "zbot_version" : " 1.3.5.1",
                    "registry" : "{'Value3': 'Kuyfce', 'key_path': 'HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Qinuy', 'Value1': 'Ceqou', 'Value2': 'Enukak'}"
                }
            },
            "config" : {}
        }
    }
}

http://vxvault.siri-urz.net/ViriFiche.php?ID=26458
https://zeustracker.abuse.ch/monitor.ph ... .208.246.4

[Xylitol]

retrieved this old sample on my hdd, Citadel targeting France, sample courtesy of kafeine.
https://zeustracker.abuse.ch/monitor.ph ... kguides.su
https://www.virustotal.com/en/file/e188 ... 412584484/

Code: Select all

#*banquepostale.com/*
#*banquepostale.fr/*
#*caisse-epargne.fr/*
#*bnpparibas.net/*
#*societegenerale.fr/*
#*credit-agricole.fr/
#*lcl.fr/*
#*axabanque.fr/*
#*groupama.fr/*
#*banquepopulaire.fr*

decoded and stuff in attachement as usual.

[tildedennis]

last month, i started seeing (new to me) citadel samples with the following details. the configs can be decrypted and parsed like citadel 3.1.0.0, but at this point i don't know what other differences there are (if any).

version: 1.0
bot names: 2015, apple, ATM, DM5, DM6, max, stains, usca
login keys: 258C804A6C32A4EE66E786A111B32901, A9B0A3F1522313D46F7A3D00A5F3C5FE, D8F3A28A92E53179A3EC2100B314A5CB
compilation dates (for what they're worth): 2014-12-18 14:51:49 -> 2015-07-17 19:39:59
couple of config urls:

Code: Select all

hXXp://ablackjob3.ru/max/file.php|file=max.xml
hXXp://adwords-shoping.ru/adwords/file.php|file=td.dll
hXXp://buseneujob2.ru/usca/file.php|file=usca.xml
hXXp://lucoilosa2.ru/usca/file.php|file=usca.xml
hXXps://anormalnoejavlenieprimer.net/bmbmbm/file.php|file=ati.xml

---

version: 1.1
bot names: black3, DM5, mac, root, usca
login keys: 258C804A6C32A4EE66E786A111B32901, D8F3A28A92E53179A3EC2100B314A5CB
compilation dates (for what they're worth): 2015-05-09 19:48:01 -> 2015-07-29 17:25:51
couple of config urls:

Code: Select all

hXXp://genmjob3.ru/black3/file.php|file=black3.xml
hXXp://genmjob3.ru/mac/file.php|file=mac.xml
hXXp://lucoilosa.ru/usca/file.php|file=usca.xml
hXXp://somethinfresh.ru/file.php|file=td.dll

samples and configs for the latest compile times are attached.

[Xylitol]

Signed AutoIt Citadel https://www.virustotal.com/en/file/c294 ... /analysis/
Thanks to siri for the heads up.

Code: Select all

Key: 34 99 69 16 D4 BA 8B 06 D8 B6 EB 8E 72 E1 1B 71
login key: C1F20D2340B519056A7D89B7DF4B0FFF

1.3.5.1 version targeting France, non-exclusive list:

!https://smetrics.sfr.fr*
!https://adsl.free.fr*
!https://extranet.sfrbusinessteam.fr*
#*.societegenerale.fr/*
#*.bnpparibas.net/*
#*cic.fr/*
#*edi05.cedricom.fr/*
#*.credit-agricole.fr/*
#*entreprises.ca-languedoc.fr/*
#*creditmutuel.fr/*
#*labanquepostale.fr/*
#*.lcl.fr/*
#*hsbc.fr/*
#*edibanque.com.fr/*
#*.banquepopulaire.fr/*
#*banque-courtois.fr/*
#*credit-du-nord.fr/*
#*fortuneo.fr/*
#*cmb.fr/*
#*cmmc.fr/*
#*bpe.fr/*
#*cofinoga.fr/*
#*hellobank.fr/*
#*arkeabanqueprivee.fr/*
#*axabanque.fr/*
#*bemix.fr/*
#*banque-accord.fr/*
#*.caisse-epargne.fr/*

There is also a mitb for LBP (la banque postale) but the C2 seem offline...

Edit: https://www.virustotal.com/en/file/5bd4 ... 459494348/
same guy ? http://vxvault.net/ViriFiche.php?ID=29587
http://vxvault.net/ViriFiche.php?ID=29580
And https://virustotal.com/en/file/15e17a41 ... /analysis/ (from agemiel.com/4.exe)

Domains in relation:
https://www.virustotal.com/en/domain/be ... formation/
https://www.virustotal.com/en/domain/ww ... formation/
https://www.virustotal.com/en/domain/kr ... formation/