12-6-2017: #Atmos banking #Trojan -> Spam "Purchase order"

1. _____________________ ________ _________ __________ _____ _______ ____ __._____________________
2. / _ \__ ___/ \ \_____ \ / _____/ \______ \ / _ \ \ \ | |/ _|\_ _____/\______ \
3. / /_\ \| | / \ / \ / | \ \_____ \ | | _/ / /_\ \ / | \| < | __)_ | _/
4. / | \ |/ Y \/ | \/ \ | | \/ | \/ | \ | \ | \ | | \
5. \____|__ /____|\____|__ /\_______ /_______ / |______ /\____|__ /\____|__ /____|__ \/_______ / |____|_ /
6. \/ \/ \/ \/ \/ \/ \/ \/ \/ \/
7. ATMOS BANKING TROJAN:
8.  
9. GATE = ["hxxp://cbiraqi[.]com/smoke/atmos/gate[.]php"]
10. BOT = ["hxxp://cbiraqi[.]com/smoke/atmos/file.php|file=us[.]exe"]
11.  
12. MODULES": { "hvnc_module, atmos_hvnc.module, cookie_module. atmos_ffcookie.module, video_module, atmos_video.module";}
13.  
14. "URL_REGEX_LIST": {
15. *.facebook.com
16. *.twitter.com
17. *.instagram.com
18. *.booking.com
19. *.sharepoint.com
20. *.yahoo.com
21. login.yahoo.com
22. *.google.com
23. accounts.google.com
24. 192.168.*.*
25. 127.0.0.1
26. */wp-login.php*
27. *.ru
28. *.ua
29. *.kz
30. *.il
31. *.li
32. *.bg
33. *.by
34. *.az
35. *.am
36. *.kg
37. *.md
38. *.tj––
39. *.tm
40. *.uz
41. *.xn--p1ai
42. ";}
43.  
44. "ZEUS-STYLE_CMD": {
45. "–%BOTID%
46. %BOTNET%
47. %BC-*-*-*-*%
48. %VIDEO%
49. Psystem
50. registry
51. setvalue
52. getvalue
53. hvnc_stop
54. hvnc_start
55. video_start
56. bc_remove
57. bc_add
58. ";}
59.  
60. "CONFIG": {
61. "dir %windir%\system32\inetsrv\*.xml
62. ipconfig /all
63. osql -L
64. osql -E -Q "exec sp_databases"
65. tasklist
66. "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s
67. netsh firewall set opmode disable
68. net share
69. c:\windows\system32\inetsrv
70. ppcmd.exe list sites /text:name /state:started
71. $t;*
72. ;*.exe;*.png;*.bmp;*.lnk;*.wer;*.css;*.js;*.wpl;*.mp3;*.avi;*.mkv;*.wav;*.usca;*.ini;*.dll;*.url;*.menu;*.hfx;*.map;*.lng;*.ico;*.icon;*.aml;*.swf;*.man;*.inf;*.cab;*.flv;*.cat;*.lcp;*.scr;*.xml;*.sys;*.cn_;*.dl_;*.jpeg;*.psd;*.ch_;*.ex_;*.wma;*.m4a;*.tiff;*.mp4;*.msi;*.cov;*.gzi;*.cbr;*.wmv;*.ogg;*.h
73. $t*.
74. *swift*;*manufactur*;*atm*;*.aba;*.p12;*bitcoin*;*.qfx;*.ofx;*.qif;*westernunion*;*moneygram*;*translink*;*.pcf;*DWAF*;*vasco*;*RBAnet*;*diebold*;*wincor*;*.pab;*.MYO;*wupos*;*threatmetrix*;*apca*;*.apk;multibit.wallet;*nixdorf*;*aptra*;*.wallet;*litecoin*
75. *.log;*.jpg;*.gif;*.bat;*.exe;*.png;*.bmp;*.lnk;*.wer;*.css;*.js;*.wpl;*.mp3;*.avi;*.mkv;*.wav;*.usca;*.ini;*.dll;*.url;*.menu;*.hfx;*.map;*.lng;*.ico;*.icon;*.aml;*.swf;*.man;*.inf;*.cab;*.flv;*.cat;*.lcp;*.scr;*.xml;*.sys;*.cn_;*.dl_;*.jpeg;*.psd;*.ch_;*.ex_;*.wma;*.m4a;*.tiff;*.mp4;*.msi;*.cov;*.gzi;*.cbr;*.wmv;*.ogg;*.html;*.htm;*Swift_Current*;*.gm;*.epub;*.mov;*.gp5;*.gp3;*bluetooth*;*.torrent;*.class;*.mpg;*.cpp;*.h;*.py;*.pm;*.patch;*.hex;*.col;*book*;*.sol;*Clearwtr.MYO*;*BusinessInABox*;*.rpt;*iswift.dat*;*Taylor Swift*;*.flac;
76. %wd%;%td%;%sd1%;%sd2%;%pd1%;%pd2%;%ad%;*AppData*;*Local Settings*;*Application Data*;*Temp*;*Cookies*;*Recycle*;*torrent*;*drivers*;*help*;*movies*;*music*;*cache*;*adobe*;*I386*;*Windows*;*images*;*photo*;*game*;*google*;*ATI*;*acer*;*NVIDIA*;*University*;*sony*;*apple*;*Hewlett*;*cyberlink*;*dvd*;*poker*;*toshiba*;*autocad*;*starcraft*;*spybot*;*Semester*;*school*;*audio*;*maps*;*smitfraud*;*video*;*guitar*;*sound*;*warcraft*;*cygwin*;*Graphics*;*Pinnacle*;*yahoo*;*autodesk*;*android*;*nokia*;*example*;*theme*;*winamp*;*academy*;*demo*;*jre6*;*Windows.old*;*recycle*;*student*;*style*;*Tutorial*;*Spredsht*;*steam*;*samsung*;*java*;*tools*;*Libraries*;*cstrike*;*study*;*book*;*roms*;*Wireless*;*WildTangent*;*UNIVERSITY*
77. v{"usblist":[],"infected":[],"activated":false,"inittime":REDACTED}
78. Myob.exe;translink.exe
79. Myob.exe;translink.exe
80. account,bank,balance,transfer
81. ";}
82.  
83. "ANTI-VIRUS": {
84. "Rapport
85. SafenSoft
86. SysWatch
87. McAfee
88. McAfee
89. Symantec
90. Symantec
91. Norton
92. Kaspersky
93. avast!
94. ESET
95. Microsoft
96. ";}