Citadel 0.0.1.1 (Atmos)

Includes the following features:

- Formgebung/Injections for Firefox/IE (latest version)
- Automatic balances grabber https:// links (multi currency)
- Updated grabber CC algorithm LUHN10
- Updated videologger http/https links with the VP9 codec in .mkv format and flexible settings.
- New VNC technology, full compatible with Win7/8.1/10(IE,Chrome,FF)
- Backconnect Socks & Command Line(+PowerShell)
- Case-Sensitive Keylogger processes
- Instant loading of web injections through the admin panel
- Local WebProxySrv: equivalent to a web server, write/read data in the local storage, and creating backconnect connection/video at any time, directly from the injections. Execution of your scripts on any website
- Support to inject code into Zeus format+UTF8
- Block/redirect by URL-masks
- Videologger applications
- Integrated port scanner
- Search files by mask (Bitcoin-grabber, exception rules)
- Full set of legacy web features: FTP Iframer, Mailer, Note, Crypts interface, Notes
- Powerful analyzer of behavioral factors, statistics for URL am
- Support to configuration via https://

- Automatic file check using scan4you service
- Screenshots
- Built-in Online Player video files
- Jabber notification according to numerous parameters
Interface to encryption exe.
- GeoIP
- Statistics gathering: set software, browser, screen resolution, version of the antivirus, firewall
- Data-Miner: convenient micro-parser logs
- Adding the additional database when working with logs
- API: VNC/CMD/SOCKS/VIDEO team

For Samples Contact : 

Skype : suriya.cyber

For More Research Details :  Citadel decrypte

Note : For educational Stuffs not to harm anyone ( only for malware researchers ) 

          Configuration  

• url_config1-10 [up to 10 links to configuration files; 1 main for your web admin panel and 9 spare ones. To save the resources, use InterGate button in the builder to place config files on different links without setting up admin panel. Spare configs will be requested if the main one is not available during first EXE launch. Don't forget to put EXE and config files in 'files/' folder]
• timer_config 4 9 [Config file refresh timer in minutes | Retry interval]
• timer_logs 3 6 [Logs upload timer in minutes | Retry in _ minutes]
• timer_stats 4 8 [New command receiving and statistics upload timer in minutes | Retry in _ minutes]
• timer_modules 4 9 [Additional configuration files receiving timer | Retry in _ minutes. Recommending to use the same setting as in timer_config]
• timer_autoupdate 8 [EXE file renewal timer in hours]
• insidevm_enable 0/1 [Enable execution in virtual machine: 1 - yes | 0 - no]
• disable_antivirus 0/1 [1 - Disable built-in 'AntiVirus' that allows to delete previous version of Zeus/Citadel/Citra after EXE lauch |  0 - leave enabled(recommended)]
• disable_httpgrabber 0/1 [1 - Disable http:// mask grabber in IE | 0 - Enable http:// mask grabber in IE]
• enable_luhn10_get 0/1 [Enable CC grabber in GET-requests http/https]
• remove_certs 0/1 [Enable certificate deletion in IE storage]
• report_software 0/1 [1 - Enable stats collection for Installed Software, Firewall version, Antivirus version | 0 - Disable]
• disable_tcpserver 0/1 [1 - Enable opening SOCKS5 port (not Backconnect!) | 0 - Disable]
• enable_luhn10_post 0/1 [Enable CC grabber in POST-requests http/https]
• disable_cookies 0/1 [1- Disable IE/FF cookies-storage upload | 0 - Enable | use_module_ffcookie - duplicates the same]
• file_webinjects "injects.txt" [File containing injects. Installed right after successful config files installation. Renewal timer is set in timer_config]
• url_webinjects "localhost/file.php" [Path to 'file.php' file. Feature of 'Web-Injects' section for remote instant inject loading]
• AdvancedConfigs [Links to backup configuration files. Works if !bot is already installed on the system! and first url_config is no longer accessible]
• entry "WebFilters" [Set of different filters for URLs: video(# character), screenshot(single @ character - screenshot sequence after a click in the active zone. double @ character '@@' - Full size screenshot), ignore (! character), POST requests logging (P character), GET request logging (G character)]
• entry HttpVipUrls [URL blacklist. By default the follwing masks are NOT written to the logs "facebook*" "*twitter*",  "*google*". Adding individual lines with these masks will enable logging for them again]
• entry "DnsFilters" [System level DNS redirect, mask example - *bankofamerica.com*=159.45.66.100. Now when going to bankofamerica.com - wellsfargo.com will be displayed. Not recommending blocking AV sites to avoid triggering pro-active defenses]
• entry "CmdList" [List of system commands after launch and uploading them to the server]
• entry "Keylogger" [List of process names for KeyLogger. Time parameter defines the time to work in hours after the process initialization]
• entry "Video" [Video recording settings | x_scale/y_scale - video resolution | fps - frame per second, 1 to 5 |  kbs - frame refresh rate, 5 to 60 | cpu 0-16 CPU loading | time - time to record in seconds | quality 0-100 - picture quality]
• entry "Videologger" - [processes "" - list of processes to trigger video recording. Possible to use masks, for example calc.exe or *calc*]
• entry "MoneyParser" [Balance grabber settings | include "account,bank,balance" - enable balance parsing if https:// page contains one of the following key words. | exclude "casino,poker,game" - do NOT perform parsing if one of the following words is found]
• entry "FileSearch" [File search by given mask. The report will be stored in 'File Hunter' folder. Keywords can be a list of files or patterns ** to for on the disk. For example, multibit.exe will search for exact match on filename.fileextension, *multibit* will report on anything found matching this pattern. | excludes_name - exclude filenames/fileextensions from search. excludes_path - exclude system directories macros, like, Windows/Program Files, etc | minimum_year - file creation/change date offset. The search task is always on. Remove all the parameters from this section to disable it.]
• entry "NetScan" [hostname "host-to-scan.com" - list of local/remote IP addresses to scan. scantype "0" - sets the IP address range, for example, scantype "0" scans a single IP in the 'hostname', scantype "1" creates a full scan of class C network 10.10.10.0-255, scantype "2" creates a full scan of class B network 10.10.0-255.0-255]
• Example 1 {hostname "10.10.0-255.0-255" addrtype "ipv4" porttype "tcp" ports "1-5000" scantype "2"}
• Example 2 {hostname "10.10.1.0-255" addrtype "ipv4" porttype "tcp" ports "1-5000" scantype "1"}]
• entry "WebMagic" [Local WebProxySrv, web server with its own storage. Allows to read and write bot parameters directly, for example, when using injects. This saves time and resources since it doesn't generate additional remote requests for different scripts that are generally detected by banks anti-tampering controls. It also allows to bypass browser checking when requesting https:// resource hosted remotely and to create backconnect connection. Full settings description is located in F.A.Q section]

Commands

• user_execute [execute given file]
• user_execute -f [execute given file, manual bot update that overwrites the current version]
• user_cookies_get [Get IE cookies]
• user_cookies_remove [Remove IE cookies]
• user_certs_get [Get .p12 certificates. Password: pass]
• user_certs_remove [Remove certificates]
• user_homepage_set [Set browser home page]
• user_flashplayer_get [Get user's .sol files]
• user_flashplayer_remove [Remove user's .sol files]
• url_open [open given URL in a browser]
• dns_filter_add [Add domain name for redirect(blocking) *bankofamerica.com* 127.0.0.1]
• dns_filter_remove [Remove domain name from redirect(blocking)]
• user_destroy [Corrupt system vital files and reboot the system. Requires elevated privileges]
• user_logoff [Logoff currently logged in user]
• os_reboot [Reboot the host]
• os_shutdown [Shutdown the host]
• bot_uninstall [Remove bot file and uninstall it]
• bot_update [Update bot configuration file. Requires to use the same the crypt. The path is set in url_config]
• bot_bc_add socks [Connect Bot > Backconnect Server > Socks5 | Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for Proxifier/Browser...]
• bot_bc_add vnc [Connect Bot > Backconnect Server > VNC Remote Display |  Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for UltraVNC client]
• bot_bc_add cmd [Connect Bot > Backconnect Server > Remote Shell | Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for telnet/putty client ]
• bot_bc_remove [Disconnect from the bot and hide connections from 'netstat' output]
• close_browsers [close all browser processes]

Pony (Win32/Fareit)

Pony Stealer leaked (advanced stealers included)

Pony botnet is notorious for banking, bitcoin stealing, and stealing other things..

The Bitcoin theft is in addition to a slew of credentials, over 700,000, that Pony pilfered from September 2013 to January including: 600,000 website login credentials 100,000 email account credentials 16,000 FTP account credentials 900 Secure Shell account credentials 800 Remote Desktop credentials - See more at: http://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463#sthash.f17KzXK0.dpuf

Pony steals more than 30 concurrency wallets, and is very good at what it does. Some of the botnet is based off the Zeus src source. I personally used this botnet for a year and moved on to more updated malware, but at the time that I used it, it worked fantastically. Most of the panel is in russian, along with the builder, but we were able to translate the russian in the builder.

version : 1.9 , 2.0 ( updated password modules )

 for more details u can contact me @ 

Skype: suriya.cyber