Does anyone know how to decrypt an encrypted EpicBot password?

ImSoPro

Heya guys,

I have a few people on my RAT who use EpicBot and of course, EpicBot stores their encrypted passwords in the Roaming folder (C:\Users\USERNAME\Appdata\Roaming).

Take a look at this example: 94a200a24a178a-31a212a6a-47a92a23a-27a120a32a-109a-64a-2

I hope any of you guys could help me out.
 
Ask @slack3r, he gave me a link to a pretty good site for cracking hashes and salts and all that good stuff.
 
I never tried myself, but I was thinking that you could copy his file and put it in your folder, and then log in by doing that.
 
Strength said:
Thanks, found 30m from the dump.

How did you do it?

I can't find a way to solve it!
 
ImSoPro said:
Strength said:
Thanks, found 30m from the dump.

How did you do it?

I can't find a way to solve it!

Lol pretty sure he's trolling you. Even though he decrypted it he doesn't have the login username/email (unless you dumped something else in the forum).
 
Daniel said:
ImSoPro said:
Strength said:
Thanks, found 30m from the dump.

How did you do it?

I can't find a way to solve it!

Lol pretty sure he's trolling you. Even though he decrypted it he doesn't have the login username/email (unless you dumped something else in the forum).

Mhm, could be. I am still looking for answers, guys...
 
Aceo said:
crypter.co.uk or sumtin?

Site doesn't exist, lol. I've sent a PM to Slack3r, maybe he can help me out.

Anyone who can help me will be awarded with the hacked profit.
 
Since the software will need to be able to get the password back from that, it's not a hash of any kind. The sites listed above won't help. A good resource I use for determining hash types is this: http://www.insidepro.com/hashes.php

I did a bit of searching and I can't find any solid information on the precise encryption it uses. It's either SHA-1 or DES, possibly using the MAC address as a key. I've also heard the decryption might be done server side now, but there's a lot of different things being said.

If it's written in Java (.jar file) then I can try and decompile the source and see what's going on. It might be obfuscated though, so no guarantees there.
 
Crin said:
Since the software will need to be able to get the password back from that, it's not a hash of any kind. The sites listed above won't help. A good resource I use for determining hash types is this: http://www.insidepro.com/hashes.php

I did a bit of searching and I can't find any solid information on the precise encryption it uses. It's either SHA-1 or DES, possibly using the MAC address as a key. I've also heard the decryption might be done server side now, but there's a lot of different things being said.

If it's written in Java (.jar file) then I can try and decompile the source and see what's going on. It might be obfuscated though, so no guarantees there.

The saved usernames/passwords/PINs are not in a .jar file, but an .ini file. Do you want the .ini file?

Anyway, EpicBot itself is a .jar.
 
ImSoPro said:
Crin said:
Since the software will need to be able to get the password back from that, it's not a hash of any kind. The sites listed above won't help. A good resource I use for determining hash types is this: http://www.insidepro.com/hashes.php

I did a bit of searching and I can't find any solid information on the precise encryption it uses. It's either SHA-1 or DES, possibly using the MAC address as a key. I've also heard the decryption might be done server side now, but there's a lot of different things being said.

If it's written in Java (.jar file) then I can try and decompile the source and see what's going on. It might be obfuscated though, so no guarantees there.

The saved usernames/passwords/PINs are not in a .jar file, but an .ini file. Do you want the .ini file?

Anyway, EpicBot itself is a .jar.

.exe wrapping a .jar
 
If you want to have anywhere near a chance of cracking it you NEED the victim's HWID. EpicBot and PB use it as a key for the encryption. I've told you this like 50 times now dammit.
 
I have their HWID and I have access to their computers.
 
ImSoPro said:
I have their HWID and I have access to their computers.

Now you get to do a lot of trial and error.
 
Their source is obfuscated using Allatori (http://www.allatori.com/) so I can't see the decryption/encryption method.

All I can tell you is it's hardware-based. It could use one or more of many hardware-based identifiers as there's no standardised HWID algorithm. It could also use the PC name, current username, etc. as part of the key.

If I get time I'll look into it further tomorrow. :)
 
ISP, why don't you just wait till they log in, and take the keylogger? :)
 
Crin said:
Their source is obfuscated using Allatori (http://www.allatori.com/) so I can't see the decryption/encryption method.

All I can tell you is it's hardware-based. It could use one or more of many hardware-based identifiers as there's no standardised HWID algorithm. It could also use the PC name, current username, etc. as part of the key.

If I get time I'll look into it further tomorrow. :)

Thanks for the heads-up, I already knew that the encryption was HWID-based. I hope you could investigate further though, I have no idea how to decrypt it, even though I do have their HWID, MAC address, etc.

Thanks again. =)

Haywire said:
ISP, why don't you just wait till they log in, and take the keylogger? :)

They don't, they use the bot to log in, so the keylogger doesn't register the strokes. I have managed to get their e-mail and recover it. :)

But, knowing how to decrypt (and how it works) is even better.
 