[Ludvig]

Target on russian dbo

https://virustotal.com/ru/file/6cdff1af ... /analysis/
https://virustotal.com/ru/file/8cd25454 ... 465199488/

[EP_X0FF]

VT links posting are great, now attach the actual files or your post makes absolutely no sense.

[Ludvig]

VT links posting are great, now attach the actual files or your post makes absolutely no sense.

[patriq]

same samples, comment post by Dimarik on VT, re: Bolik, Dr. Web

http://forum.drweb.com/index.php?showtopic=324942
http://news.drweb.ru/show/?i=9999&lng=ru&c=5

started reversing, its does appear to read itself and...well.. there are AutoHotKey macros involved. :roll: would like to check out the file infector function, but im ok.

C&C
91.215.154.155

[tildedennis]

Couple more blogs on this one:

- http://www.cert.pl/news/11379/langswitch_lang/en
- http://phishme.com/bolek-leaked-carberp ... campaigns/

Attached the config for 91.215.154.155:

- .raw_config file is the decrypted JSON object returned from the C2. The Data keys are base64 and either contain binary data or another JSON object
- .config file is a lightly parsed version showing the inner JSONs

Comak (or anyone) know why the name "Bolek" ?

[comak]

Comak (or anyone) know why the name "Bolek" ?

I think because the guy who named is lacking imagination... ;]
bolek is a shorter form of a common name "Bolesław" in .pl.

btw, thanks for cfgs, you got them from cnc? or rip them from memory?

[xors]

One more article

https://www.arbornetworks.com/blog/aser ... ek-trojan/

[robemtnez]

Another sample I found yesterday.

Posts to androidlom[.]xyz