[tim]

anyone with live samples

[robemtnez]

Here you go, from today's run. Botnet 220.

[sysopfb]

http://www.justice.gov/opa/pr/bugat-bot ... e-disabled

Andrey Ghinkul, aka Andrei Ghincul and Smilex, 30, of Moldova, was charged in a nine-count indictment unsealed today in the Western District of Pennsylvania with criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud. Ghinkul was arrested on Aug. 28, 2015 in Cyprus. The United States is seeking his extradition.

[malwarelabs]

Ghinkul was arrested on Aug. 28, 2015 in Cyprus.

Sample received yesterday

[sysopfb]

Well I doubt Smilex was the mastermind behind dridex heh, life goes on.

[Blaze]

Agreed @sysopfb. I doubt it'll be dead, but at least it's something. Some more reports on it:

http://www.forbes.com/sites/thomasbrews ... mail-fail/
http://www.secureworks.com/cyber-threat ... operation/
https://www.fox-it.com/en/press-release ... aises-fox/
https://www.europol.europa.eu/content/n ... nforcement

[malwarelabs]

I don't know if it's something known or not but on each payload link you can find a readme file and some statistics about download rate.
For exemple:
hXXp://178.62.7.183:8080/uniq/load.php (hXXp://178.62.7.183:8080/uniq/file/crypted120med.exe ) -> https://www.virustotal.com/en/file/2d10 ... /analysis/
hXXp://178.62.7.183:8080/uniq/readme:

Code: Select all

--------- Описание ---------
Скрипт для выдачи файла и фиксации уников в мускуле (уникальность сверяется по ипам). Файл располагается в папке "file", под любым именем, с расширением exe, но только в единственном экземпляре.
load.php - скрипт для захода, активирующий счетчик и выдающий файл.
stat.php - стата.
install.php - установщик таблицы в мускул.
--------- Установка ---------
Данные доступа к БД MySQL настраиваются в lib/DBConfig.php. Затем с браузера переходим на install.php и, если все нормально, нас сразу кидает на стату.
--------- Логирование ошибок ---------
В папку "logs" пишутся ошибки php-скриптов и проблемы с выдачей файла.
Ошибки выводятся выводятся прямо в браузер везде, кроме как на load.php (юзеру совсем необязательно знать, что у нас мускул отвалился; к тому же иначе корректно не выдастся файл).
--------------

Code: Select all

--------- Description ---------
Script for serving files and storing unique ones in MySQL(uniqueness is defined by IPs). The file is located in the folder called 'file'. It has to be the only file in the folder. The filename can by anything, but the extension has to be 'exe'.
load.php - is entering script that activates the counter and serves the file.
stat.php - is statistics page.
install.php - creates tables in MySQL
--------- Installation ---------
Login details for MySQL database are set in lib/DBConfig.php. Next, using the browser to open install.php. If everything went well, you'll be redirected to statisctics page.
--------- Error Logging ---------
PHP script errors and issues with serving the files are recorded in 'logs' folder.
The errors are dispalyed in the browser for every page, except 'load.php'(users don't have to know MySQL went down; and also it will not serve the file)
--------------

hXXp://178.62.7.183:8080/uniq/stat.php

[grum]

this is Xbagging .doc macro exploit service, not new

[stimark]

Dridex (Botnet 120)

https://www.virustotal.com/en/file/a6c7 ... /analysis/

MD5: 0da24bd7b49a955d8e4624371ccb8e9f
SHA1: 649334478327ebb7049361ec215179ebf6a516c5
SHA256: a6c7988521ee47168aa241695ddcfee588c38aa0ab86152934306517dae1af5b

[Xylitol]

Signed sample, 0/56 - VxVault