Dreambot Targeting Bulgarian Users

{
    'DLL_32': {
        'SHA256': '7aad125104371d27240353764d032e5d8b9b4921fb4975595a9c42d9b53371ab',
        'CRC_64BITDOWNLOAD': 'thenotwithsoldsuequiv.ru/pav/64.bin file://c:\\test\\tor64.dll',
        'CRC_TORSERVER': 's2mf5op7sjtonnkv.onion',
        'CRC_CONFIGTIMEOUT': '300',
        'CRC_TASKTIMEOUT': '300',
        'CRC_SERVER': '12',
        'CRC_BCTIMEOUT': '100',
        'CRC_BOOTSTRAP': '148.163.112.203',
        'CRC_HOSTS': 'pornolab.net',
        'CONF_TIMEOUT': '300',
        'MD5': '0317f93d837e8c4d1767fae2d7d3ec7d',
        'CRC_KNOCKERTIMEOUT': '150',
        'CRC_DGA_SEED_URL': 'www.gnu.org/licenses/gpl.txt',
        'IMPHASH': 'bf5bf0f0e000cd5829846fb1d7399e06',
        'CRC_DGATLDS': 'ru',
        'CRC_EXTERNALIP': 'curlmyip.net',
        'CRC_SENDTIMEOUT': '300',
        'CRC_SERVERKEY': 'V86iYRDA2FSEqWzL',
        'CRC_CONFIGFAILTIMEOUT': '300',
        'CRC_32BITDOWNLOAD': 'thenotwithsoldsuequiv.ru/pav/32.bin file://c:\\test\\test32.dll',
        'PUB_KEY': '00080000e54cb3604bdda7e4189c0704647ebc04488605fd9dc5a8f55820da04563a3100b06ffa03dba8dfb265fc238a4e41479f378c76dbce9518d8f9c52ab148142abf9c127747f843d9a07a10484323d51e4a68349b250b1be2fd8ca48ca0327c07f39b7a77990e44800fc88c5621cf9f9ebcc7d00d245d089b66b11cb8cc3908710f4b6b636543753c19a865d8f7046e03e580883fa1ea0bbc21194e8b2b0ae78fc435e7591e1121ac2d2276a696fa0bb029e1b160099d31eaffc17d24888733b1df5854b59eb9932d94b35f0ca428b858ec6fa34b30ea07f779c81e7e8f2850937734e686e9c8f0cdc077c5862afe46862f43f43f7fbb64562ef34de8a260cf5a7900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001',
        'CRC_GROUP': '2027'
    }
}

Username

sysopfb

Posts

97

Joined

Thu Oct 23, 2014 1:22 am

Contact

Dreambot Targeting Bulgarian Users

#30863 by explo1t
Fri Sep 29, 2017 12:49 pm

Dreambot targeting Bulgarian users.

Infection chain: ZIP -> JS -> encrypted download of Dreambot

http://www.pwncode.club/2017/09/dreambo ... users.html

Interesting details of JavaScript deobfuscation in above article.

Username

explo1t

Posts

3

Joined

Sat Sep 23, 2017 4:10 am

Re: Dreambot Targeting Bulgarian Users

#30864 by Xylitol
Sat Sep 30, 2017 9:32 am

dreambot from article
https://www.virustotal.com/en/file/79e8 ... 506763983/

Attachments

37fb9dd68c86deeb44b672a84a8e25bf.zip

infected
(478.05 KiB) Downloaded 31 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Dreambot Targeting Bulgarian Users

#30873 by Antelox
Sun Oct 01, 2017 11:39 am

Additional metadata:

C2s:

Code: Select all

hxxp://becomesopposingdesign.ru
hxxp://cxzko43pnr7ujnte.onion
hxxp://deccitizenstwihas.ru
hxxp://fallthatalterthese.ru
hxxp://fhiscircumstatesfron.ru
hxxp://fpetitionedtkept.ru
hxxp://landstyrannywsh.ru
hxxp://osupportthetransporting.ru
hxxp://overhistoryadminis.ru
hxxp://takenguardsnewharthe.ru
hxxp://usurpothwholesomesuch.ru

Code: Select all

version: 216951
server id: 12
group id: 1029
serpent key: Dfei8OoQ0xhjTyql

BR,

Antelox

@Antelox

Username

Antelox

Posts

298

Joined

Sun Mar 21, 2010 10:38 pm

Contact