A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28724  by EP_X0FF
 Mon Jun 20, 2016 6:56 pm
xors wrote: Found from a dropper

I think that it is Andromeda. Can anyone confirm?
You're right, sort of Andromeda: http://vms.drweb.com/virus/?_is=1&i=7974964&lng=en Maybe it's a new variant of Chtonic (Andromeda clone).
r u n a s c m d . e x e / c % s % l u
Test - OK /test yahoo.com google.com bing.com update.microsoft.com microsoft.com 80 C o n t e n t - T y p e : a p p l i c a t i o n / o c t e t - s t r e a m

C o n n e c t i o n : c l o s e P O S T C o n n e c t i o n : c l o s e K B % 0 8 l u . e x e % T E M P % \ % T M P % \ {"id":%lu,"tid":%lu,"err":%lu,"w32":%lu} \ s y s t e m 3 2 \ m s i e x e c . e x e \ S y s W O W 6 4 \ m s i e x e c . e x e M o z i l l a / 4 . 0 ntdll.dll @ Ђ @ As o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ p o l i c i e s \ s y s t e m E n a b l e L U A s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ R u n s o f t w a r e \ m i c r o s o f t \ w i n d o w s n t \ c u r r e n t v e r s i o n \ W i n d o w s s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ P o l i c i e s \ E x p l o r e r \ R u n U S E R P R O F I L E A P P D A T A A L L U S E R S P R O F I L E L o a d D:(A;;KA;;;WD) D:(A;;KRWD;;;WD) : Z o n e . I d e n t i f i e r m s % s . e x e \ % l u H i d d e n s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ e x p l o r e r \ a d v a n c e d S h o w S u p e r H i d d e n pool.ntp.org africa.pool.ntp.org oceania.pool.ntp.org asia.pool.ntp.org south-america.pool.ntp.org north-america.pool.ntp.org europe.pool.ntp.org 123 aReport aUpdate DllRegisterServer aStart \ c d o % l u . d l l T E M P T M P \ s y s t e m 3 2 \ c d o s y s . d l l \ S y s W O W 6 4 \ c d o s y s . d l l c d o % l u . d l l : % l u NtMapViewOfSection cdosys.dll software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe Debugger WinDefend MpsSvc SharedAccess wuauserv wscsvc H i d e S C A H e a l t h T a s k b a r N o N o t i f i c a t i o n s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ p o l i c i e s \ E x p l o r e r s o f t w a r e \ p o l i c i e s i s _ n o t _ v m 1 2 7 . 0 . 0 . 1 GetAddrInfoW ws2_32.dll
Please next time use password for archives. Posts moved.
 #29426  by EP_X0FF
 Sun Oct 16, 2016 7:38 am
ikolor wrote: next

https://www.virustotal.com/en/file/a542 ... 456326601/
Andromeda.
Code:
S-1-5-32-544    SeDebugPrivilege    ObtainUserAgentString   urlmon.dll  }   {"id":%lu,"bid":%lu,"os":%lu,"la":%lu,"rg":%lu,"bb":%lu Shell_TrayWnd   r u n a s   c m d . e x e   / c   % s   % l u   
 Test - OK /test   yahoo.com   google.com  bing.com    update.microsoft.com    microsoft.com   80  C o n t e n t - T y p e :   a p p l i c a t i o n / o c t e t - s t r e a m 
 
 C o n n e c t i o n :   c l o s e   P O S T     C o n n e c t i o n :   c l o s e   K B % 0 8 l u . e x e   % T E M P % \   % T M P % \     {"id":%lu,"tid":%lu,"err":%lu,"w32":%lu}    \ s y s t e m 3 2 \ m s i e x e c . e x e   \ S y s W O W 6 4 \ m s i e x e c . e x e   M o z i l l a / 4 . 0                       ntdll.dll                      @   Ђ                       @     As o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ p o l i c i e s \ s y s t e m   E n a b l e L U A   s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ R u n       s o f t w a r e \ m i c r o s o f t \ w i n d o w s   n t \ c u r r e n t v e r s i o n \ W i n d o w s         s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ P o l i c i e s \ E x p l o r e r \ R u n   U S E R P R O F I L E   A P P D A T A   A L L U S E R S P R O F I L E   L o a d         D:(A;;KA;;;WD)  D:(A;;KRWD;;;WD)    : Z o n e . I d e n t i f i e r     m s % s . e x e     \ % l u     H i d d e n     s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ e x p l o r e r \ a d v a n c e d   S h o w S u p e r H i d d e n   pool.ntp.org    africa.pool.ntp.org oceania.pool.ntp.org    asia.pool.ntp.org   south-america.pool.ntp.org  north-america.pool.ntp.org  europe.pool.ntp.org 123 aReport aUpdate DllRegisterServer   aStart  \ c d o % l u . d l l   T E M P     T M P   \ s y s t e m 3 2 \ c d o s y s . d l l     \ S y s W O W 6 4 \ c d o s y s . d l l     c d o % l u . 
d l l     : % l u     NtMapViewOfSection  cdosys.dll      software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe   Debugger    WinDefend   MpsSvc  SharedAccess    wuauserv    wscsvc  H i d e S C A H e a l t h   T a s k b a r N o N o t i f i c a t i o n       s o f t w a r e \ m i c r o s o f t \ w i n d o w s \ c u r r e n t v e r s i o n \ p o l i c i e s \ E x p l o r e r   s o f t w a r e \ p o l i c i e s   i s _ n o t _ v m   1 2 7 . 0 . 0 . 1   GetAddrInfoW    ws2_32.dll
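The dump above is a strings listing (the spaced-out entries are UTF-16LE strings). A small triage helper, added here as an example and not code from the thread or any poster, that extracts ASCII and UTF-16LE strings from a file image and scores them against markers visible in that dump (IFEO Debugger key for taskmgr.exe, EnableLUA, is_not_vm, the JSON error-report format, the service names, the NTP pool); the weights, the threshold and the sample bytes are constructed assumptions.

```python
import re

# Markers taken from the strings dump in this thread; weights are assumptions.
ANDROMEDA_MARKERS = {
    r"image file execution options\taskmgr.exe": 3,  # IFEO Debugger hijack of Task Manager
    "EnableLUA": 1,                                   # UAC policy value
    "ShowSuperHidden": 1,                             # Explorer hidden-file policy
    "is_not_vm": 2,                                   # anti-VM check marker
    r'{"id":%lu,"tid":%lu,"err":%lu,"w32":%lu}': 3,   # error-report format string
    "pool.ntp.org": 1,                                # time sync via NTP pool
    "WinDefend": 1, "MpsSvc": 1, "wuauserv": 1, "wscsvc": 1,  # services targeted
    "HideSCAHealth": 2, "TaskbarNoNotification": 2,   # notification-suppression policies
}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII and UTF-16LE strings of at least min_len chars."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.decode("ascii") for m in re.findall(ascii_re, data)]
    found += [m.decode("utf-16le") for m in re.findall(wide_re, data)]
    return found

def score_andromeda(strings: list) -> tuple:
    """Case-insensitive substring match; returns (total_weight, [(marker, weight)])."""
    lowered = [s.lower() for s in strings]
    hits = [(m, w) for m, w in ANDROMEDA_MARKERS.items()
            if any(m.lower() in s for s in lowered)]
    return sum(w for _, w in hits), hits

def is_likely_andromeda(data: bytes, threshold: int = 6) -> bool:
    """Hypothetical threshold: several independent markers must be present."""
    score, _ = score_andromeda(extract_strings(data))
    return score >= threshold

# Constructed sample image mixing ASCII and UTF-16LE strings (not a real binary).
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"software\\microsoft\\windows nt\\currentversion\\image file execution options\\taskmgr.exe\x00"
    + b"Debugger\x00WinDefend\x00MpsSvc\x00wuauserv\x00wscsvc\x00\x00"
    + "EnableLUA".encode("utf-16le") + b"\x00\x00"
    + "HideSCAHealth".encode("utf-16le") + b"\x00\x00"
    + "is_not_vm".encode("utf-16le") + b"\x00\x00"
    + b'{"id":%lu,"tid":%lu,"err":%lu,"w32":%lu}\x00'
    + b"pool.ntp.org\x00\xff\xfe\x01"
)

if __name__ == "__main__":
    total, matched = score_andromeda(extract_strings(SAMPLE))
    print(total, [m for m, _ in matched])
```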
 #31098  by Xylitol
 Wed Dec 06, 2017 2:22 am
Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda) ~ https://blogs.technet.microsoft.com/mmp ... andromeda/
Mastermind behind sophisticated, massive botnet outs himself ~ https://arstechnica.com/tech-policy/201 ... ppy-opsec/

Ar3s profile on exploit.in magically vanished from board :)
Code:
Damagelab - Ar3s Last activity: November 22, 2017, 09:58:57 pm
Exploit.in - Ar3s Last visit 20.11.2017 - 22:15
 #31099  by EP_X0FF
 Wed Dec 06, 2017 10:08 am
Was he a direct owner of damagelab? Thoughts that this board is now a local branch of FBI/Interpol etc, rofl.

p.s.
oh I figured out they lost control over dlab.im
 #32080  by EP_X0FF
 Sat Sep 01, 2018 7:37 am
Xylitol wrote: Wed Dec 06, 2017 2:22 am Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda) ~ https://blogs.technet.microsoft.com/mmp ... andromeda/
Mastermind behind sophisticated, massive botnet outs himself ~ https://arstechnica.com/tech-policy/201 ... ppy-opsec/

Ar3s profile on exploit.in magically vanished from board :)
Code:
Damagelab - Ar3s Last activity: November 22, 2017, 09:58:57 pm
Exploit.in - Ar3s Last visit 20.11.2017 - 22:15
Ares is back, charges dropped, if someone missed it :)