[2017-11-17] Fobos->RigEK->Bunitu

November 17, 2017

Overview

Saz file (Fiddler session archive): 2017-11-17_11-34-45.saz

(↓Analysis result using EKFiddle)

Malware

Bunitu

5d225036372c54faf72e630fb0af3ca5498a85be12c8480375b78d4da316df45
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Fobos]
http[:]//tehasholdempoker.info/
↓
[Fobos]
http[:]//56kjghfukj546.pw/freebet/index.php?r5=1&ps=492093186969
↓
[RigEK][Landing Page]
http[:]//188.225.32.106/?NTc0ODQ1&rgBfljlvuVwdW5rbm93bmxyWnRsRFdmbWpCag==bWlzc2luZw==&WwtBSOfkFjm=bWlzc2luZw==&vbncvx=xH3QMrXYbRvFFYDfKP_EUKBEMUvWA0OKwYyZhazVF5yxFDLGpbH1Fx_spV6dCFiEmvdvdLcHIwCh1UfA&KKXqTkMHDXUtF=c3Rvcm1lZA==&gjlJavPOBpiU=Y2FwaXRhbA==&tlnPIswusYpWw=cmVwb3J0&oZgFLnZtqYN=ZGVub21pbmF0aW9ucw==&cvbvbmbn=Swcwyo9aUl4Q_qqpiUSGyRXPh5OF_RaLaA9NrZGSFLQ4jV7zyLMdJM8mxRKH62RXy-4tYlggpQ5R2avI&gyCdUW=Y2FwaXRhbA==&aGOqCkoEqMhuHd=cmVwb3J0&zttpuZd=bG9jYXRlZA==&OJseDCQkg=dW5rbm93bg==&MuToLadW5rbm93bg==
↓
[RigEK][SWF Payload]
http[:]//188.225.32.106/?MTc1NjUw&QuARPcSKbWlzc2luZ1hCWUlIbUdoeHh1dg==dW5rbm93bg==&GrhGumvqaRAf=YXR0YWNrcw==&vbncvx=xX3QMvWYbRXQCJ3EKvncT6NGMVHRHECL2YydmrHQefjaeFWkzrHFTF_2ozKATgSG6_FtdfJRDV&KZxPcNemDyZdfOW=dW5rbm93bg==&cvbvbmbn=K3jkKAeAZom4leAVpA9q6pjkDTwB6e0pCC_xbYZwtC9saQFbM-2l_yyLUkc8kkzheF7VETi-5L&aATQsJwx=ZGVub21pbmF0aW9ucw==&oqUCQcTVzkPn=Y2FwaXRhbA==&sBPsZEu=dW5rbm93bg==&oauCaVvR=c3Rvcm1lZA==&oKfnYz=YXR0YWNrcw==&keqMVsFQRP=Y2FwaXRhbA==&ntYROLBucIbxVwO=cmVwb3J0&vONTJTZGVub21pbmF0aW9ucw==
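The two RigEK URLs above share the same shape: a bare IP host, path "/", a leading bare token, and a string of query parameters whose values are base64 of plain English words ("missing", "capital", "report", ...) mixed with a few long opaque blobs. The script below is an added example for this post, not code from the author or from EKFiddle. It decodes every base64-looking chunk in the query string (including bare tokens such as `rgBf...Cag==bWlzc2luZw==`, which carry two chunks glued together) and applies a small triage heuristic. The heuristic in `looks_like_rig()` is my assumption derived only from the two URLs on this page; it is not a vetted signature. The `BENIGN` URL is a constructed negative control.

```python
"""Pull the base64 tokens out of RigEK-style URLs (added example, not the post's code).

Heuristic is an assumption built from the two 188.225.32.106 URLs in this
post's traffic chain: bare IPv4 host, path '/', leading numeric token, and
several query values that base64-decode to lowercase English words.
"""
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed inputs: the two RigEK URLs copied from this post (defanged as on
# the page) plus an unrelated URL as a negative control.
LANDING = ("http[:]//188.225.32.106/?NTc0ODQ1&rgBfljlvuVwdW5rbm93bmxyWnRsRFdmbWpCag==bWlzc2luZw=="
           "&WwtBSOfkFjm=bWlzc2luZw==&vbncvx=xH3QMrXYbRvFFYDfKP_EUKBEMUvWA0OKwYyZhazVF5yxFDLGpbH1Fx_spV6dCFiEmvdvdLcHIwCh1UfA"
           "&KKXqTkMHDXUtF=c3Rvcm1lZA==&gjlJavPOBpiU=Y2FwaXRhbA==&tlnPIswusYpWw=cmVwb3J0&oZgFLnZtqYN=ZGVub21pbmF0aW9ucw=="
           "&cvbvbmbn=Swcwyo9aUl4Q_qqpiUSGyRXPh5OF_RaLaA9NrZGSFLQ4jV7zyLMdJM8mxRKH62RXy-4tYlggpQ5R2avI"
           "&gyCdUW=Y2FwaXRhbA==&aGOqCkoEqMhuHd=cmVwb3J0&zttpuZd=bG9jYXRlZA==&OJseDCQkg=dW5rbm93bg==&MuToLadW5rbm93bg==")
SWF = ("http[:]//188.225.32.106/?MTc1NjUw&QuARPcSKbWlzc2luZ1hCWUlIbUdoeHh1dg==dW5rbm93bg==&GrhGumvqaRAf=YXR0YWNrcw=="
       "&vbncvx=xX3QMvWYbRXQCJ3EKvncT6NGMVHRHECL2YydmrHQefjaeFWkzrHFTF_2ozKATgSG6_FtdfJRDV&KZxPcNemDyZdfOW=dW5rbm93bg=="
       "&cvbvbmbn=K3jkKAeAZom4leAVpA9q6pjkDTwB6e0pCC_xbYZwtC9saQFbM-2l_yyLUkc8kkzheF7VETi-5L&aATQsJwx=ZGVub21pbmF0aW9ucw=="
       "&oqUCQcTVzkPn=Y2FwaXRhbA==&sBPsZEu=dW5rbm93bg==&oauCaVvR=c3Rvcm1lZA==&oKfnYz=YXR0YWNrcw==&keqMVsFQRP=Y2FwaXRhbA=="
       "&ntYROLBucIbxVwO=cmVwb3J0&vONTJTZGVub21pbmF0aW9ucw==")
BENIGN = "http://example.com/search?q=base64&page=2"  # constructed negative control

# key=value only when the first '=' is followed by a non-'=' character; a part
# like 'AAAA==BBBB==' therefore stays a bare token and is chunked as a whole.
KEY_VALUE = re.compile(r"^([A-Za-z0-9_-]+)=([^=].*)$")
B64_CHUNK = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")


def refang(url):
    """Undo the defanging used in the post so urlsplit can parse the URL."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def decode_chunk(chunk):
    """Decode standard or URL-safe base64; return text only if it is printable ASCII."""
    try:
        data = base64.urlsafe_b64decode(chunk)
    except (binascii.Error, ValueError):
        return None
    if data and all(0x20 <= b < 0x7F for b in data):
        return data.decode("ascii")
    return None  # opaque blob (encrypted/obfuscated payload data)


def query_tokens(url):
    """Return (key, chunk, decoded) for every base64-looking chunk in the query.

    Bare tokens have key None; a value such as 'X==bWlzc2luZw==' yields two chunks.
    """
    out = []
    for part in urlsplit(refang(url)).query.split("&"):
        if not part:
            continue
        m = KEY_VALUE.match(part)
        key, payload = (m.group(1), m.group(2)) if m else (None, part)
        for chunk in B64_CHUNK.findall(payload):
            out.append((key, chunk, decode_chunk(chunk)))
    return out


def decoded_words(url):
    """Only the chunks that decoded to printable text, in query order."""
    return [d for _, _, d in query_tokens(url) if d is not None]


def looks_like_rig(url, min_words=5):
    """Assumed triage heuristic from this page's two URLs: bare IPv4 host,
    path '/', a leading bare numeric token, then >= min_words lowercase words."""
    u = urlsplit(refang(url))
    try:
        ipaddress.IPv4Address(u.hostname)
    except (ValueError, TypeError):
        return False
    if u.path not in ("", "/"):
        return False
    toks = query_tokens(url)
    if not toks or toks[0][0] is not None or not (toks[0][2] or "").isdigit():
        return False
    words = [d for _, _, d in toks[1:] if d and d.isalpha() and d.islower()]
    return len(words) >= min_words


if __name__ == "__main__":
    for name, url in (("landing", LANDING), ("swf", SWF), ("benign", BENIGN)):
        print(name, looks_like_rig(url), decoded_words(url))
```

Running it against the two URLs prints the same word set for both ("missing", "stormed", "capital", "report", "denominations", "located", "unknown", "attacks") with the leading token decoding to a plain number, while the two long `vbncvx`/`cvbvbmbn` values and the glued prefix chunks stay opaque. Treat the heuristic as a starting point for hunting in a saz or proxy log, and confirm any hit with the full request/response as EKFiddle does.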