[2017-12-04] Fobos->RigEK->Bunitu
Overview
Saz file is 2017-12-04_09-12-40.saz
(↓Analysis result using EKFiddle)
Malware
Bunitu
8ff02ff8da65d513bdeda828f3dc9f26e9172b29604fdc54b4061c7962715952
[Hybrid-Analysis] [VirusTotal]
Traffic-Chain
[Fobos]
http[:]//gamesville.pro
↓
[Fobos]
http[:]//great009d.info/faq/?ps=49298418073
↓
[RigEK][Landing Page]
http[:]//188.225.76.165/?MTE0NDU0&TNkROmjvkwCbG9jYXRlZHF1bk5weGhYbG9jYXRlZA==&gAjKtc=bG9jYXRlZA==&rECSIIhzEc=YXR0YWNrcw==&SAtuLvwkNRMoJ=dW5rbm93bg==&ffDSTbqVort=bG9jYXRlZA==&fAefoRWVIwk=c3Rvcm1lZA==&khjjfghfghfd=xX3QMvWdbRXQC53EKvjcT6NHMVHRHECL2YydmrHUefjaeVWkzrHFTF_xozKASASG6_dtdfJ&nyRoQt=dW5rbm93bg==&fghfdfgfdhfg=SDVe3jEWJfQBkyd9fAFMW9an7iELQnxOfhZ6H_0aOaAgRrJeXFuNo2VumyLAkQPskg1TH6mI&SfqZKwBa=dW5rbm93bg==&XabrHXnhCRNH=cmVwb3J0&byzKpODu=ZGVub21pbmF0aW9ucw==&RGRApHsQbMBwj=bG9jYXRlZA==&VzEEGeiJnkWMblC=bWlzc2luZw==&brCCOMoYNNyxcn=ZGVub21pbmF0aW9ucw==&howyuozUimeaac3Rvcm1lZA==
↓
[RigEK][SWF Payload]
http[:]//188.225.76.165/?NjEyOTAy&rsNNVhbG9jYXRlZExab2VycEdMU2pkSQ==c3Rvcm1lZA==&UNdujdCbW=YXR0YWNrcw==&IIsKTNBPeJCi=YXR0YWNrcw==&LAhBfjFjIJb=YXR0YWNrcw==&gdGOmhlLNxb=bG9jYXRlZA==&FbddzdSCLPLVqQ=bG9jYXRlZA==&ckUJZgQkSDIUpG=Y2FwaXRhbA==&fghfdfgfdhfg=e3iUWJfQRkyd9ZAFMW86n7iELQnxOdhZ6H-UaOaAgRrJeWFuNo3FumyLAkcsgmzxSF6lETi-lL&qdIPesyNLiG=bWlzc2luZw==&bHcaOSlHv=cmVwb3J0&LAYvoyxZOcIXjjA=ZGVub21pbmF0aW9ucw==&vZhRTJDtRez=ZGVub21pbmF0aW9ucw==&khjjfghfghfd=xXzQMvWfbRXQC53EKv_cT6NEMVHRHkCL2Y2dmrHSefjaf1WkzrHFTF_xozKATwSG6_BtdfJUDV&wDtYMEnGsraB=bWlzc2luZw==&RWqhMdBNLD=dW5rbm93bg==&CghzockhfCzTc3Rvcm1lZA==