[2017-12-09] Fobos->RigEK->Bunitu

December 09, 2017

Overview

The Fiddler session archive (.saz) for this capture is 2017-12-09_13-05-23.saz

(Analysis result using EKFiddle, shown in the image below)

Malware

Bunitu

e23bda7a976786532553201e6a76641bb2b6395aedc2accda7ef26a6b0107e2c
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Fobos]
http[:]//krai-soft.net/
↓
[Fobos]
http[:]//103jdhhfff995009.info/kot/index.php?am=151591246745
↓
[RigEK][Landing Page]
http[:]//176.57.220.130/?NjcyMzA2&UNFuJgiRDuIHNgcmVwb3J0RVhwVGFNTHBsdW5rbm93bg==&JYDdsCfSpjKiC=bG9jYXRlZA==&fgQnKCKYggl=bWlzc2luZw==&WqpiDMwoDv=c3Rvcm1lZA==&FxBRuuYbz=dW5rbm93bg==&LxNREDfo=ZGVub21pbmF0aW9ucw==&sepfmQ=dW5rbm93bg==&lmXShHe=dW5rbm93bg==&VBNiwmQetxo=Y2FwaXRhbA==&xfsdffghfgh=SwdllI1cB1kXpqj83UPWnRLKhpOC_hbYYQsX-ZeQEbRo0VmgzbQRcM9xwBOL62IEz-ktYl8gpQ5R2avI&CkcjyOHlGlP=bG9jYXRlZA==&xzcsdfgdfgfd=xH3QMrDYbRvFFYDfKP_EUKBEMU7WA0eKwYyZharVF52xFDPGpbH1Fx7spVidCFmEmvBvdLcHIwKh1UbA&nmVyIHhGklZMrS=ZGVub21pbmF0aW9ucw==&nwoKRZZM=YXR0YWNrcw==&RSsXej=dW5rbm93bg==&zwatrOcmVwb3J0
↓
[RigEK][SWF Payload]
http[:]//176.57.220.130/?NTIyNDk4&qwZjSisgVtTxspdW5rbm93bkJjZm1ueHJLWQ==bG9jYXRlZA==&VeTNHpRNOZK=ZGVub21pbmF0aW9ucw==&xfsdffghfgh=llIpcB1gXpqj83UXWnRPKhpKC_hfYYQkX-ZeQEbJo0VygzbMRcMpxwBeL62MEz-ktW1gW6A8Unq_7VaKO-w&eQQjkj=YXR0YWNrcw==&NEEQaVSzDr=c3Rvcm1lZA==&ZoDvfcwqc=bWlzc2luZw==&XFbTrSDv=ZGVub21pbmF0aW9ucw==&SDRyQXJSd=dW5rbm93bg==&ZNruTZTnNf=bWlzc2luZw==&fSvjjoMbMCYwv=ZGVub21pbmF0aW9ucw==&JzbGtlioqccXr=cmVwb3J0&yhXprhz=Y2FwaXRhbA==&mflcggVFJmXT=YXR0YWNrcw==&yRHGnRWMQJel=Y2FwaXRhbA==&xzcsdfgdfgfd=xHrQMrPYbRzFFYPfKPrEUKZEMU3WA0KKwYqZha_VF5-xFDfGpbL1FxnspV6dCFiEmvBvdLMHIweh1UbASwd&BhivxFvGxDcmVwb3J0