[2017-12-12] Fobos->RigEK->Bunitu

December 12, 2017

Overview

The .saz capture file is 2017-12-12_12-17-24.saz

(Analysis result using EKFiddle: screenshot not included in this text)

Malware

Bunitu

5ff85643d98f7688bd17839c47d8e2d7673e2c84bb8c7ca4eb0a7ee97562dd88
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Fobos]
http[:]//download-texas-holdem-poker.net/
↓
[Fobos]
http[:]//2565hff.biz/asp/index.php?et=353783294361
↓
[RigEK][Landing Page]
http[:]//188.225.82.95/?MTc3NTU1&onkzMHIydW5rbm93bndFVE9BcGM=bWlzc2luZw==&JXOvoDwcgY=YXR0YWNrcw==&MeblsmgVlHt=bG9jYXRlZA==&BhryZoJrkKi=bWlzc2luZw==&ZdyrMrPa=dW5rbm93bg==&fFDqmWavyjoz=cmVwb3J0&niZIrnBkQnpS=bWlzc2luZw==&dfsdfdfhf=SDQvnjkaBegc1mo9eUVlF9K3_3UPUyBWYgZbW_ETeYw5Dq8eWErcy2lX3zbUkQPsjg1TH7GI&XlsWaQivDDQYpz=cmVwb3J0&ITxowNAtO=cmVwb3J0&wjMgBXQJrW=bWlzc2luZw==&ymvMuuuMIWWzj=YXR0YWNrcw==&CiSaPBY=c3Rvcm1lZA==&LWXKmxF=bWlzc2luZw==&asdfgdfg=xX_QMvWYbRXQC53EKv7cT6NEMVHRGUCL2Y2dmrHUefjaf1WkzrbFTF_3ozKATwSG6_BtdfJ&DMhDABAdrMYXR0YWNrcw==
↓
[RigEK][SWF Payload]
http[:]//188.225.82.95/?MTg0NzM4&ltzaxgAbG9jYXRlZE5ucWRndVVuZERyUGt2ZGVub21pbmF0aW9ucw==&efMxLdlGBoESX=ZGVub21pbmF0aW9ucw==&nwEwOffwBHzfpeR=cmVwb3J0&tRMnGS=c3Rvcm1lZA==&lzQWPMqvSM=Y2FwaXRhbA==&asdfgdfg=xXvQMvWdbRXQD53EKv_cT6NHMVHRGUCL2Y2dmrHVefjaeFWkzrfFTF_xozKASwSG6_JtdfJTDQ&zMsZIFwnbksh=bG9jYXRlZA==&MmGxpSe=dW5rbm93bg==&dfsdfdfhf=vniEaBegQ1mo9YUVlF9K3_3UXUyBWfgZbW-ETeYwlDq8eXErcy3VX3zbQkeMolzheE6FETi-tL&Oqtohpe=cmVwb3J0&PgaflRatGqNUyd=cmVwb3J0&ylPhDvKpWuFfvee=Y2FwaXRhbA==&ZAKHuLrzeilsOeG=Y2FwaXRhbA==&JyebxNHUa=bG9jYXRlZA==&IirAJIwCcEIFLFd=cmVwb3J0&hJEkRLvkkvIc3Rvcm1lZA==