[2018-04-17] Fobos->RigEK->Bunitu

April 17, 2018

Overview

Saz file is 2018-04-17_01-08-43.saz

Malware

Bunitu

719b185ad168afdd3858691192f2133f655120e53dfc66e1c8448cec53609be1
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Fobos]
http[:]//jblcharge.info/
↓
[Fobos]
http[:]//jblchar.info/h9ulrbc/index.php?s=3312011749?
↓
[RigEK][Landing Page]
http[:]//46.30.42.233/?MjU4OTI3&cTqbVCWEoRxYCVF&IMmTXAsYbm=cmVzb3J0&t4af2af=dL-QFaQfg3EWDLQQwmtpfU1kQ96ms2xOHnRSY0cPQ_BbYaAxBqceQQLML6G2xzPNRcw&mPllozaATWH=c2hha2U=&fd543f=wn3QMvXcKRXQFYbEKuXDSKZDKU7WH0aVw4-YhMG3Yp_Nfynz1ezURnLytASVVFmRrbM&OmuWhFdC=c2hha2U=&LVTKKyHdXMhu=c3BvcnQ=&kYOEWt=c2Vh&dxqixFf=c2Vh&tYEUiKYkeapWc=cmVzb3J0
↓
[RigEK][SWF Payload]
http[:]//46.30.42.233/?MjUzMDU0&xOGlLwDiC&pPZGNRBYtOggX=c2Vh&QrxfeNUeuIWVGqJ=cmVzb3J0&LyFsQYMvl=cmVzb3J0&YKkPzmrYSUl=Zmx5&lWbBEYVSjjNnSHW=bW9uZXk=&tuFmbBECz=c2Vh&fd543f=wnzQMvXcLBXQFYbCKuXDSKFDKU7WHEaVw4-ahMG3YprNfynz0uzURnLxtASVVFmRrbMdLO&t4af2af=QFaQfj3EWDLQYwmtpfVlkQ96mq2xOHnReY0cPQ_hbYaAxHqceQQLIL0FnwzLUcQIglgECy&hMjjoOik=Y2F0cw==
↓
[RigEK][Malware Payload]
http[:]//46.30.42.233/?NjIyOTI=&idJJvrJiK&MLqqyuKwDM=Zmx5&fd543f=wnrQMvXcLxXQFYbBKuXDSKRDKU7WHEaVw4-dhMG3Yp_Nfynz0OzURnLwtASVVF-RrbMdLOQFa&nvwwob=cmVzb3J0&nJNIAtHTDMdtX=bWF0Y2h1cA==&jfnlVPRNevGnIlK=Zmx5&ObrAsIZMsvp=c3BvcnQ=&t4af2af=Qfj3EWDLQQwmtpfVlkQ96mt2xOHnRSY0cPQ_BbYaAxGqceQQLAL0VT8y7gdecIjzibfqWBT_A&GRpESjmFwWt=bWF0Y2h1cA==&ookCzgr=c2Vh