A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27609  by unixfreaxjp
 Mon Jan 11, 2016 8:31 am
The malware was spotted as payload in HFS watering hole <PIC>
Code: Select all
CNC: kugo.f3322.net (58.128.228.168)port 51012 
Origin is PRC/China. Many analysis evasion like: packed,check mouse,aiming specific OS,antivirus process detection, etc.
Drops two files:
Code: Select all
\Common Files\ppt\symet.exe (self-copy)
\C:\2370.vbs
The vbs is for self deletion executed by malware via wscript <PIC>
The initial communication (beacon) is like this <PIC>
Sample: https://www.virustotal.com/en/file/675f ... /analysis/
Maybe more analysis in windowsOS must be perfomed, reference is poor, it's hard to recognize it as Bulta actually but it's the closest description that I an match for the sample. Will ask Ben to improve this repo.
Need help. @EP_X0FF @Xylit0l
You do not have the required permissions to view the files attached to this post.
 #27618  by lasvegas
 Tue Jan 12, 2016 2:26 am
[quote="benkow_"]There is a weak FTP at ftp//58.128.228.168
Proof

It's really weak:-)