The malware was spotted as a payload in an HFS watering hole <PIC>
    Origin is PRC/China.
    Many analysis evasions like: packed, mouse check, aiming at a specific OS, antivirus process detection, etc.
    CNC: kugo.f3322.net (58.128.228.168) port 51012
Drops two files:
    \Common Files\ppt\symet.exe (self-copy)
    \C:\2370.vbs
The vbs is for self-deletion, executed by the malware via wscript <PIC>
The initial communication (beacon) is like this <PIC>
Sample: https://www.virustotal.com/en/file/675f ... /analysis/
Maybe more analysis in Windows OS must be performed; the reference is poor, it's hard to recognize it as Bulta actually, but it's the closest description that I can match for the sample. Will ask Ben to improve this repo.
Need help. @EP_X0FF @Xylit0l
Attachments
7z/infected
(29.4 KiB)
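Added here as a worked example, not code from the post or from the sample's author: a small Python IOC sweep that runs over constructed log lines and flags the indicators the post gives (the C2 domain, the IP and port it beaconed to, the two dropped files, and wscript launching the .vbs). The log format, the timestamps, the "C:\Program Files" prefix put in front of the truncated "\Common Files\ppt\symet.exe" path, and the drive-root .vbs heuristic are all assumptions made for this example and are marked as such in the code.

```python
import re

# Indicators from the post: C2 host and the IP/port it resolved to, plus the
# two dropped files. The executable path is matched only on the tail the post
# gives, since the prefix in the post is truncated.
C2_DOMAIN = "kugo.f3322.net"
C2_IP = "58.128.228.168"
C2_PORT = "51012"
DROPPED_FILE_SUFFIXES = (
    r"\common files\ppt\symet.exe",  # self-copy
    r"c:\2370.vbs",                   # self-deletion script run through wscript
)

# Heuristic added here (an assumption, not something the post states): wscript
# running a .vbs that sits directly in a drive root is rare on a workstation
# and also catches a variant that picked a different file name.
ROOT_VBS = re.compile(r'^[a-z]:\\[^\\\s"]+\.vbs$', re.IGNORECASE)
VBS_ARG = re.compile(r'([a-z]:\\[^"\s]*\.vbs)', re.IGNORECASE)

# Constructed log format for this example: '<time> <kind> key=value ...' with
# double quotes around values that contain spaces. Not a real sensor's output.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Split a constructed log line into (kind, {key: value})."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return None, {}
    rest = parts[2] if len(parts) > 2 else ""
    fields = {}
    for m in FIELD.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return parts[1], fields


def check(line):
    """Return the reasons (possibly none) a log line matches the sample."""
    kind, f = parse(line)
    hits = []
    if kind == "dns" and f.get("query", "").lower() == C2_DOMAIN:
        hits.append("DNS lookup of C2 domain")
    elif kind == "conn" and f.get("dst") == C2_IP:
        hits.append("connection to C2 IP")
        if f.get("dport") == C2_PORT:
            hits.append("on C2 port 51012")
    elif kind == "file" and f.get("path", "").lower().endswith(DROPPED_FILE_SUFFIXES):
        hits.append("dropped file written")
    elif kind == "proc" and f.get("image", "").lower().endswith("\\wscript.exe"):
        m = VBS_ARG.search(f.get("cmdline", ""))
        script = m.group(1).lower() if m else ""
        if script == r"c:\2370.vbs":
            hits.append("wscript running the dropped self-deletion script")
        elif ROOT_VBS.match(script):
            hits.append("wscript running a .vbs from a drive root (heuristic)")
    return hits


def scan(lines):
    """Map 1-based line numbers to hit reasons; clean lines are left out."""
    findings = {}
    for n, line in enumerate(lines, 1):
        hits = check(line)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample log. The 'C:\Program Files' prefix on the symet.exe line
# is an assumption, as the post only shows the path from '\Common Files'.
SAMPLE_LINES = [
    r'10:00:00 dns query=kugo.f3322.net answer=58.128.228.168',
    r'10:00:01 conn dst=58.128.228.168 dport=51012 proto=tcp',
    r'10:00:02 file path="C:\Program Files\Common Files\ppt\symet.exe" action=create',
    r'10:00:03 proc image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\2370.vbs"',
    r'10:00:04 conn dst=8.8.8.8 dport=53 proto=udp',
    r'10:00:05 proc image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\bob\logon.vbs"',
    r'10:00:06 proc image=C:\Windows\System32\wscript.exe cmdline="wscript.exe D:\9981.vbs"',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LINES).items():
        print(f"line {n}: {'; '.join(reasons)}")
```

Of these indicators the resolved IP is the weakest, because f3322.net is a dynamic DNS service and the address behind the host name can change between samples; the domain, the port, and the file and wscript artifacts are the more durable hunt keys.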