Malware Domain List

Malware Related => Malware Analysis => Topic started by: extrexploit on May 25, 2009, 03:22:06 pm

Title: bulkbin.cn
Post by: extrexploit on May 25, 2009, 03:22:06 pm
Hi there,

What about bulkbin.cn? I have started a sort of analysis on my blog, but I'm curious what other guys think about it. If you are interested:

http://extraexploit.blogspot.com/2009/05/bulkbincn-part-01.html

Thank you


Title: Re: bulkbin.cn
Post by: MysteryFCM on May 25, 2009, 04:55:08 pm
This is what it downloads;

http://antimonous.info/scan/download.php?said=10&ver=1.0.6

> install.exe > 19K

Likely VM aware, as shown by;

http://anubis.iseclab.org/?action=result&task_id=171568062bed9337485595d47981c54df

... and the attached JoeBox report ...

Couldn't grab the agentival.info URL referenced, as it returned a 404 for me .... however, loading install.exe in a hex editor showed;

Code:
http://174.133.202.178/pbpro/stats/cnt.php?type=%s&said=%s&ver=%s
http://antimonous.info/scan/download.php?type=%s&said=%s&ver=%s

The former seems to be just a counter - returning "true" when accessed, and nothing else. Ref;

http://hosts-file.net/?s=174.133.202.178

The latter of these also returned a 404 for me .... funny considering it just worked to download the install.exe file ....

2 files referenced, presumably the filenames to be used for the dropped files;

iewizard.dll
atiwizard.exe

Directory referenced;

%APPDATA%\Windows Wizard

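Reproducing the hex-editor findings above programmatically, as an added example that is not part of this thread: it extracts ASCII and UTF-16LE strings from a constructed sample blob (not the real install.exe) and matches the indicators listed in the post.

```python
"""Added triage example: string extraction plus indicator matching.
The SAMPLE blob below is constructed for the demo, not the real install.exe."""
import re

# Indicators quoted in the post above (hostnames, dropped file names, directory).
INDICATORS = (
    "antimonous.info/scan/download.php",
    "174.133.202.178/pbpro/stats/cnt.php",
    "iewizard.dll",
    "atiwizard.exe",
    r"%APPDATA%\Windows Wizard",
)

# Runs of at least 6 printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
# UTF-16LE: printable ASCII byte followed by NUL, at least 6 times (Windows
# binaries often store paths and file names this way, which a plain
# ASCII-only strings pass would miss).
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings found in data."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def match_indicators(strings, indicators=INDICATORS) -> dict[str, list[str]]:
    """Map each indicator to the extracted strings that contain it (case-insensitive)."""
    hits = {}
    for ind in indicators:
        matched = [s for s in strings if ind.lower() in s.lower()]
        if matched:
            hits[ind] = matched
    return hits


# Constructed sample blob standing in for install.exe; NOT the real file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"http://antimonous.info/scan/download.php?type=%s&said=%s&ver=%s\x00"
    + b"\x01\x02"
    + "iewizard.dll".encode("utf-16-le") + b"\x00\x00"
    + b"%APPDATA%\\Windows Wizard\x00"
)

if __name__ == "__main__":
    for ind, strs in match_indicators(extract_strings(SAMPLE)).items():
        print(ind, "->", strs)
```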
Title: Re: bulkbin.cn
Post by: MysteryFCM on May 25, 2009, 05:10:37 pm
install.exe - 9/40
http://www.virustotal.com/analisis/836021574863e6779abf897af2b3de8f2ed4181b9811e3b4e67111c7f9dae847-1243270905

Title: Re: bulkbin.cn
Post by: extrexploit on May 26, 2009, 01:08:54 pm
Hi there,
Sorry for my short question. I already know what you can download from bulkbin. But my doubts are related to the strange AS graph behavior, as I posted on my blog. Also, I have looked and it seems the binary is still undetected.

Anyway Thank you for your feedback and analysis.

Regards