Author Topic: bulkbin.cn  (Read 6415 times)

May 25, 2009, 03:22:06 pm

extrexploit

Hi there,

What about bulkbin.cn? I have started a sort of analysis on my blog, but I'm curious what other guys think about it. If you are interested:

http://extraexploit.blogspot.com/2009/05/bulkbincn-part-01.html

Thank you



May 25, 2009, 04:55:08 pm
Reply #1

MysteryFCM

This is what it downloads:

http://antimonous.info/scan/download.php?said=10&ver=1.0.6

> install.exe > 19K

Likely VM aware, as shown by:

http://anubis.iseclab.org/?action=result&task_id=171568062bed9337485595d47981c54df

... and the attached JoeBox report ...

Couldn't grab the agentival.info URL referenced, as it returned a 404 for me. However, loading install.exe in a hex editor showed:

http://174.133.202.178/pbpro/stats/cnt.php?type=%s&said=%s&ver=%s
http://antimonous.info/scan/download.php?type=%s&said=%s&ver=%s

The former seems to be just a counter, returning "true" when accessed and nothing else. Ref:

http://hosts-file.net/?s=174.133.202.178

The latter of these also returned a 404 for me. Funny, considering it just worked to download the install.exe file.

2 files referenced, presumably the filenames to be used for the dropped files:

iewizard.dll
atiwizard.exe

Directory referenced:

%APPDATA%\Windows Wizard

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
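The hex-editor pass in the reply above (pull the URL format strings, the two dropped-file names and the %APPDATA% directory out of install.exe) can be scripted so the same triage runs on every new sample. The script below is an added example for this thread, not code from the posts or from the dropper itself: it extracts printable ASCII and UTF-16LE strings and buckets them into URL templates, dropped-file names and environment-variable-rooted paths. SAMPLE is a constructed byte blob seeded with the strings quoted above; it is not the real install.exe, and the wide-string encoding of the filenames is an assumption made so the scanner has both encodings to find.

```python
"""Static string triage of a dropped Windows binary.

Added example for this thread, not code from the original posts or from
the malware: pulls printable ASCII and UTF-16LE strings out of a PE file
and sorts them into URL templates, dropped-file names and
environment-variable-rooted paths. SAMPLE is a constructed blob seeded
with the strings quoted in the thread; it is not the real install.exe.
"""
import re
import sys
from typing import Dict, List

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FILE_RE = re.compile(r"^[\w.-]+\.(?:exe|dll|sys|scr|bat)$", re.IGNORECASE)
PATH_RE = re.compile(r"^%[A-Z_]+%\\")          # e.g. %APPDATA%\...


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII strings, then UTF-16LE (wide) strings, of at
    least min_len characters. Wide strings matter on Windows: dropper
    filenames are often stored that way and an ASCII-only scan misses them."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def triage(data: bytes) -> Dict[str, List[str]]:
    """Bucket extracted strings into indicators worth pivoting on."""
    out: Dict[str, List[str]] = {"urls": [], "templates": [], "files": [], "paths": []}
    for s in extract_strings(data):
        m = URL_RE.search(s)
        if m:
            url = m.group()
            out["urls"].append(url)
            if "%s" in url or "%d" in url:
                # printf-style placeholders are filled in at runtime, so the
                # literal is a beacon/download template, not a fixed URL
                out["templates"].append(url)
        elif FILE_RE.match(s):
            out["files"].append(s)
        elif PATH_RE.match(s):
            out["paths"].append(s)
    # dedupe while keeping first-seen order
    return {k: list(dict.fromkeys(v)) for k, v in out.items()}


# Constructed sample (assumption, not the real binary): a fake DOS header,
# the two URL format strings and the file/directory names from the thread,
# the filenames stored as wide strings, and junk bytes between them.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 8
    + b"http://174.133.202.178/pbpro/stats/cnt.php?type=%s&said=%s&ver=%s\x00"
    + b"\x8b\x45\xfc\x33\xc9"
    + b"http://antimonous.info/scan/download.php?type=%s&said=%s&ver=%s"
    + b"\x00" * 4
    + "iewizard.dll".encode("utf-16-le") + b"\x00\x00"
    + "atiwizard.exe".encode("utf-16-le") + b"\x00\x00"
    + b"%APPDATA%\\Windows Wizard\x00"
    + b"\xcc" * 16
)


if __name__ == "__main__":
    # usage: python triage.py [path-to-sample]; falls back to SAMPLE
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for bucket, items in triage(blob).items():
        print(f"{bucket}:")
        for item in items:
            print(f"  {item}")
```

Run it against the real file and the "urls" bucket gives you the hosts to look up, "templates" tells you which of those are filled in at runtime (so the live request will carry a type/said/ver triple rather than the literal string), and "files" and "paths" give you the on-disk artefacts to check for on a suspected infected machine. Packed samples will yield little until unpacked; that is the caveat to any strings-only pass.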

May 25, 2009, 05:10:37 pm
Reply #2

MysteryFCM


May 26, 2009, 01:08:54 pm
Reply #3

extrexploit

Hi there,

Sorry for my short question. I already know what you can download from bulkbin, but my doubts are related to the strange AS graph behavior I posted about on my blog. Also, I have seen that the binary seems to be still undetected.

Anyway, thank you for your feedback and analysis.

Regards