Most malcode on it seems dead and closed (each after approx. 2-2.5 hrs activity),
htxp://dx7.52z.com/RMBDXZH.exe seems still up and alive:
Not detected on VT but analyzed here: http://camas.comodo.com/cgi-bin/submit?file=157f32a98ad47c6ac21d107db60aaab59d0a00b2133042b924a5f437afe9dd8d
See: http://urlquery.net/report.php?id=7055123 with IDS alerts, same as given for alan1998’s scan for the other uri.
On the one I gave there is even this IDS alert: ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Here we have an earlier file scan: https://www.virustotal.com/nl/file/13033a0fcba3c8b9db385014719c5cf9922db2be6fe12b6295e248d659cc4f5b/analysis/
from an earlier version of the same executable, 1 month ago. It means the malware is constantly changing and launched anew from that domain.
The version of 2 minutes ago: http://anubis.iseclab.org/?action=result&task_id=1ac114bc5fbee5844f50aa0edc2f0b097&format=html
Characteristics shown are those of trojan_nelloweg or zero_access. Site directs to Fast Flux Trojan.
See: http://support.clean-mx.de/clean-mx/viruses.php?ip=61.147.108.51&sort=id%20DESC
pol
ZA!!! Finally found a site with it! Yes!!! Means I can test it. :):):):):):)
I’m sooo happy right now. Thanks Pol and Twin!
Site(s) are down. So no ZA for me.
Hi alan1998,
You have to wait for another 2.5 hours and check on the links there (linkchecker ready?).
Then the malware launching “casino” will be re-opened, new chances for you ;D.
Watch your clicks :o.
pol