Is this a cryptolocker site?

See: https://www.virustotal.com/nl/url/70945677832b5055490e26cf1f57a91b631839f24ce6b1cedd643f2ba91c5cc7/analysis/1416174425/
Blacklisted: http://quttera.com/labs-data-url/qchwgzlfqduvgscpjbiqweygyrgus.info

IP badness history:
https://www.virustotal.com/nl/ip-address/54.83.43.69/information/
Re: http://dnslist.net/info/qch

Blacklisted and potentially harmful: http://sitecheck.sucuri.net/results/qchwgzlfqduvgscpjbiqweygyrgus.info
Maybe on pwnedlist…

pol

Hi Polonus,

Just from the domain name one can already tell that it’s suspicious.

~!Donovan

Yes, look here for recent reports on the same IP/ASN/Domain
Last 6 reports on IP: 54.83.43.69 → http://urlquery.net/report.php?id=1416174929849
18,269 other sites hosted on this server!
See: http://whois.domaintools.com/qchwgzlfqduvgscpjbiqweygyrgus.info
And that project :wink: https://whoisology.com/registrar_name/archive_7/afilias%20special%20projects%20(r556-lrms)
and then: https://whoisology.com/archive_7/qchwgzlfqduvgscpjbiqweygyrgus.info

Websites on same IP
-prktqwbuzprolxbunfsdhsw.info
-gulzfuifugehdbmnbzmvhbinj.info
-ailqdyrszplbdifkfsconcuin.info
-phqtibhylphswtkhifheorts.biz
-hyhjneixptauhejvuvgnroncm.biz
-ylpffizlpxwdeqgkrhtsxktoijc.info
-fafmxmnljfevljcfmljnbzxtqg.biz
-hsooiznzkfxnjgmtlfciqgtwtgdi.info
-getswgdwctoheyrwxobeimjpmzp.biz
-haizrwzkruopvpjptwrwgdxmj.info

What is the common denominator here? Were these domain names automatically generated in advance and released on purpose?
At least all are on the DNS-BH / malwaredomains.com list, that is for sure.

pol
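The question in the post above (do these names look machine-generated?) can be checked with a few plain string heuristics. This is an added example, not code from the thread or from any of the tools linked in it; the thresholds are hand-picked assumptions and the benign reference names are constructed for comparison only.

```python
import math
from collections import Counter

# The same-IP domain names listed in the post above.
SAME_IP_DOMAINS = [
    "prktqwbuzprolxbunfsdhsw.info", "gulzfuifugehdbmnbzmvhbinj.info",
    "ailqdyrszplbdifkfsconcuin.info", "phqtibhylphswtkhifheorts.biz",
    "hyhjneixptauhejvuvgnroncm.biz", "ylpffizlpxwdeqgkrhtsxktoijc.info",
    "fafmxmnljfevljcfmljnbzxtqg.biz", "hsooiznzkfxnjgmtlfciqgtwtgdi.info",
    "getswgdwctoheyrwxobeimjpmzp.biz", "haizrwzkruopvpjptwrwgdxmj.info",
]
# Constructed benign reference names, used only for comparison.
BENIGN_REFERENCE = ["example.com", "wikipedia.org", "virustotal.com"]

VOWELS = set("aeiou")  # 'y' is treated as a consonant (simplification)

def second_level_label(domain):
    """Drop the suffix; enough for the single-label TLDs seen in this thread."""
    return domain.lower().rsplit(".", 1)[0]

def shannon_entropy(s):
    """Bits per character; random strings score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def vowel_ratio(s):
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0

def longest_consonant_run(s):
    best = cur = 0
    for ch in s:
        cur = cur + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, cur)
    return best

def dga_score(domain):
    """Return the heuristics plus a verdict. Thresholds are assumed, not tuned."""
    label = second_level_label(domain)
    flags = []
    if len(label) >= 20:
        flags.append("long label")
    if vowel_ratio(label) < 0.30:
        flags.append("few vowels")
    if longest_consonant_run(label) >= 5:
        flags.append("long consonant run")
    if shannon_entropy(label) >= 3.5:
        flags.append("high entropy")
    return {"domain": domain, "entropy": round(shannon_entropy(label), 2),
            "flags": flags, "suspicious": len(flags) >= 3}

if __name__ == "__main__":
    for d in SAME_IP_DOMAINS + BENIGN_REFERENCE:
        r = dga_score(d)
        print(f"{'SUSPICIOUS' if r['suspicious'] else 'ok':10} {d:36} {r['flags']}")
```

Every name from the post trips at least three of the four checks, while the reference names trip none; a heuristic like this is only a triage aid and should be confirmed against a blocklist such as the DNS-BH list the post mentions.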

Avast! certainly doesn’t like that site. The file downloaded has no extension?

Edit: VT Scan: https://www.virustotal.com/en/file/dd44bda952c4e68a0597d2d7b8229c5cf07cb2d7780712b0d60624e9a3d98bef/analysis/1416179578/

Even after renaming it to the extensions .pdf, .scr, .com and .exe, I got no reaction inside a controlled environment?

Hi Michael,

Re: http://www.virusign.com/details.php?hash=dd44bda952c4e68a0597d2d7b8229c5cf07cb2d7780712b0d60624e9a3d98bef
Re: http://www.virusign.com/home.php?d=0&r=100&c=hashes&o=size&s=DESC&p=294
& https://malwr.com/analysis/YjQ5N2NkMjg5Njc3NDg3YzhhNDA3MGUxZDFiZjRlMWQ/#summary_keys
As a final step the files are renamed from .wmv to .s3d.
My good forum friend, this is Python27\cmd.exe malware for you, which could be detected by methods such as those described here, read: https://www.codeandsec.com/Building-Ultimate-Anonymous-Malware-Analysis-and-Reverse-Engineering-Machine

polonus

I would agree with cmd.exe malware. However, not CW.

If you check out the Network tab, it doesn’t attempt to make any contact with tor4pay :-).

First submission 2013-08-14 11:58:06 UTC ( 1 year, 3 months ago )

Old file. :slight_smile: