Malicious URL

hxxp://dechehang.com/
VT: https://www.virustotal.com/#/url/6d5711fad0a14c96da6a771e6f0f48ea5b689c54b424e110a513c15882b90e57/detection

Fortinet: Malware
CyRadar: Malicious
Forcepoint ThreatSeeker: Suspicious
AOS: It is safe???
Google Safe Browsing: No alerts.

Note: Reported to Avast Viruslab.

You can report a suspicious/malicious sample (File/Website) here: https://www.avast.com/report-malicious-file.php

Thanks, I already did.

NP, good job.

Redirects found: URLs that redirect found in http://dechehang[.]com/:

- http://tongji.baidu.com/hm-web/welcome/ico?s=3374ad26b834d55a05500564f2a3b27b
- https://tongji.baidu.com/web/welcome/login

Re: IP 101.201.50.204 → https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=dechehang.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1

Detected: https://sitecheck.sucuri.net/results/dechehang.com
Web application version:
WordPress version: 3.5.1
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress under 4.8
Outdated Web Server Nginx Found: nginx/1.0.15

polonus
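The posts above write the same indicator in several "defanged" spellings (hxxp://dechehang.com/, dechehang[.]com/gz2qrn.php, -http://dechehang[.]com/) so that forum software and mail clients will not turn it into a clickable link. The helper below is an added example, not code from the thread or from Avast; the function names (refang, defang, host_of, unique_hosts) and the sample list are my own. It normalizes the spellings the thread uses back to a machine-readable form for lookups and blocklists, produces the defanged form for reports, and collapses the different spellings to one host.

```python
import re

# Constructed sample indicators, written the way the thread posts write them
SAMPLE_INDICATORS = [
    "hxxp://dechehang.com/",
    "dechehang[.]com/gz2qrn.php",
    "-http://dechehang[.]com/",
    "101.201.50.204",
]

# Matches a real or defanged scheme: http://, https://, hxxp://, hxxps://
_SCHEME = re.compile(r"^(h(?:xx|tt)ps?)://", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], (.), [:]) back into its usable form."""
    s = ioc.strip().lstrip("-").strip()  # posts prefix list items with "-"
    m = _SCHEME.match(s)
    if m:
        scheme = m.group(1).lower().replace("hxxp", "http")
        s = scheme + "://" + s[m.end():]
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(broken, fixed)
    return s


def split_host(ioc: str):
    """Return (scheme, host, rest) for a refanged indicator; scheme may be ''."""
    s = refang(ioc)
    scheme = ""
    m = _SCHEME.match(s)
    if m:
        scheme = m.group(1).lower()
        s = s[m.end():]
    host, sep, rest = s.partition("/")
    return scheme, host.lower(), sep + rest


def defang(ioc: str) -> str:
    """Render an indicator so it will not be auto-linked or clicked by accident.

    Only the scheme and the host are rewritten; the path is left readable.
    """
    scheme, host, rest = split_host(ioc)
    prefix = scheme.replace("http", "hxxp") + "://" if scheme else ""
    return prefix + host.replace(".", "[.]") + rest


def host_of(ioc: str) -> str:
    """Host (or IP) part of an indicator in any of the spellings above."""
    return split_host(ioc)[1]


def unique_hosts(iocs) -> list:
    """Collapse differently spelled indicators to a sorted list of distinct hosts."""
    return sorted({host_of(i) for i in iocs})


if __name__ == "__main__":
    for ioc in SAMPLE_INDICATORS:
        print(f"{ioc!r:40} -> refang {refang(ioc)!r:40} defang {defang(ioc)!r}")
    print("distinct hosts:", unique_hosts(SAMPLE_INDICATORS))
```

The round trip refang(defang(x)) == refang(x) holds for every spelling the thread uses, which is what makes it safe to paste defanged indicators into a report and still feed the refanged form to a reputation lookup or a blocklist keyed on host.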

Why is avast! not blocking this malware website…? :o

Hi Be Secure,

Yes it is unbelievable: https://ransomwaretracker.abuse.ch/host/dechehang.com/

We check them, and they come back as “uncategorized, unverified”, which is bad for a CryptoWall C2 detection,
Alibaba’s CNNIC-ALIBABA-CN-NET-AP Hangzhou abuse, detected during all of 2016: https://www.virustotal.com/nl/file/eca0c3af2fec8fa5db493b199af465676418d9ed42002dda80b55c4603b4749f/analysis/1455362734/
https://www.virustotal.com/nl/file/eda3162f6ed98d24a264191927a3198c968cb39823883a01ca4ebd7ee2490f77/analysis/1454977716/
https://www.virustotal.com/nl/file/7318d1d1996024e0a4ca1f017983a3c04932bf0791a581f953f722e340d07dee/analysis/1454913143/
https://www.virustotal.com/nl/file/74d76719feb7878afc0ad3a125797c8b00cb5aa1ea944e1abac2ae0d248ac953/analysis/1454637514/

polonus

BUMP :o

Hi,
We have been blocking dechehang[.]com/gz2qrn.php since 08.09.2016, 16:48, but since we haven’t seen anyone in our userbase (200+ M) actually “visit” the URL in the past 6 months, it was removed from VPS to make space for other (useful) detections. Of course, once we see it active, it will return to VPS again.
The URL is still blocked by URLInfo (cloud service that is used by for example AOS, our browser plugin) and all samples touching the URL (or downloaded from it) will automatically be blocked, so there is no need to be worried.
Honza