hxxp://besttubetech.com/xplays.php?id=40014&name=sahel+kazemi+dui+video&hostingtype=vox&theme=trends&category=hottrends&from=videoplayer
Whois entry for hotexefiles.com 64.20.38.172
Susan Field (susfie16@gmail.com)
1059 Rubaiyat Road
Grand Rapids
Michigan,49503
US
Tel. +001.56578987654
onlinemovies.40014.exe
Result: 8/41 (19.52%)
MD5: 2e02ea10960799a78792e39f5498adb6
VirusTotal
ThreatExpert Analysis
hxxp://hotexefiles.com/
onlinemovies.40069.exe
Result: 2/40 (5%)
MD5: 35b979934376577e4429db4317e5184f
VirusTotal
ThreatExpert Analysis
hxxp://hotexefiles.com/
SIDE NOTE: There may be a misconception as to the purpose of these posts. It is not posting a NEW malware variant or NEW malware altogether. These posts are simply to show the new domain it has switched to. I include the binary downloaded as additional information because we add it to our database. Because the person(s) involved will not respond to my emails, I posted here.
Let’s not make assumptions, people.
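As an added example (not the poster's own tooling), here is a small Python parser for the listing format these posts use: it pulls the defanged hxxp URLs, the "Redirects to" / "Loads files from" chain, the whois IPs and the VirusTotal hash blocks into records that can be loaded into a database, and groups domains that share a hosting IP. The excerpt is constructed from values that appear in the posts.

```python
import re
# Constructed excerpt in this post's own listing format (values copied from the post above).
LISTING = """\
hxxp://best.viralprn.net
Redirects to
hxxp://only.hdpornr.net
Loads files from
hxxp://tvcodec.net
Whois entry for viralprn.net 88.80.19.191
Whois entry for hotexefiles.com 64.20.38.172
Whois entry for exe-dot.com 64.20.38.172
Flash.Player.HD.v10.0.exe
Result: 12/41 (29.27%)
MD5: 947828203c38f7cc2e98277076b747a0
hxxp://hdenabled.com/download/5a6a576343673d3d050cf77920090701/
"""
URL_RE = re.compile(r"^hxxps?://([^/\s?&]+)", re.I)   # defanged scheme only, host part
WHOIS_RE = re.compile(r"^Whois entry for (\S+)\s+(.+)$")
RESULT_RE = re.compile(r"^Result:\s*(\d+)/(\d+)")
MD5_RE = re.compile(r"^MD5:\s*([0-9a-f]{32})$", re.I)
CONNECTORS = {"redirects to", "redirect to", "loads files from"}
def parse_listing(text):
    hosts, edges, whois, samples = [], [], {}, []
    prev_host = connector = sample = None
    for line in (l.strip() for l in text.splitlines()):
        if m := URL_RE.match(line):
            hosts.append(host := m.group(1).lower())
            if connector and prev_host:          # a connector line joined two URLs
                edges.append((prev_host, host, connector))
            if sample and "md5" in sample:       # first URL after a hash block = source
                sample["source"], sample = host, None
            prev_host, connector = host, None
        elif line.lower() in CONNECTORS:
            connector = line.lower()
        elif m := WHOIS_RE.match(line):          # one domain, one or more IPs
            whois[m.group(1).lower()] = [ip.strip() for ip in m.group(2).split(",")]
        elif line.lower().endswith(".exe"):      # start of a binary record
            samples.append(sample := {"name": line})
        elif sample and (m := RESULT_RE.match(line)):
            sample["detections"], sample["engines"] = int(m.group(1)), int(m.group(2))
        elif sample and (m := MD5_RE.match(line)):
            sample["md5"] = m.group(1).lower()
    return {"hosts": hosts, "edges": edges, "whois": whois, "samples": samples}

def shared_ips(whois):  # IPs hosting more than one listed domain (the 64.20.38.172 cluster)
    by_ip = {}
    for domain, ips in whois.items():
        for ip in ips:
            by_ip.setdefault(ip, []).append(domain)
    return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}
```

Non-defanged URLs are deliberately ignored so a stray live link in a post never ends up in the indicator set by accident.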
Found these sites today while browsing on Google Video. The redirection is triggered by a video.google.com referrer and pushes the user through a few domains before serving the download; it may be triggered by other video sites as well. The site offers an "HD codec" for Flash Player and features a cute installation process when you visit it.
hxxp://best.viralprn.net
Redirects to
hxxp://only.hdpornr.net
Loads files from
hxxp://tvcodec.net

Whois entry for viralprn.net 88.80.19.191
Whois entry for hdpornr.net 195.95.151.178
Whois entry for tvcodec.net 91.194.10.60
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Whois entry for hdenabled.com 213.163.66.241
Flash.Player.HD.v10.0.exe
Result: 12/41 (29.27%)
MD5: 947828203c38f7cc2e98277076b747a0
VirusTotal
ThreatExpert Analysis
hxxp://hdenabled.com/download/5a6a576343673d3d050cf77920090701/
Whois entry for advanedspywarescan.com 78.46.251.41, 83.133.126.155, 94.102.48.29, 69.4.230.205
Privat person
Mikhail Peshkov xors678@freebbmail.com
+74952783440 fax: +74952783440
ul. Rozanova 28-51
Moskva Moskovskay oblast 126105
ru
Setup-27a_02022.exe
Result: 0/41 (0.00%)
MD5: a778ceee0fa0161bf77fa318fa3f1a51
VirusTotal
ThreatExpert Analysis
hxxp://advanedspywarescan.com/download.php?id=2022
hxxp://advanedspywarescan.com/download/
hxxp://m10b.com/in.cgi?2&parameter=
Redirect to
hxxp://www.specialsuggestion.com/rl_keycmp.php?ct=46LU7&key=
Redirect to
hxxp://m11b.org/in.cgi?2&parameter=
Redirect to
hxxp://fast-filedownload.com/l/6c524f9d7bv7bp6en
Whois entry for fast-filedownload.com 89.149.254.174
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Whois entry for ez-scanner-online.com 89.149.254.174
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
wsetup.exe (Rogue: Smart Defender PRO)
Result: 3/40 (7.5%)
MD5: 3d444f4c4bf2638aaa996c6c90d3f7f1
VirusTotal
ThreatExpert Analysis
hxxp://ez-scanner-online.com/5/11/0/
hxxp://tube-best-4free.com/xplay.php
Whois entry for exe-dot.com 64.20.38.172
Jamie Sires (jamisires@gmail.com)
1898 Farm Meadow Drive
Brentwood
Tennessee,37027
US
Tel. +001.90987876765
TubeViewer.ver.6.40000.exe
Result: 2/41 (4.88%)
MD5: c682fd006ebe668f23121e99f4ad5b1a
VirusTotal
ThreatExpert Analysis
hxxp://exe-dot.com/
hxxp://74.86.144.178/url/go.php?sid=15&q=
Redirect to
hxxp://avyciso.cn/?wm=70126 &q=
Whois entry for avyciso.cn 64.20.38.172
Domain Status: clientTransferProhibited
Registrant Organization: null
Administrative Email: dfgsegzhfs@yahoo.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.pubilcnameserver7.com
Name Server:ns2.pubilcnameserver7.com
Registration Date: 2008-12-30 16:31
Expiration Date: 2009-12-30 16:31
This has the same payload as in my previous post here.
hxxp://6-tube-world.com/xplays.php?id=40014&name=
Whois entry for greatexe.com 64.20.38.172
Ernest Cobb (ernescobb@gmail.com)
1423 Kimberly Way
Caledonia
Maryland,49316
US
Tel. +001.32349806580
streamviewer.40014.exe
Result: 2/41 (4.88%)
MD5: 0f186559c2ec346757225fbfc8faf39d
VirusTotal
ThreatExpert Analysis
hxxp://greatexe.com/
keygen.Stellar.Phoenix.File.Recovery..3.0.0.1.45088.exe or keygen.AVS.Audio.Converter.5.1.1.283.45088.exe or keygen.SecureCRT.6.0.45088.exe
Result: 2/41 (4.88%)
MD5: 669df9421bdaa7b24fa38a66d4135c25
VirusTotal
ThreatExpert Analysis
hxxp://greatexe.com/
hxxp://74.86.144.178/url/go.php?sid=15&q=Liquid+Foam+Urethane+For+Race+Cars
Redirects to
hxxp://avomec.cn/?wm=70126%20&q=Liquid+Foam+Urethane+For+Race+Cars
Whois entry for avomec.cn 195.95.151.174
Domain Status: clientTransferProhibited
Registrant Organization: null
Administrative Email: dfgsegzhfs@yahoo.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.pubilcnameserver7.com
Name Server:ns2.pubilcnameserver7.com
Registration Date: 2008-12-30 15:40
Expiration Date: 2009-12-30 15:40
installer_70126.exe
Result: 20/41 (48.79%)
MD5: a85fc3c3122d9dfb7a7ced965559d999
VirusTotal
ThreatExpert Analysis
hxxp://avomec.cn/