Archive for the 'Malicious Links' Category

13 Nov

Database Update - 16 Files (Low-Moderate Detection)

Another update for tonight. Should have more over the weekend. Find them in /pnuemo-malware/.

BE ADVISED: These URLs may still be active. Proceed at your own risk!

services.exe
Result: 19/36 (52.78%)
MD5: c629db60a9a5d7303419b5153d3e9b0b
VirusTotal
ThreatExpert Analysis

nd82m0.dll
Result: 5/36 (13.89%)
MD5: d6f2135dc562c7d4992cf2cea2166707
VirusTotal
ThreatExpert Analysis
hxxp://85.17.166.182

kb600179.dll
Result: 5/36 (13.89%)
MD5: f946f8c3de445d45c7eb34591bee037b
VirusTotal
ThreatExpert Analysis
hxxp://89.188.16.30

setup_457_6777_.exe
Result: 1/36 (2.78%)
MD5: e9339f9045368947789ec70739de4b21
VirusTotal
ThreatExpert Analysis
hxxp://files.download-antispyware.com

scanner_457_6777_.exe
Result: 16/36 (44.44%)
MD5: e0f855c6c5fc93f0a8ed1fe9e702e492
VirusTotal
ThreatExpert Analysis
hxxp://dl.storage-antispyware.com/get/

42.exe
Result: 4/36 (11.12%)
MD5: f5201b9e77b7b31443b4e0e6190e219f
VirusTotal
ThreatExpert Analysis
hxxp://85.92.157.141/mxlivemedia/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

mvnzivtlmzhxi.dll
Result: 7/36 (19.45%)
MD5: 7614e7448f1983b9641e9699f67576a4
VirusTotal
ThreatExpert Analysis

pdf.pdf
Result: 6/36 (16.67%)
MD5: a3f83503a165a19c4b01328463175cd7
VirusTotal
hxxp://activision.cc/1/spl

twext.exe
Result: 11/36 (30.56%)
MD5: 5767c816cb20753976df2edb60eaf448
VirusTotal
ThreatExpert Analysis

load.exe
Result: 12/36 (33.34%)
MD5: 9b467bdc6dd1b3e68651b7039cd373c8
VirusTotal
ThreatExpert Analysis
hxxp://activision.cc/1/

xcvb.pdf
Result: 4/36 (11.12%)
MD5: e3b86145de00ebfab3e3159d24b81104
VirusTotal
hxxp://91.203.92.137/xcv/

install.exe
Result: 16/36 (44.45%)
MD5: 0869881865032bd1b3b08d82e5e4f404
VirusTotal
ThreatExpert Analysis
hxxp://91.203.92.137/xcv/

beep.sys & figaro.sys
Result: 29/36 (80.56%)
MD5: c4618f889863b5aa357f5f5ba8f353d6
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 14/36 (38.89%)
MD5: 0d63a88fdb4259de8280f8bb7d78ec35
VirusTotal
ThreatExpert Analysis

KB908268.exe
Result: 7/36 (19.45%)
MD5: 504eb66e741186a61792862f0a83ff82
VirusTotal
ThreatExpert Analysis
hxxp://76.74.239.143/weruoiq/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis
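
The entries above, and the database updates further down this page, follow a fixed shape: file name (sometimes with a "Downloads or Creates" note), a VirusTotal "Result: x/y" line, an MD5, the link captions, and then the hosting URL written as hxxp:// so it is not clickable. The Python below is an added example, not code from the original post or from the pnuemo-malware repository, that parses a listing in that shape into records and cross-checks them: it tolerates the hash being wrapped onto the line after "MD5:" (as it is for services.exe), accepts only 32 hex digits as a hash, groups entries that share a hash, and lists samples under a detection threshold. Sharing a hash under two names means the same file (a dropper copying itself under a new name) or a copy-paste slip in the listing; either way it is worth noticing, and on this page msansspc.dll is listed twice in this update, while setup.exe and uesiuqcr.exe in the 24 Oct update carry the same MD5. SAMPLE is a constructed excerpt copied from entries on this page; the 15% threshold is an arbitrary choice, not one the posts define.

```python
"""Parse the file / Result / MD5 / hxxp URL listings used in these posts.

Added example, not from the original post. SAMPLE is a constructed excerpt
copied from entries on this page so the script runs offline.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# "Result: 19/36 (52.78%)" -> detections / engines
RESULT_RE = re.compile(r"^Result:\s*(\d+)\s*/\s*(\d+)")
# "MD5: <hash>", or a bare "MD5:" with the hash wrapped onto the next line
MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})?\s*$")
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# the posts defang links as hxxp:// so they are not clickable
URL_RE = re.compile(r"^hxxps?://\S+$", re.IGNORECASE)
# link captions that carry no data in the extracted page
LINK_CAPTIONS = {"VirusTotal", "ThreatExpert", "ThreatExpert Analysis", "Sunbelt Sandbox"}

SAMPLE = """\
services.exe
Result: 19/36 (52.78%)
MD5:
c629db60a9a5d7303419b5153d3e9b0b
VirusTotal
ThreatExpert Analysis

nd82m0.dll
Result: 5/36 (13.89%)
MD5: d6f2135dc562c7d4992cf2cea2166707
VirusTotal
ThreatExpert Analysis
hxxp://85.17.166.182

setup_457_6777_.exe
Result: 1/36 (2.78%)
MD5: e9339f9045368947789ec70739de4b21
VirusTotal
ThreatExpert Analysis
hxxp://files.download-antispyware.com

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

setup.exe (Downloads or Creates: getsn32.dll, smwin32.dll, & uesiuqcr.exe)
Result: 11/36 (30.56%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert
hxxp://kb960830-sp2-x86.enu.v6.updates.cab.windowupdate.micros0ft.com.microsofred.cn/

uesiuqcr.exe
Result: 12/36 (33.34%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis
"""


@dataclass
class Entry:
    name: str                      # file name plus any "(Downloads or Creates: ...)" note
    detections: int = 0
    engines: int = 0
    md5: str = ""
    urls: list = field(default_factory=list)

    @property
    def ratio(self) -> float:
        return self.detections / self.engines if self.engines else 0.0


def parse_listing(text: str) -> list:
    entries, current, expect_hash = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue                               # blank lines only separate entries
        if expect_hash:                            # hash wrapped onto the line after "MD5:"
            if HEX32_RE.match(line):
                current.md5 = line.lower()
            expect_hash = False
            continue
        if line in LINK_CAPTIONS:
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            current.detections, current.engines = int(m[1]), int(m[2])
            continue
        m = MD5_RE.match(line)
        if m and current is not None:
            if m[1]:
                current.md5 = m[1].lower()
            else:
                expect_hash = True
            continue
        if URL_RE.match(line) and current is not None:
            current.urls.append(line)
            continue
        current = Entry(name=line)                 # anything else starts a new entry
        entries.append(current)
    return entries


def shared_hashes(entries: list) -> dict:
    """MD5 -> names, for hashes listed under more than one entry."""
    by_hash = defaultdict(list)
    for e in entries:
        if e.md5:
            by_hash[e.md5].append(e.name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def low_detection(entries: list, threshold: float = 0.15) -> list:
    """Names of samples below the threshold: a hash blocklist catches these
    while most engines still do not."""
    return [e.name for e in entries if e.engines and e.ratio < threshold]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for e in parsed:
        print(f"{e.detections:>2}/{e.engines} {e.md5} {e.name} {' '.join(e.urls)}")
    print("shared hashes:", shared_hashes(parsed))
    print("below 15%:", low_detection(parsed))
```

Because the parser treats any line it cannot classify as the start of a new entry, a listing that mixes in prose (the "Removal:" lines in the 24 Oct update, for instance) will produce junk entries with no hash; filter on `e.md5` before using the output as a blocklist.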

12 Nov

Fake control panel app installing multiple malware binaries

Came across this nasty bugger today. It installs a few banker trojans, generic trojans, and a rootkit. Below you can see all of the files that it installs on the computer. These files are available in /pnuemo-malware/. Please read our FAQ for access to our repository.

BE ADVISED: These URLs may still be active. Proceed at your own risk!

video.cpl
Result: 19/36 (52.78%)
MD5: c87f1736ab9ac5d80a4027b5ba139f7c
VirusTotal
ThreatExpert Analysis
hxxp://amateur-sexy.whyza.net

kodnkwnv.sys
Result: 3/36 (8.34%)
MD5: 4ad5d5229f85f42e873fda98190b2f19
VirusTotal
ThreatExpert Analysis

certificado.exe
Result: 11/36 (30.56%)
MD5: 500a7df333ebe3d1e11d18b08b005e1e
VirusTotal
ThreatExpert Analysis

msnsgs.exe
Result: 17/36 (47.23%)
MD5: f53fea0cef9389535f9df74981527268
VirusTotal
ThreatExpert Analysis

codecs.exe & svchosts.exe & avg.exe
Result: 20/36 (55.56%)
MD5: 7b51419b022709cffec32fa24a23f510
VirusTotal
ThreatExpert Analysis

nppagent.exe
Result: 13/36 (36.12%)
MD5: 91f4c75a4f000f3b5bdc2cd74fb5d0d8
VirusTotal
ThreatExpert Analysis

outlok.exe
Result: 24/36 (66.67%)
MD5: 4dd0afcca8764bce567ebd853f022db7
VirusTotal
ThreatExpert Analysis

sounds.exe
Result: 11/35 (31.43%)
MD5: 0fba190253a84d28d022008ee42ea8e5
VirusTotal
ThreatExpert Analysis

sysmod.exe
Result: 11/35 (31.43%)
MD5: 2eb09ac08f87b9c4dd54c9d4be9241cc
VirusTotal
ThreatExpert Analysis

25 Oct

Ocean Bank phishing/malware distribution through fake SSL certificate

Found another phishing/malware distribution scheme, this time using Ocean Bank. Just as with the ones we’ve seen in the past, it pushes a file to download that the page claims is an SSL certificate needed for security purposes. As you’ll see below, there are quite a few URLs pushing this malware, and the ones listed are just a fraction of the total. Once the file is run, it installs a rootkit on the system. The sample is available in /pnuemo-malware/.

BE ADVISED: These URLs may still be active. Proceed at your own risk.

Oceanmultissl.exe (Downloads or Creates: s.exe)
Result: 21/34 (61.77%)
MD5: c4906f64d0ea19dab7a9e7626ee40781
VirusTotal
ThreatExpert Analysis

s.exe & 9129837.exe (Downloads or Creates: 9129837.exe & new_drv.sys)
Result: 18/36 (50%)
MD5: d951f3a8e3485c3c150ba17c0f53db86
VirusTotal
ThreatExpert Analysis

new_drv.sys
Result: 34/36 (94.45%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
ThreatExpert Analysis

ns1.domensinter.com
ns2.domensinter.com

hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.verification.0wylzehgk.edfrkti.com/103541.html?/renewmirror/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.demystifying.1vzohkwd0.edfrkti.com/103541.html?/ptcontrol/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.procedure.gnyit07m8.edfrkti.com/103541.html?/onlineupdate/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.jdv6kcukz.ceuewys.com/103541.html?/comreportid/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.ifzsgwhsm.edfrkti.com/103541.html?/customerlogin/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.bankonenet.9sxkghaq8.gineehg.com/103541.html?/viewcontent/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.renewmirror.mnskscirl.ceuewys.com/103541.html?/sitesurvey/encrypted
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.ptcontrol.jcpptbgdz.ceuewys.com/103541.html?/procedure/actionvalidate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.carehtmlclient.lg3qhifus.ceuewys.com/103541.html?/memberverify/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.bankonenet.aldz11d6n.gineehg.com/103541.html?/bankonenet/bankonline
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.rnalid.gyomouftr.reueys.com/103541.html?/securitychallenge/memberverify
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.portalserver.fkquawuv8.ceuewys.com/103541.html?/verification/exacttrget
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.selfservice.servletdologin.jgu801sal.edfrkti.com/103541.html?/servletdologin/bankonenet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.securitychallenge.certificateupdate.dpf29qakc.edfrkti.com/103541.html?/bankonline/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.portalserver.rczkjzpmm.reuybso.com/103541.html?/memberverify/procedure
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.onlineupdatemirror.pqwzbc38r.reueys.com/103541.html?/communitypage/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.slapiservlet.kjlxlurym.gineehg.com/103541.html?/certificateUpdate/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.demystifying.kululslhk.edfrkti.com/103541.html?/cfmasternbank/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.comreportid.0hbfmxry5.reueys.com/103541.html?/configlogin/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.bankonenet.jrbks5mu1.reueys.com/103541.html?/demystifying/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.sessionervlet.zsbtlddf1.gineehg.com/103541.html?/doexte/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.ptcontrol.e9s82vmjo.edfrkti.com/103541.html?/ptcontrol/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.productsremote.uj8mqt7af.edfrkti.com/103541.html?/carehtmlclient/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.portalserver.uhdirryyz.edfrkti.com/103541.html?/services/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.bankonline.xfadkkfg9.reueys.com/103541.html?/services/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.onlineupdatemirror.hia3rhicq.edfrkti.com/103541.html?/linkbrowse/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.exacttrget.sl1iyagjp.reueys.com/103541.html?/comservlet/communitypage
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.demystifying.ebulerhz1.reuybso.com/103541.html?/linkbrowse/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.carehtmlclient.m0fz6fjtp.reuybso.com/103541.html?/customerlogin/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.renewmirror.e4s0uhfhb.edfrkti.com/103541.html?/communitypage/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.exacttrget.mkcxdf604.reueys.com/103541.html?/onlineupdatemirror/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.communitypage.f3lg1sydw.edfrkti.com/103541.html?/carehtmlclient/demystifying
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.onlineupdate.services.bodkqha20.edfrkti.com/103541.html?/communitypage/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.memberverify.certificateupdate.h5sfn919q.gineehg.com/103541.html?/exacttrget/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.linkbrowse.privatelogin.ehe2hxod6.edfrkti.com/103541.html?/privatelogin/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.exacttrget.demystifying.djzxt6l3z.edfrkti.com/103541.html?/bankonenet/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.encrypted.siteminderagent.oit17c3jq.edfrkti.com/103541.html?/sessionervlet/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.rnalid.p7jzbwnji.gineehg.com/103541.html?/renewmirror/sitesurvey
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.ptcontrol.utqnl5dg0.ceuewys.com/103541.html?/exacttrget/privatelogin

24 Oct

Database Update - 28 Files (Moderate Detection)

Here is an update of files from this past week. These files are available in /pnuemo-malware/ in our repository. PLEASE READ UPDATED README.TXT!

BE ADVISED: These URLs may still be active. Proceed at your own risk.

certificado-3.15.exe
Result: 12/36 (33.34%)
MD5: b249760cd0c1a3b21df8993604efe36b
VirusTotal
ThreatExpert
hxxp://212.98.9.4/Bradesco.com.br/

Flash_Player_9.exe (Downloads or Creates: winexec32.exe & wsys33.exe)
Result: 18/36 (50%)
MD5: f6d3cc53df4a70ee53a9a0a5288834da
VirusTotal
ThreatExpert
hxxp://www.momocortes.com/blog/media/2/

wsys33.exe
Result: 10/36 (27.78%)
MD5: fa0f6781e99d1d78c0d24417cb7b88fd
VirusTotal
Sunbelt Sandbox

exe.exe (Downloads or Creates: vhosts.exe)
Result: 24/36 (66.67%)
MD5: c28f755cdf4863de48659d84c68efab7
VirusTotal
ThreatExpert
hxxp://verynicejob.info/sxe/load.php

02.exe
Result: 8/36 (22.23%)
MD5: 166da263d55d3a06b0bac738ceea769a
VirusTotal
ThreatExpert
hxxp://regect.mobi/

item.gif (Downloads or creates: msxml71.dll)
Result: 7/35 (20%)
MD5: 0a5b198090739429b0e939078517c4d8
VirusTotal
ThreatExpert
hxxp://nessotr-help.com/images/

msxml71.dll
Result: 8/36 (22.23%)
MD5: 46b14c6da49eba5ab1a07bd63b001057
VirusTotal
ThreatExpert

skash.exe (Downloads or creates: figaro.sys, beep.sys, & brastk.exe)
Result: 17/36 (47.23%)
MD5: df565df07afc10489c4b419b1f252158
VirusTotal
ThreatExpert
hxxp://destinationsurfersparadise.com.au/lsi/

beep.sys & figaro.sys
Result: 31/36 (86.12%)
MD5: 14054908c961bb3af74f08fc9dbddeac
VirusTotal

brastk.exe
Result: 17/36 (47.23%)
MD5: 18bc3ea8f0ec094e5a8bacf19e4413b0
VirusTotal
ThreatExpert

serce.php
Result: 7/36 (19.45%)
MD5: 0f3d0ea3905df454581e0c59595f72a6
VirusTotal
ThreatExpert

ex002.exe
Result: 11/36 (30.56%)
MD5: 6f6b2be08feb03f26c84100a24b4891e
VirusTotal
ThreatExpert
hxxp://traff.loadmore.eu/t/l/

setup_1_1_.exe (Installs Pro Antispyware 2009)
Result: 1/36 (2.78%)
MD5: d62c9998be552d4a7189f4c656501e81
VirusTotal
ThreatExpert
hxxp://files.proas2009dl.com/load/

pdf.pdf
Result: 7/36 (19.45%)
MD5: 746f87f5fcf309bc0c5bc422007f3740
VirusTotal
hxxp://svinushka.net/forum/spl/

video20798.cfg
Result: 11/36 (30.56%)
MD5: 1b06e026fdb1fe6e42e66472bae3cc74
VirusTotal
hxxp://lyox-lib.com/addon/

9llCJ4amiU.exe
Result: 10/36 (27.78%)
MD5: 0662482dea0f312e1ed7bfdab7cf86b1
VirusTotal
ThreatExpert
hxxp://78.157.143.225/EX/

video.cfg
Result: 8/36 (22.23%)
MD5: 75dfc5f4c4cbc9367a830d216dec62a4
VirusTotal
hxxp://69.46.24.95/addon/

DivXCodecPKG.7.exe
Result: 2/36 (5.56%)
MD5: f6b635b62fe9a91e9bc0eb01ee827f67
VirusTotal
ThreatExpert
hxxp://softawe-download-forpc.com/

7-v3av.exe (Downloads or Creates: beep.sys, figaro.sys, & brastk.exe)
Result: 12/36 (33.34%)
MD5: aed0e8cb43f48862d89daf441fd844da
VirusTotal
ThreatExpert
hxxp://91.203.92.121/7-v3av.exe

beep.sys & figaro.sys
Result: 30/36 (83.34%)
MD5: b01ed4cec7f0aa6232d49202a71e3a5c
VirusTotal

brastk.exe
Result: 11/36 (30.56%)
MD5: faa1dfd63f02675c4e717c01a476e1f8
VirusTotal
ThreatExpert

setup.exe (Downloads or Creates: getsn32.dll, smwin32.dll, & uesiuqcr.exe)
Result: 11/36 (30.56%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert
hxxp://kb960830-sp2-x86.enu.v6.updates.cab.windowupdate.micros0ft.com.microsofred.cn/

getsn32.dll
Result: 5/36 (13.89%)
MD5: a33aa3d2d4f3a78aa51b3bafb9ce34e1
VirusTotal
ThreatExpert

smwin32.dll
Result: 2/36 (5.56%)
MD5: 39f89f98990a946bc31cb0271b2d3e19
VirusTotal
ThreatExpert

uesiuqcr.exe
Result: 12/36 (33.34%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert

b156.exe
Result: 18/36 (50%)
MD5: 05411d4f5b6a3b430dcd30bea1731362
VirusTotal
ThreatExpert
hxxp://dl2.bundlext.com:8080/get.php

Removal:
Remove this threat with MalwareBytes!

15 Oct

Database Update - 13 Files (Low-Moderate Detection)

Here is today's update of malware. Some interesting finds today! As always, the files are available under /pnuemo-malware/ in our repository.

BE ADVISED: The URLs may still be live. Proceed at your own risk.

Serv46.exe & asedf2g2.exe (Downloads/Creates the files: tcpip.sys, MSWINSCK.OCX, asedf2g2.exe, & jhil8.exe)
Result: 11/36 (30.56%)
MD5: ebbbda43a97c73d50adc34803155cc41
VirusTotal
ThreatExpert Analysis
hxxp://58.221.254.219:86/Serv46.exe

MSWINSCK.OCX
Result: 0/36 (0%)
MD5: e8a2190a9e8ee5e5d2e0b599bbf9dda6
VirusTotal

jhil8.exe
Result: 2/36 (5.56%)
MD5: 04d98f36c2a1b79a40c97619c1c3ed31
VirusTotal
ThreatExpert Analysis

tcpip.sys
Result: 1/36 (2.78%)
MD5: 1745b00fc1141404b28f4b94f69a8871
VirusTotal
ThreatExpert Analysis

Psetup.exe (Downloads/Creates the files: newie.exe & msgsvc.dll)
Result: 6/36 (16.67%)
MD5: 812474725260a3646b5f0ecad9602ee5
VirusTotal
ThreatExpert Analysis
hxxp://soft.client-get-data.com/soft2/qq569752824/Psetup.exe

newie.exe
Result: 3/36 (8.34%)
MD5: af619d7871d7dbb4dbd3295c4336d76b
VirusTotal
ThreatExpert Analysis
hxxp://soft.client-get-data.com/soft2/qq569752824

msgsvc.dll
Result: 4/36 (11.12%)
MD5: 103d90d32fcf59b82a2315820bbe7470
VirusTotal
Sunbelt Sandbox

DSC1435.exe (Downloads/Creates the files: DJ12335.exe & D4722.exe)
Result: 11/36 (30.56%)
MD5: d837e1f5ff46c8e51c442690705782fd
VirusTotal
ThreatExpert Analysis

DJ12335.exe
Result: 16/36 (44.45%)
MD5: a5785c6cc41bcd48b94d8bf2477c9004
VirusTotal
ThreatExpert Analysis
hxxp://chiring.de/temp

D4722.exe (Downloads/Creates the files: Windows32.exe)
Result: 14/36 (38.89%)
MD5: a267139ce72faff6e05394792b031e49
VirusTotal
ThreatExpert Analysis
hxxp://chiring.de/temp

Windows32.exe
Result: 13/35 (37.14%)
MD5: c1a850a6c0946a3a970715968279236b
VirusTotal

showsoft.exe
Result: 4/36 (11.12%)
MD5: a2c091f45b4319ba2aeba3527c50db73
VirusTotal
ThreatExpert Analysis
hxxp://www.777tool.com/showsoft.exe

14 Oct

eBay phishing websites

Here are some domains hosting eBay phishing sites, intended to harvest user credentials for the popular auction site. This post, along with the M&I Bank post, is intended to show how well these pages are made and how they can trick even an educated web surfer.

Below is a screenshot of the phishing website along with domains that are currently hosting the phishing site.

hxxp://signin.ebay.com.pwitr7y9scfbu51yl.333krv7olw2ynfgw1n.web.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=x&ref=eb&sspagename=ADME:X:CEM:US
hxxp://signin.ebay.com.gdriyip90t1a.333m9ocosl9h7fo985.info.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=belfire27@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.j4eupml07uipz.333ana77x9jwudokll.net.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=mattlisab28@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.ri0g9apjjlf4algqb8k.333krv7olw2ynfgw1n.info.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=saco252@aol.com&ref=eba1&sspagename=ADME:X:CEM:US
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.f033ab37c30201f73f142449d037028d.mldfki29y30x11lpx3.com/ws/eBayISAPI.dll/?cmd=SignIn&co_partnerId=2&pUserId=&email=dropshippeddirect@verizon.net&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor&MfcISAPICommand=ConfirmRegistration
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.44f683a84163b3523afe57c2e008bc8c.df34uifyn389o13f1c.com/ws/eBayISAPI.dll/?cmd=SignIn&
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.ea5d2f1c4608232e07d3aa3d998e5135.df34uifyn389o13f1c.com/ws/eBayISAPI.dll/?cmd=SignIn&
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.fe9fc289c3ff0af142b6d3bead98a923.pqmdcjh8y2tnx2i3rc.com/ws/eBayISAPI.dll/?cmd=SignIn&co_partnerId=2&pUserId=&email=margimac@earthlink.net&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor&MfcISAPICommand=ConfirmRegistration
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.d82c8d1619ad8176d665453cfb2e55f0.pqmdcjh8y2tnx2i3rc.com/ws/eBayISAPI.dll/?cmd=SecurityMeasure&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&email=lance@lbcad.com
hxxp://signin.ebay.com.0m3kw84y2qx3mdf.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=lisettechiasson@hotmail.com&ref=eb&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.j03tlcwradrnyl6ecj.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=tlizzie1@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.rbjvo7q3uk3dpnj.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=moskaterx@yahoo.com&ref=eb&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.5ya63pn8gzhev4ko413.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=robdebaa@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.4oz0i3iiahwup.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=fx94@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.cflc4xfunpul.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=jackster@consolidated.net&ref=eb&sspagename=ADME:X:CEM:U

14 Oct

M&I Bank Malware/Phishing Websites

There is a campaign to spread malware through fake M&I Bank websites. The malware these pages try to install was featured in today's database update and can be found at /pnuemo-malware/MIbankcertificate.zip in our repository.

Below is a screenshot of the website along with a list of some of the domains hosting these pages. Luckily, both Firefox and Internet Explorer detected these as suspicious pages.

hxxp://businessportal.mibank.mibusinessonlinebanking.qzbpkh9in1q7mzd.bankonenet.services.wlienex.com/subsections.htm?/actionvalidate/onlineupdate/OSL.htm?LOB=3163895149&refer=bpkH9iN1Q7mzDrZ
hxxp://businessportal.mibank.mibusinessonlinebanking.sybzjefp95juuqd.bankonline.configlogin.bineeo.com/subsections.htm?/viewcontent/privatelogin/OSL.htm?LOB=0820757379&refer=bZjEFP95juuQd8T
hxxp://businessportal.mibank.mibusinessonlinebanking.hgt7nxvcm13ieqf.renewmirror.siteminderagent.sddgus.com/subsections.htm?/carehtmlclient/bankonline/OSL.htm?LOB=6355552810&refer=T7nXvCm13IEqfNX
hxxp://businessportal.mibank.mibusinessonlinebanking.4xgbf1wlvys8xl4.doexte.linkbrowse.sddgus.com/subsections.htm?/actionvalidate/ptcontrol/OSL.htm?LOB=5425746488&refer=gbf1WlVyS8xl4Xg
hxxp://businessportal.mibank.mibusinessonlinebanking.sb0pryfloi89guq.renewmirror.productsremote.bineeo.com/subsections.htm?/doexte/exacttrget/OSL.htm?LOB=8754725917&refer=0PrYFloI89GuQAR
hxxp://businessportal.mibank.mibusinessonlinebanking.ibxtphpk5roeojr.comservlet.servletdologin.bineeo.com/subsections.htm?/procedure/privatelogin/OSL.htm?LOB=5359068295&refer=XTPHPk5rOEOJrK4
hxxp://businessportal.mibank.mibusinessonlinebanking.9cl3xftk4ni9t9t.servletdologin.ptcontrol.bineeo.com/subsections.htm?/onlineupdate/configlogin/OSL.htm?LOB=1831421831&refer=L3Xftk4nI9T9tv5
hxxp://businessportal.mibank.mibusinessonlinebanking.ynqcyrmfqwjt2st.bankonenet.comreportid.bueozia.com/subsections.htm?/bankonline/customerlogin/OSL.htm?LOB=2678391850&refer=QCyrmFqWJt2stbY
hxxp://businessportal.mibank.mibusinessonlinebanking.j880s7k6hjwpqsz.onlineupdate.onlineupdate.bueozia.com/subsections.htm?/configlogin/customerlogin/OSL.htm?LOB=2783087268&refer=80S7k6HjwpQSzmp
hxxp://businessportal.mibank.mibusinessonlinebanking.4vlhcq1ray5plj8.securitychallenge.configlogin.sddgus.com/subsections.htm?/verification/encrypted/OSL.htm?LOB=1963750084&refer=lhCQ1RAy5Plj8qn
hxxp://businessportal.mibank.mibusinessonlinebanking.w4kjtij48tuycyg.bankonenet.carehtmlclient.bueozia.com/subsections.htm?/cfmasternbank/doexte/OSL.htm?LOB=7399944416&refer=kJtij48TUYCYgR6
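
The URL floods in the Ocean Bank list above, the eBay list and this M&I Bank list all use the same trick: the brand name and plausible banking words are stacked into the left-hand labels of the host name, while the domain the attacker actually registered, the part a blocklist entry or a registrar takedown has to target, is only the last two or three labels (edfrkti.com, ceuewys.com, gineehg.com, reueys.com and reuybso.com for Ocean Bank; wlienex.com, bineeo.com, sddgus.com and bueozia.com here). The Python below is an added example, not code from the original posts, that strips the hxxp defanging, reduces each host to its registrable domain, counts how many URLs collapse onto each, and flags hosts where a brand string sits left of that domain. SAMPLE_URLS is a constructed excerpt of URLs copied from those three lists; TWO_LABEL_SUFFIXES is a small stand-in for the Public Suffix List that covers only the suffixes appearing on this page, and BRANDS is a constructed watch list.

```python
"""Collapse the phishing host names on this page to the attacker's
registered domains and flag brand names used as subdomain bait.

Added example, not from the original posts. SAMPLE_URLS are copied from the
Ocean Bank, eBay and M&I Bank lists; TWO_LABEL_SUFFIXES is a constructed
stand-in for the Public Suffix List (assumption: load the full list in real use).
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Second-level public suffixes needed for the hosts on this page. Anything not
# listed is treated as a one-label TLD such as .com or .cn.
TWO_LABEL_SUFFIXES = {"com.ve", "net.ve", "info.ve", "web.ve", "com.br", "com.au"}

# Brand strings that should never appear *left of* the registrable domain.
BRANDS = ("ebay.com", "oceanbank", "mibank")

SAMPLE_URLS = [
    "hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.verification.0wylzehgk.edfrkti.com/103541.html?/renewmirror/verification",
    "hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.jdv6kcukz.ceuewys.com/103541.html?/comreportid/onlineupdate",
    "hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.bankonenet.9sxkghaq8.gineehg.com/103541.html?/viewcontent/rnalid",
    "hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.securitychallenge.certificateupdate.dpf29qakc.edfrkti.com/103541.html?/bankonline/sessionervlet",
    "hxxp://signin.ebay.com.pwitr7y9scfbu51yl.333krv7olw2ynfgw1n.web.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency",
    "hxxp://signin.ebay.com.0m3kw84y2qx3mdf.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency",
    "hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.44f683a84163b3523afe57c2e008bc8c.df34uifyn389o13f1c.com/ws/eBayISAPI.dll/?cmd=SignIn&",
    "hxxp://businessportal.mibank.mibusinessonlinebanking.qzbpkh9in1q7mzd.bankonenet.services.wlienex.com/subsections.htm?/actionvalidate/onlineupdate/OSL.htm?LOB=3163895149&refer=bpkH9iN1Q7mzDrZ",
    "hxxp://businessportal.mibank.mibusinessonlinebanking.sybzjefp95juuqd.bankonline.configlogin.bineeo.com/subsections.htm?/viewcontent/privatelogin/OSL.htm?LOB=0820757379&refer=bZjEFP95juuQd8T",
]


def refang(url: str) -> str:
    """Turn the posts' hxxp:// back into http:// so urlsplit sees a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def hostname(url: str) -> str:
    return urlsplit(refang(url)).hostname or ""


def registrable_domain(host: str) -> str:
    """Last label plus the TLD, or last two labels when the TLD is two labels
    (com.ve etc.). This is the name the attacker had to register."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def brand_spoofed(host: str, brands=BRANDS) -> bool:
    """True when a brand string appears left of the registrable domain, i.e. the
    'signin.ebay.com.<junk>.<attacker domain>' trick. A genuine host such as
    signin.ebay.com carries the brand inside its registrable domain -> False."""
    reg = registrable_domain(host)
    prefix = host.lower()[: len(host) - len(reg)]
    return any(b in prefix for b in brands)


def domains_by_count(urls) -> Counter:
    """How many of the URLs land on each registered domain."""
    return Counter(registrable_domain(hostname(u)) for u in urls)


if __name__ == "__main__":
    for dom, n in domains_by_count(SAMPLE_URLS).most_common():
        print(f"{n:>3}  {dom}")
    for u in SAMPLE_URLS:
        h = hostname(u)
        print("SPOOF" if brand_spoofed(h) else "ok   ", h)
```

Two things the run shows that the raw lists hide: 333krv7olw2ynfgw1n is registered under both web.ve and com.ve, so blocking must key on the registrable domain rather than the full host, and the eBay hosts really do contain the substring signin.ebay.com, so a naive substring match on the brand would flag the legitimate site too; checking that the brand lies left of the registrable domain is what separates the two.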

14 Oct

Database Update - 9 Files (Low-Moderate Detection)

Here is a fresh round of new malware. All files are available under /pnuemo-malware/ in our repository.

BE ADVISED: These domains may still be active. Proceed at your own risk!

MIbankcertificate.exe (Downloads/Creates the files: 9129837.exe, new_drv.sys, & s.exe)
Result: 6/36 (16.67%)
MD5: 6a5c95ca74f538155b36bb8146920e3b
VirusTotal
ThreatExpert Analysis
hxxp://businessportal.mibank.mibusinessonlinebanking.ytb4odaguh6n7ga.rnalid.carehtmlclient.mdwiers.com

s.exe & 9129837.exe
Result: 4/36 (11.12%)
MD5: 7b09e457f412bf841e04d37658e678db
VirusTotal
ThreatExpert Analysis
hxxp://lodnew.com

new_drv.sys
Result: 33/36 (91.67%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
Sunbelt Sandbox

zcodec.1067.exe
Result: 9/36 (25%)
MD5: e288a47163d936343ca3f7c36d07c08b
VirusTotal
ThreatExpert Analysis
hxxp://codecdownload.funsoft-enjoyportal.com

setup_110144_3_.exe
Result: 4/36 (11.12%)
MD5: 92c50bb6ad9c7edd923cd1ac82a9ccdd
VirusTotal
ThreatExpert Analysis
hxxp://files.pc-security-downloads.com

b156.exe (Downloads/Creates the files: Twain.exe)
Result: 14/36 (38.89%)
MD5: 05411d4f5b6a3b430dcd30bea1731362
VirusTotal
ThreatExpert Analysis
hxxp://dl2.bundlext.com:8080

Twain.exe
Result: 16/36 (44.45%)
MD5: 13d526cefcef5d5f9e49baf7c56dd5db
VirusTotal
Sunbelt Sandbox

keygen.Cool.Burning.Studio.3.1c30 (Downloads/Creates the files: 30980.exe)
Result: 8/36 (22.23%)
MD5: a136a6370f9d9cef72cf1e3563bace00
VirusTotal
ThreatExpert Analysis
hxxp://city-codec.net/download

30980.exe
Result: 9/36 (25%)
MD5: 5f2b7907b87f7000938aa9cd17cdcd0f
VirusTotal
ThreatExpert Analysis

11 Oct

Fake PornTube websites installing malware (Revisited)

More and more fake PornTube websites are appearing. They are planted on compromised web servers running vulnerable software, usually uploaded through SQL injection. Here is another look at these fake sites.

BE ADVISED: The URLs listed may still be live. Proceed at your own risk. Files are available in /pnuemo-malware/.

The user is sent to an initial page that instantly redirects to a second page, which is always the same:

hxxp://domain.com/index1.php -> hxxp://domain.com/index14.php


11 Oct

Database Update - 6 Files (Moderate Detection)

Database update for today. Files are available in /pnuemo-malware/ in our repository. Please visit our FAQ for information on gaining access to our repository.

BE ADVISED: These URLs may still be active. Proceed at your own risk.

plaintext.exe (svc32.dll)
Result: 6/36 (16.67%)
MD5: 9b9ac40318a4c6a1d146e3e78b61bacd
VirusTotal
ThreatExpert Analysis
hxxp://killwinpc.com

ftpgrb.exe (flask32.dll)
Result: 10/36 (27.78%)
MD5: fabc648c06c09d91e313bdadaeb60dc0
VirusTotal
ThreatExpert Analysis
hxxp://killwinpc.com

fotos.inglesa.pif (downloads mswinsck.jpg, svchost.jpg, pross2.jpg and process.jpg, which are executables despite the .jpg extension)
Result: 12/36 (33.34%)
MD5: 128f2c588881eb839a4aa3a250636e43
VirusTotal
ThreatExpert Analysis
hxxp://suport2008.home.sapo.pt/fotos.inglesa.pif

svchost.jpg (svchost.exe)
Result: 18/36 (50%)
MD5: ca4750bcfdd9d032b1fdbee0a4e12c6d
VirusTotal
ThreatExpert Analysis
hxxp://suport2008.kit.net

mswinsck.jpg (mswinsck.exe)
Result: 2/36 (5.56%)
MD5: 6f0c03a2c24e2518f4dd4101dded5483
VirusTotal
ThreatExpert Analysis
hxxp://suport2008.kit.net

pross2.jpg & process.jpg (pross2.exe & process.exe; available as process.zip in the repository)
Result: 18/35 (51.43%)
MD5: 63159d242b4b6d74f92f393b62012c6e
VirusTotal
ThreatExpert Analysis
hxxp://suport2008.kit.net