
2/23/2014

Malicious Downloads of EXPRESS FILES:
Domain: pulidecor.com & go-for-files.com
Win32/ExpressFiles
(U.S.A., U.K., Ukraine, Russia, Netherlands)



ExpressFiles is a program developed by Express Solutions. The most used version is 1.9.3, with over 98% of all installations currently running it. During installation and setup it defines an auto-start registry entry that runs the program on every Windows boot for all user logins. A scheduled task is also added to the Windows Task Scheduler to launch the program at various scheduled times (the schedule varies by version).

The software is designed to connect to the Internet and adds a Windows Firewall exception so that it can do so without interference. The program's main executable is ExpressFiles.exe; it has been seen to consume on average less than one percent of CPU and about 20.48 MB of memory. It also adds an icon to the Windows notification area to provide access to the program. The vast majority of those who have it installed end up removing it after only a couple of weeks.

The software installer includes 10 files and is usually about 9.09 MB (9,531,113 bytes). EFUpdater.exe is the automatic update component, designed to download and apply new updates when new versions are released. Relative to the total number of users, most PCs running it use Windows 7 (SP1) or Windows 8. While about 22% of ExpressFiles users come from the United States, it is also popular in Italy and Germany.
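An added triage script (not part of the original post) that checks a host for the three footprints described above: an all-users autostart entry, a scheduled task and a firewall exception referencing ExpressFiles.exe or EFUpdater.exe. It assumes the autostart lands in the standard HKLM Run keys (the post does not name the key) and needs the Windows 8 or later cmdlets Get-ScheduledTask and Get-NetFirewallRule.

```powershell
# Added example, not from the original post. Executable names come from the
# post; the HKLM Run keys are an assumption about where the autostart entry lives.
$Patterns = @('ExpressFiles.exe', 'EFUpdater.exe')
$Findings = @()

# 1. Autostart entries that apply to every user login (HKLM Run / RunOnce).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    # Skip the PS* metadata properties Get-ItemProperty adds to the object.
    foreach ($Name in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $Value = [string]$Props.$Name
        if ($Patterns | Where-Object { $Value -like "*$_*" }) {
            $Findings += [pscustomobject]@{ Type = 'Autostart'; Where = "$Key\$Name"; Detail = $Value }
        }
    }
}

# 2. Scheduled tasks whose action launches one of the executables.
foreach ($Task in Get-ScheduledTask) {
    foreach ($Action in $Task.Actions) {
        $Cmd = "$($Action.Execute) $($Action.Arguments)"
        if ($Patterns | Where-Object { $Cmd -like "*$_*" }) {
            $Findings += [pscustomobject]@{ Type = 'ScheduledTask'; Where = "$($Task.TaskPath)$($Task.TaskName)"; Detail = $Cmd }
        }
    }
}

# 3. Enabled Windows Firewall allow rules bound to one of the executables.
foreach ($Rule in Get-NetFirewallRule -Action Allow -Enabled True) {
    $App = ($Rule | Get-NetFirewallApplicationFilter).Program
    if ($App -and ($Patterns | Where-Object { $App -like "*$_*" })) {
        $Findings += [pscustomobject]@{ Type = 'FirewallException'; Where = $Rule.DisplayName; Detail = $App }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No ExpressFiles persistence footprints found.' }
```

On Windows 7, which lacks these cmdlets, the same three checks can be done with reg query, schtasks /query /v and netsh advfirewall firewall show rule name=all.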

For more on this threat, see here

MALWARE SITE: EXPRESS FILES (RBN 434)

DOMAIN:

http://pulidecor.com/
  • https://www.virustotal.com/de/url/faf2ea9682c998e9a7d44c054d6f9483e682cd3cbe1bf8ecdbf0f0ad82587cbb/analysis/1393154354/


MALICIOUS LINK:

http://pulidecor.com/KID-ICARUS-DOWNLOAD-CODE.htm
  • https://www.virustotal.com/de/url/8e8fb70f7504c3fc967981edcb7bd1ba0d50832cd5366ebda348434398dc12a1/analysis/1393153202/
Express Files
  • https://www.virustotal.com/de/file/2edf84f8a5daef6398a5a44a730d6c7917c4f25e41cfaf2ff5ba144031aa006e/analysis/1393153844/
  • https://urlquery.net/report.php?id=9609071
------>

DOMAIN/IP:

http://93.174.88.93/
  • https://www.virustotal.com/de/url/97e56e02bb235d9b4d8603a2e189479745361911c618102fa066d4d3b26276cd/analysis/1393155556/
  • https://www.virustotal.com/de/file/94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2/analysis/1393156281/
 
MALICIOUS LINK:
http://93.174.88.93/go.php?q=KID-ICARUS-DOWNLOAD-CODE
  • https://www.virustotal.com/de/url/1fa617458a620b8e6b4c10b903d987b5f1457d22e1addef94abe1da2012f8529/analysis/1393155418/

HTML
  • https://www.virustotal.com/de/file/663de60a22fb540bfd8fae57df84a29e6410b90956c7caaddeb60b7e4c438274/analysis/1393156233/
  • http://wepawet.iseclab.org/view.php?hash=cbe4a405fb132a836b5dd65a79936c98&t=1393155497&type=js
  • https://urlquery.net/report.php?id=9609326
------>

DOMAIN:

http://pushtraffic.net/
  • https://www.virustotal.com/de/url/36276552d4b9b922202792af9bb487791f37eacb6b84154cbef2b8ac07d9b0dd/analysis/1393156637/

HTML (Friendly Error Page...Looool)

  • https://www.virustotal.com/de/file/761bbfe842ec7b0a1861abddca602c1525cd4555a7a56d91cf582511f26f07b4/analysis/1393156583/

MALICIOUS LINK:

http://pushtraffic.net/TDS/?wmid=99934&uid=969&q=KID-ICARUS-DOWNLOAD-CODE
  • https://www.virustotal.com/de/url/043abe5c83ca189dde5ec8d475c706aa7d822fee1c5e57a553e1a9e1044fde89/analysis/1393155686/

HTML

  • https://www.virustotal.com/de/file/fe76e106d6e3f1e9ec900de0a09d3e55f25516ea7400ddef4d2bafc4c9f97be8/analysis/1393155858/
  • http://wepawet.iseclab.org/view.php?hash=be6ba6e4122acfb113c66af27b22fbd6&t=1393155899&type=js
  • https://urlquery.net/report.php?id=9609355