3/01/2014

MALICIOUS BLOG VISITOR (to this Blog & other ones):
www.diecrema.de (IP: 83.169.18.105)
Germany PHISHING
Microsoft Internet Explorer remote code execution via option element CVE-2011-1996

MALICIOUS DOMAIN: Microsoft Internet Explorer remote code execution via option element

http://www.diecrema.de/
  • https://www.virustotal.com/de/url/304393da60a41d90a1c1e81e097f7a65b930ef02d49131972a56c77153ef524e/analysis/1393697717/
HTML
  • https://www.virustotal.com/de/file/1129a906ac309bc8791ab0fc5554f0daa8ea5ad0cfeaa3d809e077de0d94c490/analysis/
Microsoft Internet Explorer remote code execution via option element
  • https://urlquery.net/report.php?id=9729333
  • https://urlquery.net/report.php?id=9729329
  • https://urlquery.net/report.php?id=9729331
INFORMATION ON THIS SECURITY THREAT:


SPAM, SCAM, PHISH DOMAIN:
news.online-surftipps.com & allesunverbindlich.com & tradebutler.de
(Part-time job available)
FRANCE & GERMANY (IP: 2.1.8.110)


Dear Sir or Madam,

An international corporation is looking for committed online office workers for its expansion in Germany.
Very good income opportunities (up to €25 per hour) await you in a part-time or full-time position that you carry out from home.

Click here for the application form.


Kind regards
Your JobKarriere Team

Yours, Petra Vogt

SCREENSHOT SPAM-MAIL

DOMAIN(s) INVOLVED:
http://www.allesunverbindlich.com/
  • https://www.virustotal.com/de/url/a50a28210fc094a6861f49520a028ebc17ab10217b16e82773672250830131c9/analysis/1393670585/

http://news.online-surftipps.com/
  • https://www.virustotal.com/de/url/9b289c2e28e2790291f4b6fad96c31623ea5894c4867379652d4adbda52f3b38/analysis/1393671148/

http://www.tradebutler.de/
  • https://www.virustotal.com/de/url/add54dd3214308f79440b4172d96992a26540b194a048ef92fa2b71d70fc3ac5/analysis/1393671238/

ORIGINATING IP:
2.1.8.110
  • https://www.virustotal.com/de/url/f511e3823cedc584bdcd55ec4b788197390a851dcf630c4398caba3cbc929d36/analysis/1393671338/

LISTED AT SPAMHAUS (PBL):
  • http://www.spamhaus.org/query/bl?ip=2.1.8.110

Email Reputation: Poor
  • http://www.senderbase.org/lookup/?search_string=2.1.8.110

2/28/2014

Category MALICIOUS IP: 68.178.254.121 (www.bonsaihacker.com)
Infected with a spam or malware forwarding link - Botnet
(UNITED STATES)

The IP address 68.178.254.121 (listed in the CBL (Composite Blocking List)) corresponds to a web site that is infected with a spam or malware forwarding link. The website's host name is "www.bonsaihacker.com", and this link is an example of the redirect: "http://www.bonsaihacker.com/infantile.htm?vixe". In other words, the website "www.bonsaihacker.com" has been hacked. Usually, the redirect takes the user's browser to a spam or malware site. It's usually fake Russian pills or pornography.


In several cases, particularly with older compromises, the criminals that hacked this site will have uploaded a wide variety of spamming and other compromise tools. Therefore, the account corresponding to "www.bonsaihacker.com" needs to be examined very carefully for signs of tampering. Further, the criminal will even modify existing web pages (particularly www.bonsaihacker.com itself) to have hidden references to pill/drug/porn sites.

It is believed that the malicious redirects are done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors.

REFERENCES:
68.178.254.121
  • https://www.virustotal.com/de/url/66dfd5856d9fd790189a5f8242c3eb4828b0e02c4e5a3932610e225e9d30e2be/analysis/
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=68.178.254.121
LISTED AT CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=68.178.254.121

FULL REPORT:


Document hosting: UploadEdit.com

Category MALICIOUS IP: 67.225.146.147 (wpnoupfront.authenticbd.com)
Infected with a spam or malware forwarding link - Botnet
(UNITED STATES & RUSSIAN FEDERATION)

The IP address 67.225.146.147 (listed in the CBL (Composite Blocking List)) corresponds to a web site that is infected with a spam or malware forwarding link. The website's host name is "wpnoupfront.authenticbd.com", and this link is an example of the redirect: "http://wpnoupfront.authenticbd.com/invigorating.htm". In other words, the website "wpnoupfront.authenticbd.com" has been hacked. Usually, the redirect takes the user's browser to a spam or malware site. It's usually fake Russian pills or pornography.

No Time to lay back...
In several cases, particularly with older compromises, the criminals that hacked this site will have uploaded a wide variety of spamming and other compromise tools. Therefore, the account corresponding to "wpnoupfront.authenticbd.com" needs to be examined very carefully for signs of tampering. Further, the criminal will even modify existing web pages (particularly http://wpnoupfront.authenticbd.com itself) to have hidden references to pill/drug/porn sites.

It is believed that the malicious redirects are done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors.
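The 404-triggered redirect described above (the same mechanism is given for both compromised hosts in this post) leaves a trace in the web server's own configuration, so the defender's check is to read the .htaccess rather than the pages. The following Python script is an added example, not part of the CBL text or of this blog: it scans an Apache .htaccess for ErrorDocument 404, Redirect/RedirectMatch and RewriteRule directives whose destination is an absolute URL on a foreign host, and notes when a RewriteRule is limited by a preceding RewriteCond to requests for files that do not exist, which is exactly the "all 404 errors" case. The sample .htaccess, the redirector.example.invalid host name and the own_hosts parameter are constructed for the example.

```python
"""Scan an Apache .htaccess for off-site redirects that fire on 404s (added example)."""
from urllib.parse import urlparse

# Constructed sample: a normal CMS front-controller block, followed by two
# injected directives of the kind described in the CBL text above.
# The redirector host name is invented for this example.
SAMPLE_HTACCESS = """\
# legitimate front-controller rules
ErrorDocument 404 /errors/not-found.html
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# injected by the intruder (hypothetical host name)
ErrorDocument 404 http://redirector.example.invalid/pills.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*$ http://redirector.example.invalid/go.php?%{HTTP_HOST} [R=302,L]
"""


def is_offsite(target, own_hosts):
    """True when target is an absolute http(s) URL whose host is not one of own_hosts."""
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False            # relative path, "-", or a non-web scheme
    if "%{" in parsed.netloc:
        return False            # host built from a variable: cannot decide statically
    return parsed.hostname not in {h.lower() for h in own_hosts}


def scan_htaccess(text, own_hosts=()):
    """Return findings as dicts {line, directive, target, reason}.

    Flags ErrorDocument 404 / Redirect / RedirectMatch whose destination is
    off-site, and RewriteRule substitutions that send the browser off-site,
    marking those whose RewriteCond lines restrict them to missing files.
    """
    findings = []
    pending_conds = []  # RewriteCond lines apply only to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending_conds.append(line)
            continue
        if directive == "errordocument" and len(parts) >= 3:
            if parts[1] == "404" and is_offsite(parts[2], own_hosts):
                findings.append({"line": lineno, "directive": parts[0],
                                 "target": parts[2],
                                 "reason": "404 error page redirects off-site"})
        elif directive in ("redirect", "redirectmatch"):
            target = parts[-1]  # the destination URL is always the last argument
            if is_offsite(target, own_hosts):
                findings.append({"line": lineno, "directive": parts[0],
                                 "target": target,
                                 "reason": "Redirect sends visitors off-site"})
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            if is_offsite(target, own_hosts):
                missing_only = any("!-f" in c or "!-d" in c for c in pending_conds)
                reason = "RewriteRule sends visitors off-site"
                if missing_only:
                    reason += " for missing files (404 trigger)"
                findings.append({"line": lineno, "directive": parts[0],
                                 "target": target, "reason": reason})
            pending_conds = []  # the conditions are consumed by this rule
    return findings


if __name__ == "__main__":
    # own_hosts would be the compromised site's own names, e.g. ("www.example-site.invalid",)
    for f in scan_htaccess(SAMPLE_HTACCESS, own_hosts=("www.example-site.invalid",)):
        print(f"line {f['line']:>3}: {f['directive']} -> {f['target']}  [{f['reason']}]")
```

On a real host, pass the contents of every .htaccess under the document root together with the site's own host names in `own_hosts`; a legitimate CMS front controller uses the same `!-f` condition, so the off-site destination, not the condition, is the signal to act on. ErrorDocument can also live in httpd.conf and its include files, which a scan of .htaccess alone will not see.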

Related Post: http://stayaway2.blogspot.com/2014/02/us-phishing-visitor-to-this-blog.html

REFERENCES:
67.225.146.147
  • https://www.virustotal.com/de/url/30de5a071652e44f8f6003ab0c22553e72808bfec8aa5982ae23fb7badde4857/analysis/1393510660/
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=67.225.146.147
LISTED AT CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=67.225.146.147
----------------------------------------------------------

http://wpnoupfront.authenticbd.com/
  • https://www.virustotal.com/de/url/1fb32860105dea70846f611020d9ba6c2a4557c5337ded5e1dcbe83b51b9641d/analysis/1393517602/
  • http://urlquery.net/report.php?id=9691230
http://wpnoupfront.authenticbd.com/invigorating.htm
  • https://www.virustotal.com/de/url/071ca9f4199a95b2d2824d0207e8c6287c20458ad1f87b80ac37a9a36ec2de9b/analysis/1393517601/
HTML:RedirME-inf [Trj]
  • https://www.virustotal.com/de/file/5f0925c559ea8e1285877f550f361a92770d54528f8800ab181bdc1a0c039427/analysis/1393520355/
  • (GETFILE: http://jsunpack.jeek.org/dec/getfile?hash=8ff9/ed8ea2a207c8f4ae5c70dac68556d6ff425a)
---> REDIRECTS TO
http://doctorxonft.ru/
  • https://www.virustotal.com/de/url/0512b24fcc96129c9951e4f5103bfed2312c9fe359403ed3a6ec36e6ced2e962/analysis/
HTML (PUA.JS.Obfus-7)
  • https://www.virustotal.com/de/file/8aad19003d4937d93cf60ff7f8457c231e4b72110d380a4c6a2e133b1e169fae/analysis/1393521420/
  • http://virusscan.jotti.org/de/scanresult/baf1b8fc0d963713dd61f1f9549226321e068189

FULL REPORT:
Document hosting: UploadEdit.com

2/27/2014

U.S. PHISHING Visitor to THIS Blog:
winnerhousingbd.com & cloudfront.net IP: 67.225.146.147
(GOOGLEDRIVE)
Trojan.JS.Iframe.ahd (PHISH Remax)

PHISHING SITE (IN THE NAME OF GO(D)OGLE) WITH MALWARE: Trojan.JS.Iframe.ahd (PHISH Remax)

DOMAIN:
http://www.winnerhousingbd.com/
  • https://www.virustotal.com/de/url/a017e5db1d1486a70dadfddfdbc356b76d580559c9228b77aba6a5acb92a8492/analysis/1393506758/
PHISHING LINK:
http://www.winnerhousingbd.com/images/googledrive
  • https://www.virustotal.com/de/url/fceefd5470a2ca79d822b0c021315541f51484d421cd5bd865c0cd8fb39b70de/analysis/1393506767/
INFECTION:
Trojan.JS.Iframe.ahd
  • https://www.virustotal.com/de/file/6843e6f0d4cbfbae6a0baeb12ec548e3a2a8a0d732c521574ab6e0ecb1bcc8e3/analysis/1392021552/
---> REDIRECTS TO (SAME PATH WITH A TRAILING SLASH)
http://www.winnerhousingbd.com/images/googledrive/
  • https://www.virustotal.com/de/url/e1e7b671eb7a97d535cbc998116465c59d58161c210405f66220159a75e0ea7f/analysis/1393507443/
INFECTION:
Trojan.JS.Iframe.ahd
  • https://www.virustotal.com/de/file/6843e6f0d4cbfbae6a0baeb12ec548e3a2a8a0d732c521574ab6e0ecb1bcc8e3/analysis/1392021552/
Related Post: http://stayaway2.blogspot.com/2014/02/category-malicious-ip-67225146147.html

TO SEE THE FULL REPORT, SEE THE .txt ICON:


Document hosting: UploadEdit.com

New Malware Code found on IRANIAN Blogsite (involved in Phishing):
model-irani.mihanblog.com infected with
Trojan.JS.StartPage.eg (Former HEUR:Trojan.Script.Generic)
(IP: 5.144.133.146)

FOLLOWUP:
New Malicious Code:
From: HEUR:Trojan.Script.Generic
To: Trojan.JS.StartPage.eg


MALWARE: HEUR:Trojan.Script.Generic (PHISHING ACTIVITIES) IRAN

DOMAIN:

http://model-irani.mihanblog.com/
  • https://www.virustotal.com/de/url/87e504b01108edfe5de0f78bee9f91b014661af9abf0bcbb8625b88ceeb18258/analysis/1393498401/

INFECTION:

HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/9ad90edf6be055ce40cdc01608f58783e6aa45bed1453e760b1afbfbbcb025b0/analysis/1393498623/
--->
http://static.mihanblog.com//public/scripts/run/g.other.v3.js
  • https://www.virustotal.com/de/url/0bdd1749892dbca59d44f29f3d008f5639aeb8be37ec4deb6873ada600e84505/analysis/1393498967/
PUA.Script.Packed-2
  • https://www.virustotal.com/de/file/9c7e6c2ebd2ac2b10978a8627e31d1cd287aa43f19e5a8233b018103dad507d2/analysis/1393498970/
FOR THE FULL REPORT CLICK THE .txt ICON:


Document hosting: UploadEdit.com

2/25/2014

Solimba Installer
Category MALICIOUS DOWNLOADS: dl.downloadohdooshieyei.com
(IP: 165.254.155.129) Englewood, Colorado, United States


MALWARE SITE: MALICIOUS DOWNLOADS (Solimba Installer)

DOMAIN:
http://dl.downloadohdooshieyei.com/
  • https://www.virustotal.com/de/url/ef7757bab9e69849807f527d515ab673778d76a3e3cb8f1d2da775a2d5dfb199/analysis/
MALICIOUS DOWNLOAD LINK:
http://dl.downloadohdooshieyei.com/n/11812101/N0636.exe
  • https://www.virustotal.com/de/url/7be861a3b2d6b26d20a103730f77fdbdc3248682700ebd2405ef0002db822494/analysis/1393347015/
FUNNY: 2 DIFFERENT FILES:
FILE DOWNLOADED BY VT:
N0636.exe Solimba Installer
  • https://www.virustotal.com/de/file/6b76dc210986bb989da482ef6a8bd19cf8438c832e4c8b8984f15c8567c342e5/analysis/1393347021/
FILE FROM JSUNPACK:
  • http://jsunpack.jeek.org/?report=c631008f24cb11be18ffb6c52628296e2f878c79
  • https://www.virustotal.com/de/file/814f68ccb748f3bbe2cf34078ca219b6ce59f0c079d3e21b0320c8153fa15300/analysis/1393347080/

.GOV DOMAIN (National Institute of Standards and Technology)
HOSTS BACKDOORS: NEW Malware CODE (Backdoor.Win32.HacDef.uoeu & .uoev)


NEW MW CODE (Backdoor.Win32.HacDef.uoeu & .uoev)
http://www.nist.gov/
  • https://www.virustotal.com/de/url/c77487e014679ee3cab82094c045cacd96a4314bedb15f3d1a2a35421b06cc2e/analysis/1393343534/
--------------------

http://www.nist.gov/mml/mmsd/structure_determination/upload/AtomCorr.exe
  • https://www.virustotal.com/de/url/f52db131b34375b505af937b9daee912bfc2288a5372bbb7f50ca36f67781a3d/analysis/1393343072/
Backdoor.Win32.HacDef.uoev
  • https://www.virustotal.com/de/file/ce1c81e6f10f4290872bec7bfd1e391435589d5f3160f9c7c3cd842531c53b12/analysis/1393343077/
http://www.nist.gov/mml/mmsd/structure_determination/upload/Diffuse.exe
  • https://www.virustotal.com/de/url/1e3b8fdc1842dbcc6fccc1137a55bfe25f6436992d7e58f95eca1d121003acf8/analysis/1393342998/
Backdoor.Win32.HacDef.uoeu
  • https://www.virustotal.com/de/file/01606685339668d2d46aabbeee7e9fcea91897d2b7c74cc68cb3de9bfacca462/analysis/1393343003/
--------------------

  • https://urlquery.net/report.php?id=9650828
116 Suspicious Files
  • http://quttera.com/detailed_report/www.nist.gov

2/24/2014

GREATSOFTWARE.COM:
www.greatsoftware.com & dl.downloadohdooshieyei.com
(MALICIOUS DOWNLOADS from NORWAY & FRANCE)


MALWARE SITE (DIRECTLY & INDIRECTLY): MALICIOUS DOWNLOADS

DOMAIN:
http://www.greatsoftware.com/
  • https://www.virustotal.com/de/url/944ea52f2622d40e250fca3d82c5b01920482196479a88a5fc7aa55567828d0c/analysis/1393276144/
MALICIOUS LINK:
http://www.greatsoftware.com/image-merger-exe/
  • https://www.virustotal.com/de/url/ae080a4ba9dff79029475591902616ccde3860d512fc444d14f7d2fd0f313254/analysis/1393276105/
(DON'T) CLICK THE DOWNLOAD BUTTON AND YOU WILL GET THE FILE (MALWARE)

FROM:
http://dl.downloadohdooshieyei.com/n/12372005/Image%20Merger%20.EXE.exe
  • https://www.virustotal.com/de/url/e5a90ede66101c9b432ea464827a5d8c0f47bb8461520eacbea096b4ba9e823a/analysis/1393273342/
(PUA) Win32/FirseriaInstaller.F
  • https://www.virustotal.com/de/file/a43fc03c2fc7519029692d6666c54ea5d8ef478748ec893153ee479607324277/analysis/1393273348/
MALICIOUS DOMAIN:
http://dl.downloadohdooshieyei.com/
  • https://www.virustotal.com/de/url/ef7757bab9e69849807f527d515ab673778d76a3e3cb8f1d2da775a2d5dfb199/analysis/1393274740/


Category MALICIOUS DOMAIN & IP:
www.zbestclubreview2014.com (IP: 115.242.210.80)
Casino, Gambling
(PHISHING, SCAM, SPAM) (Ruby Palace, Mumbai, INDIA)


On our websites you will find the best online casinos with exclusive offers if you register via our websites.
Various offers such as free spins and deposit bonuses await you.

Visit our website, find your new online casino and benefit from the exclusive offer that you like best.

Click here to visit our website.
http://www.zbestclubreview2014.com/

Kind regards

Please click here if you no longer wish to receive e-mails from us:
http://unsubscribe.zbestreview2014.com/


  • Please note that almost all of those mails that include "Ruby" (for example) are connected to gambling sites that want to "steal" your hard-earned money in many different ways. You will ALWAYS lose. Consider going to a "real" casino instead of gambling online, although even there you are more likely to lose money than to gain it. "Ruby" mails are not only SPAM but also scam, phishing, and downloads of malware (riskware). These domains rarely last more than a month before the name changes again. Ignore and delete those mails and the included links; otherwise you expose your PC to a real risk of damage.
SPAM-Mail Screenshot
  • Please note that practically all e-mails whose URL contains the name "Ruby" (example), whether they land in the spam folder or not, are connected with (partly illegal) gambling (online casinos) that are intent only on taking your hard-earned money out of your pocket. If you absolutely want to gamble, it would be more advisable to visit a real casino, although even there you normally leave poorer rather than richer. "Ruby" mails are associated not only with SPAM but also with SCAM, phishing and harmful downloads of malicious software (very often these harmful downloads are placed on the PC without the visitor's knowledge). It is best to avoid these sites; otherwise your PC could be damaged.

MALICIOUS DOMAIN(s): PHISHING, SCAM, SPAM

MAIL SENT THROUGH:
http://de-graaf.nl/
  • https://www.virustotal.com/de/url/9a2407169f616b2a2a036d1f5bdfdc1b586c3da935cbeb9586e394db4ebdb792/analysis/1393265245/
HTML (TITLE: test igr)
  • https://www.virustotal.com/de/file/897f06db515c21290c30c57dd1af5866fb260e19c213dd86af0c991bf5b2ab5f/analysis/1393265111/
IP:
http://109.109.120.43/
  • https://www.virustotal.com/de/url/3ea4a1d473e5c5d071795108a2ac018278483b00a9f78f903666ea1d8966dc72/analysis/1393265363/
  • https://www.virustotal.com/de/ip-address/109.109.120.43/information/
HOSTNAME:
http://pernis.cbizz.nl/
  • https://www.virustotal.com/de/url/1ffd59fd6c336547198255126d30d61be74c67d3ef51ad3dccac2037c71b43fa/analysis/1393265933/
HTML (PUA - LIKELY HOSTILE)
  • https://www.virustotal.com/de/file/b360defdc2da0baa651a970842c02965c9c7abf9aa64fc1313f4a4a1108faf3d/analysis/1393266111/
GETFILE: http://jsunpack.jeek.org/?report=516635988cbc568d4d2d43d0ad9c0e190325b4be
PUA.JS.Obfus-7
  • http://virusscan.jotti.org/de/scanresult/9bac55894b100053305d87eaf342fd1d7b967b33
  • http://www.UnmaskParasites.com/security-report/?page=pernis.cbizz.nl
DOMAIN:
http://cbizz.nl/
  • https://www.virustotal.com/de/url/1ef1ca00c396eeda1ca723d3780b7b912674431c8f5e5aff3d81e5c0b374a59b/analysis/1393266792/
----------------------

SPECIFIC "CASINO" (MALWARE) DOMAIN:
http://www.zbestclubreview2014.com/
  • https://www.virustotal.com/de/url/02ee438ea4071e0839c5b4f0839c174ff0413423e74f33227791241134dc444c/analysis/1393265668/
UNSUBSCRIBE LINK:
http://unsubscribe.zbestreview2014.com/
  • https://www.virustotal.com/de/url/0e33f7e548f5d9685ac666974b4ded4025b0735f14b3e435b0c315555714a755/analysis/1393265770/
ORIGINATING IP ADDRESS:
http://115.242.210.80/
  • https://www.virustotal.com/de/url/98b43e7ad335c2310d1cb232e943d9bf9518613df8ba00d9f5dd41062a54e0c3/analysis/
LISTED AT SPAMHAUS (PBL):
  • http://www.spamhaus.org/query/bl?ip=115.242.210.80
  • http://www.spamhaus.org/pbl/query/PBL386929
EMAIL REPUTATION: POOR
  • http://www.senderbase.org/senderbase_queries/detailip?search_string=115.242.210.80

EXPLOIT DotKaChef:
gmc.yoyogames.com infected (IP: 78.129.174.221)
United Kingdom

MALICIOUS URL (DOMAIN): EXPLOIT DotKaChef

DOMAIN:
http://gmc.yoyogames.com/
  • https://www.virustotal.com/de/url/12e5110e14db3ce65d9aaf36b49b9384c72b562ce1064580ecb8e049d51768e5/analysis/1393259505/
HTML
  • https://www.virustotal.com/de/file/1a95707e9ea74da8b9199ac18b76548e4890d278a541e51384cb1d24b2008e9f/analysis/1393259871/
SPECIFIC LINK:
http://gmc.yoyogames.com/index.php?showtopic=479246
  • https://www.virustotal.com/de/url/93917974f72f15f40bb77746b50bbd3993b4ea2ed5987ed985044afc42293dfc/analysis/1393259414/
HTML
  • https://www.virustotal.com/de/file/d8178b94ffba61ff7365005c105aadd795c7f2872c94fb4a0db0461ec4ddf7fd/analysis/
--->
DOMAIN:
http://alnera.eu/
  • https://www.virustotal.com/de/url/d56d95917506e3446ed65d011174cf24dee73b9812fac409112c5c7b785bb2d4/analysis/1393260526/
EXPLOIT LANDING PAGE
http://alnera.eu/B1D7AA56.js?cp=gmc.yoyogames.com
  • https://www.virustotal.com/de/url/af2c5eddfbfc5a4873cd9e8f463992b4537e5b16410d01070cad5c665b51c8d3/analysis/1393249461/
AND OTHER (POSSIBLY RANDOMLY NAMED) LANDING PAGES:
  • https://urlquery.net/report.php?id=9628606
  • https://urlquery.net/report.php?id=9628608
  • https://urlquery.net/report.php?id=9628612
  • https://urlquery.net/report.php?id=9630211
  • https://urlquery.net/report.php?id=9630215
Possible Redkit 1-4 char JNLP request
  • https://urlquery.net/report.php?id=7843788
DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign
  • https://urlquery.net/report.php?id=6995999

FOR MORE ON THIS THREAT, SEE:
http://community.websense.com/blogs/securitylabs/archive/2014/02/03/dotkachef-exploit-kit-comeback.aspx

Further information on this exploit is available at the following link:
http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=159813

2/23/2014

Malicious Downloads of EXPRESS FILES:
Domain: pulidecor.com & go-for-files.com
Win32/ExpressFiles
(U.S.A., U.K., Ukraine, Russia, Netherlands)

ExpressFiles is a program developed by Express Solutions. The most used version is 1.9.3, with over 98% of all installations currently using this version. Upon installation and setup, it defines an auto-start registry entry which makes this program run on each Windows boot for all user logins. A scheduled task is added to Windows Task Scheduler in order to launch the program at various scheduled times (the schedule varies depending on the version).

The software is designed to connect to the Internet and adds a Windows Firewall exception in order to do so without being interfered with. The program's main executable is ExpressFiles.exe; it has been seen to consume on average less than one percent of CPU and uses about 20.48 MB of memory. It also adds an icon to the Windows notification area in order to provide access to the program. A vast majority of those who have this installed end up removing it after just a couple of weeks.

The software installer includes 10 files and is usually about 9.09 MB (9,531,113 bytes). EFUpdater.exe is the automatic update component of the software, designed to download and apply new updates should new versions be released. In comparison to the total number of users, most PCs are running Windows 7 (SP1) as well as Windows 8. While about 22% of users of ExpressFiles come from the United States, it is also popular in Italy and Germany.

For more on this Threat, see here

MALWARE SITE: EXPRESS FILES (RBN 434)

DOMAIN:

http://pulidecor.com/
  • https://www.virustotal.com/de/url/faf2ea9682c998e9a7d44c054d6f9483e682cd3cbe1bf8ecdbf0f0ad82587cbb/analysis/1393154354/


MALICIOUS LINK:

http://pulidecor.com/KID-ICARUS-DOWNLOAD-CODE.htm
  • https://www.virustotal.com/de/url/8e8fb70f7504c3fc967981edcb7bd1ba0d50832cd5366ebda348434398dc12a1/analysis/1393153202/
Express Files
  • https://www.virustotal.com/de/file/2edf84f8a5daef6398a5a44a730d6c7917c4f25e41cfaf2ff5ba144031aa006e/analysis/1393153844/
  • https://urlquery.net/report.php?id=9609071
------>

DOMAIN/IP:

http://93.174.88.93/
  • https://www.virustotal.com/de/url/97e56e02bb235d9b4d8603a2e189479745361911c618102fa066d4d3b26276cd/analysis/1393155556/
  • https://www.virustotal.com/de/file/94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2/analysis/1393156281/
MALICIOUS LINK:
http://93.174.88.93/go.php?q=KID-ICARUS-DOWNLOAD-CODE
  • https://www.virustotal.com/de/url/1fa617458a620b8e6b4c10b903d987b5f1457d22e1addef94abe1da2012f8529/analysis/1393155418/

HTML
  • https://www.virustotal.com/de/file/663de60a22fb540bfd8fae57df84a29e6410b90956c7caaddeb60b7e4c438274/analysis/1393156233/
  • http://wepawet.iseclab.org/view.php?hash=cbe4a405fb132a836b5dd65a79936c98&t=1393155497&type=js
  • https://urlquery.net/report.php?id=9609326
------>

DOMAIN:

http://pushtraffic.net/
  • https://www.virustotal.com/de/url/36276552d4b9b922202792af9bb487791f37eacb6b84154cbef2b8ac07d9b0dd/analysis/1393156637/

HTML (Friendly Error Page...Looool)

  • https://www.virustotal.com/de/file/761bbfe842ec7b0a1861abddca602c1525cd4555a7a56d91cf582511f26f07b4/analysis/1393156583/

MALICIOUS LINK:

http://pushtraffic.net/TDS/?wmid=99934&uid=969&q=KID-ICARUS-DOWNLOAD-CODE
  • https://www.virustotal.com/de/url/043abe5c83ca189dde5ec8d475c706aa7d822fee1c5e57a553e1a9e1044fde89/analysis/1393155686/

HTML

  • https://www.virustotal.com/de/file/fe76e106d6e3f1e9ec900de0a09d3e55f25516ea7400ddef4d2bafc4c9f97be8/analysis/1393155858/
  • http://wepawet.iseclab.org/view.php?hash=be6ba6e4122acfb113c66af27b22fbd6&t=1393155899&type=js
  • https://urlquery.net/report.php?id=9609355
TO GET TO THE FULL REPORT, CLICK THE ICON .txt :


Document hosting: UploadEdit.com