Author Topic: possibly malicious  (Read 2499 times)


December 04, 2009, 07:01:02 pm

crunchtime

  • Special Access
  • Full Member

I haven't had time to analyze this one but it looks interesting.

VirusTotal:
http://www.virustotal.com/analisis/00cbe01f1efde60ec0a22aceb16aaaf2a0f59674f8e501ce81b62b23c8189099-1259935626

Sample:
hxxp://74.81.78.68/IMG55340_09.JPG-www.myspace.com.exe
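
The sample above uses the classic double-extension lure: a decoy ".JPG" and a trusted brand ("www.myspace.com") embedded in the name, with the real ".exe" at the end where Windows Explorer hides it by default. The following is an added triage helper, not code from the original post or from any of the posters; it classifies the filename a URL points at and flags this pattern. The extension and domain lists, and every input other than the posted sample URL, are constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote

# Extensions Windows treats as executable. With "Hide extensions for known file
# types" on (the default), IMG55340_09.JPG-www.myspace.com.exe is shown without
# the trailing .exe, so the name reads like a picture.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# A decoy document/image extension embedded earlier in the name (".jpg" above).
DECOY_RE = re.compile(r"\.(jpe?g|gif|png|bmp|pdf|docx?|xlsx?|txt)(?![a-z0-9])")
# A brand domain embedded in the name to lend it legitimacy ("www.myspace.com").
# TLD list is an assumption; extend it for your own environment.
DOMAIN_RE = re.compile(r"(?:www\.)?([a-z0-9-]+\.(?:com|net|org|co\.uk))")


def classify_lure(url):
    """Classify the file a URL points at.

    Returns a dict with the decoded filename, whether it is executable, any
    decoy extension and spoofed domain found in the name, and a verdict of
    'benign', 'executable download' or 'double-extension lure'.
    """
    # Accept defanged "hxxp://" links as they are posted on analysis forums.
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    path = urlparse(url).path
    filename = unquote(path.rsplit("/", 1)[-1])
    lower = filename.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""

    result = {
        "filename": filename,
        "executable": ext in EXECUTABLE_EXTS,
        "decoy_ext": None,
        "spoofed_domain": None,
        "verdict": "benign",
    }
    if not result["executable"]:
        return result

    # Look for the lure components in everything before the real extension.
    stem = lower[: -len(ext)]
    decoy = DECOY_RE.search(stem)
    if decoy:
        result["decoy_ext"] = "." + decoy.group(1)
    domain = DOMAIN_RE.search(stem)
    if domain:
        result["spoofed_domain"] = domain.group(1)

    result["verdict"] = "double-extension lure" if (decoy or domain) else "executable download"
    return result


if __name__ == "__main__":
    # First URL is the sample from the post; the other two are constructed.
    for u in [
        "hxxp://74.81.78.68/IMG55340_09.JPG-www.myspace.com.exe",
        "http://198.51.100.7/statement.pdf.scr",
        "http://example.com/photos/IMG_0001.jpg",
    ]:
        r = classify_lure(u)
        print(f"{r['verdict']:22} {r['filename']}  "
              f"decoy={r['decoy_ext']} domain={r['spoofed_domain']}")
```

A plain ".exe" download without a decoy extension or embedded brand is reported separately as "executable download", so the rule can be tuned to alert only on the social-engineering pattern rather than on every executable.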

December 06, 2009, 11:35:14 am
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Personal Text
    Phishing Phanatic
    • I.T. Mate
There are a few of these floating around, for most social networking sites, and for some banks and the likes of PayPal etc.

/edit

The IP, btw, belongs to solutionsbeyond.com and wickedleo.com (the URL doesn't work if you replace the IP with either of these domain names though, indicating it's the server itself that's been compromised).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

December 06, 2009, 02:23:08 pm
Reply #2

Evilcry

  • Special Access
  • Jr. Member

The application is packed and presents a second executable called pista_.exe, which is the core malicious executable =)
pista_.exe is located in the Temp directory.
Deep Root Never Freezes - Tolkien