a2h7uploading.com Malware Site unknown functionality

[Winston Smith]

Saw a2h7uploading.com appearing on a number of Zeus infected machines, the string was usually something like:

hxxp://133007d90712.a2h7uploading.com/get.php?c=HXBIBLID&d=26606B673934206A616D37783C3F3F3C2026222A327A7A73476C737F21282E2A164311161403534E4C141A1D1C1E6D1705720B70750002060000037E7909097A05710306737D03727F796C28203B2B3D6D6761753D263733353034666C7B2B315D145A0006515341071A1C0E1E05075245571D000210041B17

hxxp://212907d90701.a2h7uploading.com/get.php

hxxp://062907d90730.a2h7uploading.com/get.php

Don't know if its a drop site or Zeus call home site, or if it is just a secondary infection, but WhoIs shows it was registered on 15-jul-2009

Wepawet lists site as suspicious. 

[SysAdMini]

I don't know what it is, but you can use anything as a subdomain name.
The "d" parameter has to be valid. Modifying the subdomain or the "c" parameter doesn't change the response.
If "d" is invalid, then site returns 404. Other filenames than get.php redirect to uploading.com.

[Winston Smith]

That would make sense.  Base on what you saw, I suspect the D parameter is a machine specific identifier.

The C parameter is most likely the encrypted outbound data going back home.