This malware uses a massive list of domains

Today, we had the chance to analyze some malware and guess what?! We found a malware sample that connects to a massive list of domains.

The malicious file uses these domains to post information to, and fetch instructions from, the operator behind the malware (its command-and-control channel). As the list below shows, not all of them are attacker-controlled: a number are ordinary public sites and external-IP lookup services.

We collected the following information on the file with MD5 0030f0de2aa2d0afd70f486899f4eca1.

File Details

File Name: 0030f0de2aa2d0afd70f486899f4eca1
File Size: 183001 bytes
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:       0030f0de2aa2d0afd70f486899f4eca1
SHA1:      179a8d3e827ba89e38e7f401d25c70fe54e970ec
SHA256:    19134ee89d44f39e14fe918245ddbf9614f75ca3b1685133f379585bd4cf2752
SHA512:    4af2e585dcac6e9827d9c43a0958006e92865c5fe6fd642799b9c00c5dc8330ab02dc4a24f7c5e556225e60552cd8d1ef8f46cf5e47c607cb60501d5ee905847
CRC32:     F2DDB88C
Ssdeep:    3072:j7nuW3j3LNHoiL9O7YOEFo78H/PKrEqZvPOx+YC3oRQUEmVOsG833M1W:nu6j3Ldo89O/xWnaYCoistT33mW

The malware contacts the following domains (the resolved IP address is shown where one was recorded during analysis). Two groups are visible. The first is made up of public external-IP lookup services and well-known high-traffic sites, presumably contacted to test connectivity and to discover the infected host's public address; these must not be blocked. The rest are random-looking labels for which no IP was recorded, rotating through the .com, .net, .tv and .cc TLDs, with several labels (egbmbdey, iuhqhbmq, smmyuhxlt) appearing under more than one TLD, which is the pattern of algorithmically generated C2 domains. Those are the ones worth putting on a blocklist.

Domain                     Resolved IP (- = none recorded)
www.myipaddress.com        50.16.217.199
www.grokster.com           72.14.188.13
whatismyipaddress.com      66.171.248.172
www.ip-adress.com          64.34.169.244
www.showipaddress.com      192.64.147.171
www.find-ip-address.org    208.76.87.68
checkip.dyndns.com         91.198.22.70
www.ipaddress.com          148.251.128.237
www.ipchicken.com          209.68.27.16
www.comcast.net            95.100.96.25
www.mozilla.com            63.245.217.20
www.weather.com            95.100.97.50
google.com                 74.125.136.139
ehjjczagc.com              -
google.net                 74.125.136.104
vmifsgop.net               -
google.tv                  74.125.136.99
egbmbdey.tv                -
google.cc                  74.125.136.103
iuhqhbmq.cc                -
zehifruzjdk.com            -
[REMOVED AS THIS SHOULD BE WHITELISTED]
ztlcqlx.net                -
papzlvwf.tv                -
lvctmusxcyz.cc             -
wixcaiktigew.com           -
smmyuhxlt.net              -
bkfmxmuj.tv                -
hgddgbmbtvns.cc            -
jhkoofxj.com               -
cyjybofjoiut.net           -
ihpxbseg.tv                -
smmyuhxlt.cc               -
zoipmnwr.com               -
pcgthnl.net                -
zxxvzxvnt.tv               -
pcirtlav.cc                -
ckfrzitlm.com              -
mejyujl.net                -
hvjcehqi.tv                -
oggykpoyzx.cc              -
iuhqhbmq.com               -
egbmbdey.net               -
www.facebook.com           31.13.93.129
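Triage of that list, as an added example that is not part of the original post: split the 43 domains into the public IP-echo services and well-known sites that belong on an allowlist and the random-looking labels that make up the rest, then check what a purely lexical "looks generated" heuristic would do on each half, and which labels recur under several TLDs. The allowlist, the vowel-ratio/consonant-run heuristic and its thresholds are assumptions made for this example; only the domain list itself comes from the post.

```python
"""Triage of the domain list from the post above.

Two things a responder wants from that list: which domains are legitimate
(external-IP echo services and high-traffic sites, and so must NOT go on a
blocklist) and what the remaining ones have in common. The allowlist and the
lexical heuristic below are assumptions for this example; the domain list is
copied from the post."""

from collections import defaultdict

# Domains the sample contacted, copied from the post (resolved IPs dropped).
OBSERVED_DOMAINS = """
www.myipaddress.com www.grokster.com whatismyipaddress.com www.ip-adress.com
www.showipaddress.com www.find-ip-address.org checkip.dyndns.com www.ipaddress.com
www.ipchicken.com www.comcast.net www.mozilla.com www.weather.com google.com
ehjjczagc.com google.net vmifsgop.net google.tv egbmbdey.tv google.cc iuhqhbmq.cc
zehifruzjdk.com ztlcqlx.net papzlvwf.tv lvctmusxcyz.cc wixcaiktigew.com
smmyuhxlt.net bkfmxmuj.tv hgddgbmbtvns.cc jhkoofxj.com cyjybofjoiut.net
ihpxbseg.tv smmyuhxlt.cc zoipmnwr.com pcgthnl.net zxxvzxvnt.tv pcirtlav.cc
ckfrzitlm.com mejyujl.net hvjcehqi.tv oggykpoyzx.cc iuhqhbmq.com egbmbdey.net
www.facebook.com
""".split()

# Assumed allowlist of registered domains: the IP-echo services and popular
# sites in the list. In practice, feed this from your own environment's data.
ALLOWLIST = {
    "myipaddress.com", "grokster.com", "whatismyipaddress.com", "ip-adress.com",
    "showipaddress.com", "find-ip-address.org", "dyndns.com", "ipaddress.com",
    "ipchicken.com", "comcast.net", "mozilla.com", "weather.com",
    "google.com", "google.net", "google.tv", "google.cc", "facebook.com",
}

VOWELS = set("aeiou")


def registered_domain(fqdn):
    """Return (label, tld) of the registered domain, i.e. the last two DNS
    labels. Good enough for this list; real code should consult the public
    suffix list so that e.g. example.co.uk is handled."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def looks_generated(label):
    """Lexical heuristic (assumed thresholds): a label with under 30% vowels
    or a run of four or more consonants reads like random letters."""
    letters = label.replace("-", "")
    ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return ratio < 0.3 or longest >= 4


def triage(domains):
    """Split domains into allowlisted vs. suspicious and collect the signals
    that matter: the heuristic's verdict on each side, labels reused across
    several TLDs, and the TLD set the suspicious names are drawn from."""
    allowed, suspicious = [], []
    tlds_by_label = defaultdict(set)
    for fqdn in domains:
        label, tld = registered_domain(fqdn)
        reg = f"{label}.{tld}"
        (allowed if reg in ALLOWLIST else suspicious).append(reg)
        tlds_by_label[label].add(tld)
    return {
        "allowed": allowed,
        "suspicious": suspicious,  # this is the blocklist candidate set
        "heuristic_hits_on_suspicious": [
            d for d in suspicious if looks_generated(d.split(".")[0])],
        "heuristic_hits_on_allowed": [
            d for d in allowed if looks_generated(d.split(".")[0])],
        "reused_labels": {
            lbl: sorted(t) for lbl, t in tlds_by_label.items() if len(t) > 1},
        "suspicious_tlds": sorted({d.split(".")[1] for d in suspicious}),
    }


if __name__ == "__main__":
    r = triage(OBSERVED_DOMAINS)
    print(f"{len(r['allowed'])} allowlisted, {len(r['suspicious'])} suspicious")
    print("heuristic alone would also flag:", r["heuristic_hits_on_allowed"])
    print("heuristic misses:",
          sorted(set(r["suspicious"]) - set(r["heuristic_hits_on_suspicious"])))
    print("labels seen under several TLDs:", r["reused_labels"])
    print("TLDs used by the suspicious names:", r["suspicious_tlds"])
```

Run as a script it prints the split. The point the numbers make: the letter-statistics heuristic catches 25 of the 26 non-allowlisted domains (it misses wixcaiktigew.com) but would also flag five of the legitimate ones (dyndns, comcast and three of the IP-lookup services), so the allowlist, not the heuristic, decides what goes on the blocklist, and the reuse of egbmbdey, iuhqhbmq and smmyuhxlt under two TLDs each is a better corroborating signal than letter frequencies.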

The sample was scanned by the following anti-virus engines; 42 of the 55 detected it ("Clean" marks an engine that did not). The family names disagree (Buzus, Injector, VBInject, Symmi, Necurs, Andromeda, PWS.Panda), so treat them as generic labels rather than as an attribution.

Antivirus Signature
Bkav HW32.CDB.D363
MicroWorld-eScan Gen:Variant.Symmi.44852
nProtect Clean
CMC Clean
CAT-QuickHeal Clean
McAfee W32/Worm-FIX!0030F0DE2AA2
Malwarebytes Trojan.Crypt.NKN
VIPRE Trojan.Win32.Generic!BT
AegisLab Clean
TheHacker Clean
K7GW Unwanted-Program ( 0049ebb41 )
K7AntiVirus Trojan ( 0049c5331 )
NANO-Antivirus Clean
F-Prot Clean
Symantec Trojan.ADH
Norman Injector.GWDY
TotalDefense Clean
TrendMicro-HouseCall TROJ_SPNR.0BGA14
Avast Win32:Injector-BVU [Trj]
ClamAV Clean
Kaspersky Trojan.Win32.Buzus.oufg
BitDefender Gen:Variant.Symmi.44852
Agnitum Trojan.Injector!sH56eaFkaQM
SUPERAntiSpyware Trojan.Agent/Gen-Buzus
Rising Clean
Ad-Aware Gen:Variant.Symmi.44852
Emsisoft Gen:Variant.Symmi.44852 (B)
Comodo UnclassifiedMalware
F-Secure Gen:Variant.Symmi.44852
DrWeb Trojan.PWS.Panda.7535
Zillya Trojan.Buzus.Win32.121089
AntiVir TR/Dropper.VB.14484
TrendMicro TROJ_SPNR.0BGA14
McAfee-GW-Edition BehavesLike.Win32.Autorun.cc
Sophos Troj/VB-HKO
Cyren Clean
Jiangmin Clean
Antiy-AVL Trojan/Win32.SGeneric
Kingsoft Win32.Troj.Generic.a.(kcloud)
Microsoft VirTool:Win32/VBInject
ViRobot Trojan.Win32.Buzus.51417
AhnLab-V3 Dropper/Win32.Necurs
GData Gen:Variant.Symmi.44852
ByteHero Virus.Win32.Heur.p
VBA32 Trojan.Buzus
AVware Trojan.Win32.Generic!BT
Panda Trj/CI.A
Zoner Clean
ESET-NOD32 a variant of Win32/Injector.BGTO
Tencent Win32.Trojan.Gen.Pxvx
Ikarus Backdoor.Andromeda
Fortinet W32/Injector.BGTO!tr
AVG Inject2.ALYW
Baidu-International Trojan.Win32.Buzus.aM
Qihoo-360 HEUR/Malware.QVM03.Gen
