[en] advert leads to an hacked website (expecity.com)

Got it from Warez Website with a clicksor advertising that lead to banner.fastclickout24.com and fr.couponhit.com :

fr.couponhit.com loads tradedoubler.com stuffs : expecity.com_malvertising8
tradedoubler.com redirect to ecs-fr.kelkoo.fr expecity.com_malvertising
then ecs-fr.kelkoo.fr redirect to jump.beezup.com expecity.com_malvertising2
finally to advert for expecity.com (legitim shop website) :
On expecity.com we got a javascript with functionjs.com (

inetnum: –
descr: Hetzner Online AG
descr: Datacenter Nuernberg
country: DE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
mnt-by: HOS-GUN
mnt-lower: HOS-GUN
mnt-routes: HOS-GUN
source: RIPE # Filteredexpecity.com_malvertising4

that redirect to the Exploit Kit : expecity.com_malvertising5

yeah an advertising that leads to an hacked website – will try to contact them : expecity.com_malvertising9

The dropper : http://malwaredb.malekal.com/index.php?hash=1da83efd27fcc7270f9631539f38f630


SHA256: 91f905a4e43bafb4ae3c4a376a6e9efce93cd9e9d592c270f3497f33d600b440
File name: GRPCONV.EXE
Detection ratio: 2 / 46
Analysis date: 2013-02-06 08:27:59 UTC ( 1 heure, 1 minute ago )

Fortinet W32/Zbot.DHN!tr 20130206
Kaspersky UDS:DangerousObject.Multi.Generic 20130206

The dropper loads sub-processus with random digit name and create a Run Key – the new file have better detection : https://www.virustotal.com/file/73d4a16d8321cb61b50d26098bea91fe3e26d051e074c8fa2f33d5484e63032b/analysis/1360143698/

AntiVir TR/Crypt.XPACK.Gen 20130206
ESET-NOD32 a variant of Win32/Kryptik.ATRT 20130206
Kaspersky UDS:DangerousObject.Multi.Generic 20130206
Malwarebytes Trojan.Ransom.Gen 20130206
Panda Trj/Genetic.gen 20130205
Symantec Suspicious.Cloud.5 20130206
TrendMicro-HouseCall TROJ_GEN.F47V0205 20130206


Many HTTP connections and SMTP so spambot (i don’t know his name): expecity.com_malvertising_malware2

EDIT February 9

3 days after, the malicious redirection is still active, now on the main page.
I got a contact with the webmaster by mail and he is not able to find the source of the redirection……



Avast! is able to detect the Exploit Kit :


EDIT Mars 5

Still online

expecity_exploit expecity_exploit2

EDIT Mars 30

still online

Expecity_Malware Expecity_Malware2 Expecity_Malware3

Toujours Fareit / Tepfer : http://malwaredb.malekal.com/index.php?hash=1bb84ed5a2911119cc9b61d44c96c5b5


DrWeb Trojan.PWS.Stealer.1932 20130330
Emsisoft Trojan.Win32.Agent.AMN (A) 20130330
ESET-NOD32 Win32/PSW.Fareit.A 20130330
Kaspersky Trojan-PSW.Win32.Tepfer.hnyd 20130330
Microsoft PWS:Win32/Fareit 20130330
Sophos Mal/Generic-S 20130330
TrendMicro-HouseCall TROJ_GEN.F47V0329 20130330

EDIT April 15

Toujours des redirections vers un Exploit Kit – soit depuis 2 mois.

avec une iframe qui redirige vers http://scriptsname.com/sname ( – HETZNER-RZ-NBG-NET – DE)

qui redirige vers l’Exploit Kit : http://linksrt.com/contents/gallery.php?tracetabs=86 ( – RN-Data-DC – LV) Expecity_Hack2
Le kit refile ZeroAccess/Sirefef et Trojan.Necurs Expecity_Hack4

Edit May 4

Malicious redirection still online : http://malwaredb.malekal.com/index.php?hash=049e32e474be11705fb37b8d89b634a6
So Two months.

Expecity_Exploit_Mai Expecity_Exploit_Mai2

EDIT May 29

still online : http://malwaredb.malekal.com/index.php?hash=ca7dd5e36980c22ab8c86a4abb1b813f

Exploit_Expecity Exploit_Expecity2

EDIT June 25

still online

Expecity_exploit Expecity_exploit2


SHA256: a9d14747e0224b3632cd101104c0b612c3387ed9b6f7ce14a2b1e33be49064d1
Nom du fichier : malekal_7fd217cbb06354b0bb8e029f9fa43dd4
Ratio de détection : 6 / 47
Date d’analyse : 2013-06-25 12:34:45 UTC (il y a 3 minutes)

AntiVir TR/Crypt.XPACK.Gen3 20130625
ByteHero Trojan.Malware.Obscu.Gen.004 20130613
Comodo UnclassifiedMalware 20130625
Kaspersky Trojan-PSW.Win32.Tepfer.mxgs 20130625
Panda Trj/Dtcontx.F 20130625
VIPRE Trojan.Win32.Kryptik.bcgs (v) 20130625




URL normalisée : http://scriptsname.com/sname
Ratio de détection : 3 / 38  <== wondering how it can be so bad !
Date d’analyse : 2013-06-25 12:37:23 UTC (il y a 2 minutes)

(Visité 73 fois, 1 visites ce jour)

Vous pouvez aussi lire...