Nrgbot via TrafficHolder malvertising

Just found this from TrafficHolder:
http://www.freeadultsporn.com/ (80.82.70.234)
http://www.freeadultsporn.com/%28%20European%20Hot%20Babes.com%20%29%20Most%20sexiest%20babes%20from%20all%20over%20the%20Europe%20and%20whole%20wide%20world_files/style.css
http://www.freeadultsporn.com/%28%20European%20Hot%20Babes.com%20%29%20Most%20sexiest%20babes%20from%20all%20over%20the%20Europe%20and%20whole%20wide%20world_files/whv2_001.js
which redirects to an exploit kit:
http://stereoagreement.biz:1781/prazdnik/dremin/buttons.php?cars=8
http://stereoagreement.biz:1781/prazdnik/dremin/EQRMvW.jar
http://stereoagreement.biz:1781/prazdnik/dremin/MakYhMvs.jar
http://stereoagreement.biz:1781/prazdnik/dremin/EQRMvW.jar
http://stereoagreement.biz:1781/prazdnik/dremin/MakYhMvs.jar
http://stereoagreement.biz:1781/prazdnik/dremin/EQRMvW.jar
http://stereoagreement.biz:1781/prazdnik/dremin/EQRMvW.jar
http://stereoagreement.biz:1781/prazdnik/dremin/gsibl.class
http://stereoagreement.biz:1781/prazdnik/dremin/gsibl/class.class

The domain FREEADULTSPORN.COM is new, so this is probably malvertising:

Domain Name: FREEADULTSPORN.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.ANONY-ONES.COM
Name Server: NS2.ANONY-ONES.COM
Status: clientTransferProhibited
Updated Date: 27-aug-2013
Creation Date: 27-aug-2013
Expiration Date: 27-aug-2014

In the strings in the binary's memory we can find a URL, so this is a Trojan.Downloader:
The malware is an Nrgbot, which is not very common from malvertising; it connects to u.placo.us (27.54.210.21) on port 9380.

Domain ID:D7595330-AFIN
Domain Name:PLACO.IN
Created On:27-Aug-2013 09:19:29 UTC
Last Updated On:28-Aug-2013 10:29:44 UTC
Expiration Date:27-Aug-2014 09:19:29 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:WIQ_29524138
Registrant Name:Mike J Perez
Registrant Organization:-
Registrant Street1:12 86391 Stadtbergen
Registrant Street2:
Registrant Street3:
Registrant City:Beds
Registrant State/Province:Dobeles Apripkis
Registrant Postal Code:76491
Registrant Country:LV
Registrant Phone:+371.754907346
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:bigpigever@gmail.com

A Google search for bigpigever@gmail.com returns some hacked forums.

Anyway, detections for this in-the-wild stuff are very good.

http://malwaredb.malekal.com/index.php?hash=c4a4e560e6144a2517aa954d267b961f

http://malwaredb.malekal.com/index.php?hash=ce2e9daa72f468fa82d954b2895c4734
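As an added example (not code from the original post), here is a small Python detector that walks proxy log lines and tags the three stages of the chain described above: the landing page, the exploit-kit fetches on port 1781 (generalised to any .jar/.class fetched over a non-standard HTTP port), and the Nrgbot C2 connection to u.placo.us:9380. The log line format and the sample traffic are assumptions, not a real capture.

```python
import re
from collections import namedtuple
# Indicators quoted from the post: landing page, exploit-kit host/port, Nrgbot C2 host/IP/port.
LANDING_HOSTS = {"www.freeadultsporn.com"}
EK_HOST, EK_PORT = "stereoagreement.biz", 1781
C2_HOSTS, C2_PORT = {"u.placo.us", "27.54.210.21"}, 9380
# Assumed (hypothetical) proxy log line: "<client_ip> <METHOD> <url or host:port>".
LINE_RE = re.compile(r"^(\S+)\s+([A-Z]+)\s+(\S+)$")
TARGET_RE = re.compile(r"^(?:(https?)://)?([^/:\s]+)(?::(\d+))?(/\S*)?$")
Event = namedtuple("Event", "client method host port path")
def parse_line(line):
    """Parse one log line into an Event; None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    t = TARGET_RE.match(m.group(3)) if m else None
    if not t:
        return None
    scheme, host, port, path = t.groups()
    port = int(port) if port else (443 if scheme == "https" else 80)
    return Event(m.group(1), m.group(2), host.lower(), port, path or "/")
def classify(ev):
    """Tag one event with every stage of the chain it matches."""
    tags = []
    if ev.host in LANDING_HOSTS:
        tags.append("malvertising-landing")
    if ev.host == EK_HOST and ev.port == EK_PORT:
        tags.append("exploit-kit")
    # Generalisation of the EK traffic above: Java payloads served on a non-standard HTTP port.
    if ev.port not in (80, 443) and ev.path.lower().endswith((".jar", ".class")):
        tags.append("java-payload-odd-port")
    if ev.host in C2_HOSTS and ev.port == C2_PORT:
        tags.append("nrgbot-c2")
    return tags

def scan(lines):
    """Return {client: ordered, de-duplicated chain stages seen for that client}."""
    seen = {}
    for ev in filter(None, map(parse_line, lines)):
        for tag in classify(ev):
            stages = seen.setdefault(ev.client, [])
            if tag not in stages:
                stages.append(tag)
    return seen

# Constructed sample traffic mirroring the chain in the post; not a real capture.
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.freeadultsporn.com/",
    "10.0.0.5 GET http://stereoagreement.biz:1781/prazdnik/dremin/EQRMvW.jar",
    "10.0.0.5 CONNECT u.placo.us:9380",
    "10.0.0.9 GET https://example.org/index.html",
]
```

A client that accumulates all four tags has walked the whole chain; the ordered stage list per client is what you would hand to an analyst or feed into a correlation rule.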