Ramnit via Malvertising

Got a malvertisement from a warez website that leads to the Ramnit virus:
[screenshot: Malvertising_Ramnit]
Served from popads.net:
[screenshot: Malvertising_Ramnit2]
The TDS: http://dristohren.biz (64.120.137.35)

NetRange: 64.120.128.0 – 64.120.255.255
CIDR: 64.120.128.0/17
OriginAS: AS21788
NetName: HOSTNOC-5BLK
NetHandle: NET-64-120-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
RegDate: 2009-04-27
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-64-120-128-0-1

[screenshot: Malvertising_Ramnit3]
The dropper: http://malwaredb.malekal.com/index.php?hash=8388ea91a2d7fd290a6b0c32f3dd5f7c

Detections are good: https://www.virustotal.com/fr/file/d64b3eff3613e301acb95dc057d604526aeb396854a73b1eca327262da5d85fb/analysis/1362590163/

SHA256: d64b3eff3613e301acb95dc057d604526aeb396854a73b1eca327262da5d85fb
File name: 0.20802980489479506.exe
Detection ratio: 11 / 46
Analysis date: 2013-03-06 17:16:03 UTC (10 minutes ago)

AhnLab-V3 Trojan/Win32.Lebag 20130306
CAT-QuickHeal (Suspicious) – DNAScan 20130306
DrWeb Trojan.Inject1.15519 20130306
Jiangmin Trojan/Lebag.bee 20130304
Kaspersky HEUR:Trojan.Win32.Generic 20130306
Malwarebytes Trojan.Lebag 20130306
McAfee-GW-Edition Heuristic.BehavesLike.Win32.Obfuscated.D 20130306
Panda Trj/Genetic.gen 20130306
TrendMicro PAK_Generic.005 20130306
TrendMicro-HouseCall PAK_Generic.005 20130306

[screenshots: Malvertising_Ramnit4 to Malvertising_Ramnit7]
The driver: https://www.virustotal.com/fr/file/c1293f8dd8a243391d087742fc22c99b8263f70c6937f784c15e9e20252b38ae/analysis/

SHA256: c1293f8dd8a243391d087742fc22c99b8263f70c6937f784c15e9e20252b38ae
File name: dnsgvbny.sys
Detection ratio: 43 / 46
Analysis date: 2013-02-22 15:35:49 UTC (1 week, 5 days ago)

[screenshot: Malvertising_Ramnit8]
Connects to: 188.40.45.67:443

inetnum: 188.40.45.64 – 188.40.45.127
netname: HETZNER-RZ10
descr: Hetzner Online AG
descr: Datacenter 10
country: DE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
mnt-lower: HOS-GUN
mnt-routes: HOS-GUN
source: RIPE # Filtered

EDIT April 18 2013

Another one: http://malwaredb.malekal.com/index.php?hash=3324d8f9d58a37d92b0c44a021e2a1f9

https://www.virustotal.com/fr/file/634ec041368d4e8a10cb1c7cf1e99b4a758bc5a3449635bc07354fb58f2ff20c/analysis/1366272286/

SHA256: 634ec041368d4e8a10cb1c7cf1e99b4a758bc5a3449635bc07354fb58f2ff20c
File name: 0.5107251914043918.bfg
Detection ratio: 12 / 46
Analysis date: 2013-04-18 08:04:46 UTC (0 minutes ago)

BitDefender Gen:Variant.Kazy.165322 20130418
Comodo Heur.Suspicious 20130418
Emsisoft Gen:Variant.Kazy.165322 (B) 20130418
F-Secure Gen:Variant.Kazy.165322 20130418
Fortinet W32/Kryptik.AYLT!tr 20130418
GData Gen:Variant.Kazy.165322 20130418
Kaspersky Trojan.Win32.Lebag.uet 20130418
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.F 20130418
Microsoft Trojan:Win32/Ramnit.A 20130418
MicroWorld-eScan Gen:Variant.Kazy.165322 20130418
Symantec WS.Reputation.1 20130418

Malvertising from Clicksor:

[screenshots: Clicksor_Malvertising_Ramnit to Clicksor_Malvertising_Ramnit3]

http://tikamoho.com/ad_track.php?s=2&aid=123&cn=eu&contextm=1 (31.207.2.154 – CEUSERVERS – CZ)
http://tikamoho.com/in.cgi?2&ngsno=1&lpbdd=1&jgocs=3667054860&ur=1&HTTP_REFERER=http%3A%2F%2Fads%2Ehooqy%2Ecom%2FnewServing%2Fbanner%5Fframe%2Ephp%3Fnid%3D1%26pid%3D102042%26sid%3D301172%26zone%3D%2D1%26image%3D3%26adtype%3D1%26key%3De9ecd422a05a733728190c0c2c455912&aid=123&cn=eu&contextm=1
http://lkghktyhyadvfl.biz/jkBD3v17ujQ17xg20Fnoc0VXj30haog0J9AW0Rovk0HtXS0F9gg04t2L0Gjch/ (94.198.96.9 – SEFLOW-DEDICATED-NET – IT)
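Added example, not code from the original post: it parses the Clicksor redirect chain above, decodes the percent-encoded HTTP_REFERER that the TDS carries (which exposes the ads.hooqy.com banner frame as the page the ad was loaded from), and matches the resulting host list against proxy log lines. The log layout and the SAMPLE_LOG entries are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Redirect-chain URLs quoted in the post above, copied here as sample input.
CHAIN_URLS = [
    "http://tikamoho.com/ad_track.php?s=2&aid=123&cn=eu&contextm=1",
    "http://tikamoho.com/in.cgi?2&ngsno=1&lpbdd=1&jgocs=3667054860&ur=1"
    "&HTTP_REFERER=http%3A%2F%2Fads%2Ehooqy%2Ecom%2FnewServing%2Fbanner%5Fframe"
    "%2Ephp%3Fnid%3D1%26pid%3D102042%26sid%3D301172%26zone%3D%2D1%26image%3D3"
    "%26adtype%3D1%26key%3De9ecd422a05a733728190c0c2c455912&aid=123&cn=eu&contextm=1",
    "http://lkghktyhyadvfl.biz/jkBD3v17ujQ17xg20Fnoc0VXj30haog0J9AW0Rovk0HtXS0F9gg04t2L0Gjch/",
]

def unpack_hop(url):
    """Describe one hop: host, path and, when the TDS carried the page it was
    loaded from in a percent-encoded HTTP_REFERER parameter, that page's host
    and query fields (parse_qs decodes the value, so it can be parsed again)."""
    p = urlparse(url)
    hop = {"host": p.hostname, "path": p.path, "referer_host": None, "referer_params": {}}
    ref = parse_qs(p.query).get("HTTP_REFERER", [None])[0]
    if ref:
        r = urlparse(ref)
        hop["referer_host"] = r.hostname
        hop["referer_params"] = {k: v[0] for k, v in parse_qs(r.query).items()}
    return hop

def hosts_in_chain(urls):
    """All hosts touched by the chain, including the one only visible after
    decoding the embedded referer (the ads.hooqy.com banner frame)."""
    hosts = set()
    for hop in map(unpack_hop, urls):
        hosts.add(hop["host"])
        if hop["referer_host"]:
            hosts.add(hop["referer_host"])
    return sorted(hosts)

def flag_proxy_lines(lines, hosts):
    """Proxy log lines whose requested host is in the chain. Assumes the
    constructed 'timestamp client METHOD url' layout used in SAMPLE_LOG."""
    wanted = set(hosts)
    return [ln for ln in lines
            if len(ln.split()) >= 4 and urlparse(ln.split()[3]).hostname in wanted]

# Constructed proxy log sample (not from the original post).
SAMPLE_LOG = [
    "2013-04-18T08:01:02 10.0.0.5 GET http://example.com/index.html",
    "2013-04-18T08:01:05 10.0.0.5 GET http://tikamoho.com/ad_track.php?s=2&aid=123",
    "2013-04-18T08:01:06 10.0.0.5 GET http://lkghktyhyadvfl.biz/jkBD3v17ujQ17xg20/",
]
```

Calling `flag_proxy_lines(SAMPLE_LOG, hosts_in_chain(CHAIN_URLS))` returns the two constructed lines that reached the chain; `unpack_hop(CHAIN_URLS[1])["referer_params"]` exposes the hooqy placement fields (nid, pid, sid, zone, key) for correlation with the ad network.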

[screenshot: Clicksor_Malvertising_Ramnit4]
