5 replies to this topic

[TeMerc]

From:
hxxp://proantispywarescanv3.com/download/Setup-30a_02020-1.exe

VT hits clean:
File Setup-30a_02020-1.exe received on 2009.07.19 17:58:37 (UTC)
Result: 0/41 (0%)
http://www.virustotal.com/analisis/cab8bee...4301-1248026317

Started here:
hxxp://sarracenia.com/pubs/babout.php?erin+andrews+peephole+video+cache
hxxp://ry0.ru/paths/path4.php
hxxp://bestjokesever.cn/go.php?id=2020-01&key=f804e386a&p=1
hxxp://j.maxmind.com/app/geoip.js

Maybe someone can take it apart, I tried to run it in Sandboxie and all it did was delete itself.

Attached Files

•  Setup_30a_02020_1.zip   131.36K   4 downloads

[MysteryFCM]

I believe these ones are sandbox/VM aware, so will need to be run live. I've got them going through JoeBox and TE to confirm this atm, and will report back with the results (at the other arf's so can't run it myself unfortunately)

[MysteryFCM]

JoeBox analysis (I really hate the fact that the JB reports ALWAYS freeze the damn browser whilst they're loading) attached.

TE report:

http://www.threatexpert.com/report.aspx?md...2950e1c1aa168f8

Attached Files

•  result.html   1.16MB   2 downloads

[TeMerc]

I got those runtime errors.

I didn't have time to run it live, or I would have.

[MysteryFCM]

hehe no worries

[Fatdcuk]

Hi Tom,

Almost certainly a rogue install that we have covered,thoes particular URL's are dispencing run once installers so is royal PITA tracking every new installer+ they have very limited shelf life.

Rule of thumb, we track them so far but as long as we have the installs covered so both PM and Quickscan pick it off then hitting every installer becomes non priority.