197.85.182.110 (Trojan Emotet hosted in South Africa, Cape Town, Mweb Connect (proprietary) Limited)

Spawned process “cmd.exe” with command line “/c C:/winclient.au3” (UID: 00009516-00001892)

AutoIt strings are present inside the binary, and the spawned .au3 file is an AutoIt script, so this malware may itself be written in (or compiled from) AutoIt.

Injected into “CCleaner.exe” at 2015-07-02 14:59:47.395 (UID: 00009516-00000996)

Contacts many different hosts, all on port 8080:

“197.85.182.110:8080”
“162.144.35.78:8080”
“158.255.238.209:8080”
“198.1.122.176:8080”
“119.59.124.163:8080”
“200.159.128.132:8080”
“88.208.228.111:8080”
“162.144.88.73:8080”
“103.245.153.70:8080”
“103.228.200.37:8080”

POSTs data to a web server on port 8080. One captured request:

“POST /b215de35/f5665861/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: 200.159.128.132:8080
Content-Length: 203
Connection: Keep-Alive
Cache-Control: no-cache”

No payload was captured, although Content-Length announces a 203-byte body. The User-Agent is an ordinary IE10-on-Windows-7 string and is not an indicator on its own; only the host list and the request shape are worth alerting on.
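The following is an added example (not code from the original post) that turns the indicators above, the port-8080 host list, the POST request shape and the cmd.exe /c ...au3 spawn, into a small matcher you can run over proxy and process-creation logs. The proxy-log line format is constructed for the example and is not any real product's format; the URI regex generalises the single observed path /b215de35/f5665861/ to "two 8-hex-character segments", which is an assumption to tune against your own traffic, and the sample log lines are constructed.

```python
import re

# --- Indicators transcribed from the post -------------------------------
# C2 hosts listed above; every one is contacted on TCP/8080.
EMOTET_C2 = {
    "197.85.182.110", "162.144.35.78", "158.255.238.209", "198.1.122.176",
    "119.59.124.163", "200.159.128.132", "88.208.228.111", "162.144.88.73",
    "103.245.153.70", "103.228.200.37",
}
C2_PORT = 8080
# User-Agent from the captured POST. It is a plausible real IE10 string, so on
# its own it is not an indicator; it only corroborates the other two.
C2_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
# ASSUMPTION: the one observed URI /b215de35/f5665861/ is generalised to
# "two 8-hex-char segments". The post shows a single request, so treat this
# as a hypothesis, not a confirmed C2 URI scheme.
C2_URI_RE = re.compile(r"^/[0-9a-f]{8}/[0-9a-f]{8}/$")
# Process indicator: cmd.exe /c <something>.au3 (.au3 = AutoIt script).
AU3_CMD_RE = re.compile(r"(?:^|\s)/c\s+\S+\.au3(?:\s|$)", re.IGNORECASE)


def classify_http(method, host, port, uri, user_agent):
    """Return the set of indicator names a single HTTP request matches."""
    hits = set()
    if host in EMOTET_C2 and port == C2_PORT:
        hits.add("c2_host")
    if method.upper() == "POST" and C2_URI_RE.match(uri.lower()):
        hits.add("uri_pattern")
    if user_agent == C2_UA:
        hits.add("user_agent")
    return hits


def verdict(hits):
    """Collapse indicator hits into an alert level.

    A listed C2 host is enough to alert on by itself; the URI shape and the
    User-Agent are only corroborating evidence and never alert alone.
    """
    if "c2_host" in hits:
        return "high"
    if "uri_pattern" in hits and "user_agent" in hits:
        return "medium"
    return "none"


# Constructed proxy-log format for this example (not a real product's format):
#   <timestamp> <method> <host>:<port> <uri> "<user-agent>"
PROXY_LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+'
    r'(?P<uri>\S+)\s+"(?P<ua>[^"]*)"$'
)


def scan_proxy_log(lines):
    """Yield (line_number, verdict, hits) for every line that alerts."""
    for n, line in enumerate(lines, 1):
        m = PROXY_LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        hits = classify_http(m["method"], m["host"], int(m["port"]), m["uri"], m["ua"])
        v = verdict(hits)
        if v != "none":
            yield n, v, hits


def is_au3_launch(image, command_line):
    """True when a process-creation event matches the cmd.exe /c ...au3 spawn."""
    return image.lower().endswith("cmd.exe") and bool(AU3_CMD_RE.search(command_line))


# Constructed sample lines: the first mirrors the captured request, the second
# is benign browsing with the same UA, the third has the URI shape but goes to
# a host that is not on the list.
SAMPLE_PROXY_LOG = [
    '2015-07-02T14:59:51Z POST 200.159.128.132:8080 /b215de35/f5665861/ "%s"' % C2_UA,
    '2015-07-02T15:00:03Z POST www.example.com:443 /login "%s"' % C2_UA,
    '2015-07-02T15:00:09Z POST 203.0.113.7:8080 /0a1b2c3d/4e5f6071/ "%s"' % C2_UA,
]

if __name__ == "__main__":
    for n, v, hits in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {v} {sorted(hits)}")
    print(is_au3_launch(r"C:\Windows\System32\cmd.exe", "/c C:/winclient.au3"))
```

Running it flags line 1 as high (listed host plus URI shape plus UA), skips line 2 (UA alone is benign browsing), and rates line 3 medium, which is the case to review by hand: either a C2 not yet on the list or a false positive from the URI assumption.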

sample here

Hosting info:
http://whois.domaintools.com/197.85.182.110
