bullguard09.wm01.to (Injector.DSCE, hosted in Portugal, Lisbon, Dotsi Unipessoal Lda.)

Resolved [ bullguard09.wm01.to ] To [ 5.206.227.248 ]

Malware activity:

Reads terminal service related keys (often RDP related)
Sets a global windows hook to intercept keystrokes
Creates a fake system process
Modifies auto-execute functionality by setting/creating a value in the registry
Writes data to a remote process
Reads the active computer name
Reads the cryptographic machine GUID
Opens the MountPointManager (often used to detect additional infection locations)

Sample here: hxxps://www.multiup.eu/b5f25a49310dc36ca128a3947f566ae6

Hosting info:
http://whois.domaintools.com/5.206.227.248
