92.63.197.190 (Ruski Email Worm Hosted In AS60307 HVFOPSERVER-AS, UA)

Dangerous worm spreading through e-mail, probably our old friend snk.

Defense Evasion (obscures a file’s origin) :

  • Tries to delete zone identifier of file “C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pe.exe”.
  • Tries to delete zone identifier of file “C:\Windows\230531292821781\svchost.exe”.
  • Tries to delete zone identifier of file “C:\Users\5P5NRG~1\AppData\Local\Temp\1762129910.exe”.
  • Tries to delete zone identifier of file “C:\Users\5P5NRG~1\AppData\Local\Temp\2759815991.exe”.
  • Tries to delete zone identifier of file “C:\Users\5P5NRG~1\AppData\Local\Temp\1454232575.exe”.
  • Tries to delete zone identifier of file “C:\Users\5P5NRG~1\AppData\Local\Temp\1740811625.exe”.

Contacts malicious URLs :

  • Contacted URL “hxxp://tldrbox.top/1”
  • Contacted URL “hxxp://tldrbox.top/2”
  • Contacted URL “hxxp://tldrbox.top/3”
  • Contacted URL “hxxp://tldrbox.top/4”
  • Contacted URL “hxxp://tldrbox.top/5”
  • Contacted URL “hxxp://tldrbox.top/v”

Detects Sandboxes :

  • Tries to detect “SunBelt Sandbox” by checking for existence of module “dir_watch.dll”.
  • Tries to detect “SunBelt Sandbox” by checking for existence of module “pstorec.dll”.
  • Tries to detect “Virtual PC” by checking for existence of module “vmcheck.dll”.
  • Tries to detect “SunBelt Sandbox” by checking for existence of module “api_log.dll”.
  • Tries to detect “Comodo Sandbox” by checking for existence of module “cmdvrt32.dll”.
  • Tries to detect “Sandboxie” by checking for existence of module “SbieDll.dll”.
  • Tries to detect “Sandboxie” by checking for existence of module “SbieDllX.dll”.
  • Tries to detect “AVAST Sandbox” by checking for existence of module “snxhk.dll”.

Disables Windows Security Center monitoring and notifications :

  • Disables monitoring for antivirus software by Windows Security Center.
  • Disables monitoring for firewall software by Windows Security Center.
  • Disables Windows Security Center antivirus notification.
  • Disables Windows Security Center warning about disabled system updates.
  • Disables Windows Security Center warning about disabled automatic system updates.
  • Disables Windows Security Center firewall notification.

Performs DNS requests (mail-provider domains and their MX hosts) :

Connects to remote hosts (outgoing TCP connections on port 25, SMTP) :

Connects to HTTP servers :

Exe file : hxxps://www.xup.in/dl,79407726/pe.7z/

Hosting info :

hxxps://whois.domaintools.com/92.63.197.190