
.EXE for Analysis possible?


2 replies to this topic

#1 bass740

  • Members
  • 26 posts

Posted 14 January 2014 - 02:51 AM

So I got an email today in zip format with an exe file. I scanned it with an online scanner and the test revealed it safe; it was also deemed safe by my AV, BD.

 

I think it's a snooping code, no more, and that is why it's getting passed under the radar. I would love to get more info on this code and am wondering if anyone here can further analyze it.

 

It has two originating IPs, and the email it arrived from is bogus, but what the user was thinking can be a clue.

 

Here is some of the text I was able to retrieve from the code, which was not executed on my machine, but I might do so in VMware to check the IP the code is intended to communicate with.

 

GetCurrentThreadId
GetCurrentThread
HeapCreate
GetCurrentProcessId
GetSystemTimeAsFileTime
GetConsoleMode
GetLastError
LoadLibrary
GetLocaleInfoW
GetCPInfo
GetTickCount  
GetEnvironmentStrings KERNEL32.dll
ADVAPI32.dll
GetIpStatistics IPHLPAPI.DL
Free sSetLastError

 

Here is the email source:

from securityycve.net (unknown [173.199.227.114])
	by mtain-mp03.r1000.mx.aol.com (Internet Inbound) with SMTP id C1B8C370001C9;
	Mon, 13 Jan 2014 14:14:17 -0500 (EST)
Received: from relay.2yahoo.com [208.83.235.55] by relay-x.misswldrs.com with LOCAL; Mon, 13 Jan 2014 12:58:55 -0600
Received: from unknown (HELO smtp.doneohx.com) (Mon, 13 Jan 2014 12:39:03 -0600)
	by mtu23.bigping.com with SMTP; Mon, 13 Jan 2014 12:39:03 -0600
Received: from m1.gns.snv.thisdomainl.com [206.77.64.32] by snmp.otwaloow.com with QMQP; Mon, 13 Jan 2014 12:24:41 -0600
Received: from public.micromail.com.au ([143.208.148.172]) by mailout.endmonthnow.com with ESMTP; Mon, 13 Jan 2014 12:12:37 -0600
Message-ID: <9E4ED095.D07C4214@securityycve.net>
Date: Mon, 13 Jan 2014 12:12:37 -0600
Reply-To: "EGCTechServs" <securitymazxtubqg@securityycve.net>
From: "EGCTechServs" <securitymazxtubqg@securityycve.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.17) Gecko/20080914 Thunderbird/2.0.0.17
X-Accept-Language: en-us
MIME-Version: 1.0

Here is the email that's displayed as received from:

 

securitymazxtubqg@securityycve.net

 

Please pay note to the CVE letters this user used in the email; it's someone that's familiar with the acronym, which stands for Common Vulnerabilities and Exposures (CVE).

 

Anyway, it was an interesting find and sloppy work by the sender. I would like to hear from the experts of the forum, and anyone who wants the exe is welcome to it as a .txt.

 

My first post here, cheers.


Edited by bass740, 14 January 2014 - 07:08 AM.



 


#2 noknojon

  • Banned
  • 10,871 posts

Posted 14 January 2014 - 05:40 AM

Hello and Welcome -

An IP location trace of 173.199.227.114 estimates this is at, about, or most likely near Macy's, East Flagler Street, Miami, Florida -

 

ISP: Hotwire Communications

 

Along with the basic IP location and tracking information, the IP blacklist checker module can also show you the following information:

  • Status: Not Blacklisted
  • Search Engine
  • Suspicious
  • Harvester
  • Comment Spammer

 

It could just be a location of a spam bot or similar, unless you subscribe to a comments forum/survey.

Beyond that, information seems vague -

 

Personally, I would just change my email password (I do this on a monthly basis).

 

Others may help, but that was the limit of my search...

 

 

Regards -



#3 bass740

bass740
  • Topic Starter

  • Members
  • 26 posts

Posted 14 January 2014 - 06:19 AM

Thank you for the warm welcome, Nok. I also looked up the originating IP and got the same results.

 

I was more interested in what the code was designed to do and where it wanted to send this info once compiled. So I had plans to watch it go to work behind a firewall.

 

And also how do I know the originating IP is not a proxy or a fake IP?

 

Also, why a total of 4 IPs?

 

173.199.227.114
208.83.235.55
206.77.64.32
143.208.148.172

 

Many thanks for jumping in.


Edited by bass740, 14 January 2014 - 07:10 AM.
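The four addresses come from the Received: chain in the headers quoted in the first post, and the question of whether the originating IP can be faked is answered by who wrote each hop. The following is an added example, not code from the thread: it parses those quoted headers and marks the only hop the recipient's own mail server can vouch for. It assumes the truncated first header line is a Received: line and that mx.aol.com is the suffix of the recipient's own MX host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Headers quoted in the first post. That post's first line is cut off; this
# example ASSUMES it is a "Received:" line and restores that label only.
HEADERS = """\
Received: from securityycve.net (unknown [173.199.227.114])
\tby mtain-mp03.r1000.mx.aol.com (Internet Inbound) with SMTP id C1B8C370001C9;
\tMon, 13 Jan 2014 14:14:17 -0500 (EST)
Received: from relay.2yahoo.com [208.83.235.55] by relay-x.misswldrs.com with LOCAL; Mon, 13 Jan 2014 12:58:55 -0600
Received: from unknown (HELO smtp.doneohx.com) (Mon, 13 Jan 2014 12:39:03 -0600)
\tby mtu23.bigping.com with SMTP; Mon, 13 Jan 2014 12:39:03 -0600
Received: from m1.gns.snv.thisdomainl.com [206.77.64.32] by snmp.otwaloow.com with QMQP; Mon, 13 Jan 2014 12:24:41 -0600
Received: from public.micromail.com.au ([143.208.148.172]) by mailout.endmonthnow.com with ESMTP; Mon, 13 Jan 2014 12:12:37 -0600
From: "EGCTechServs" <securitymazxtubqg@securityycve.net>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading space or tab) onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_received(raw: str) -> List[Dict[str, Optional[str]]]:
    """Received hops in header order: index 0 was added last, by the recipient's server."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1]
        ip, frm, by = IP_RE.search(body), FROM_RE.search(body), BY_RE.search(body)
        hops.append({"from": frm.group(1) if frm else None,
                     "ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops

def classify_hops(hops, own_mx_suffix: str) -> List[Tuple[Optional[str], str]]:
    """Only a hop written by the recipient's own MX records an IP that server really
    saw; every hop below the first foreign one was already inside the message on
    arrival and could have been typed in by the sender."""
    verdicts, trusted = [], True
    for hop in hops:
        if not (hop["by"] or "").endswith(own_mx_suffix):
            trusted = False
        verdicts.append((hop["ip"], "observed by our MX" if trusted else "claimed by sender, unverifiable"))
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_hops(parse_received(HEADERS), "mx.aol.com"):
        print(f"{ip or '(no IP)':>16}  {verdict}")
```

The chain has five Received: lines but the third names no bracketed address, which is why the post counts four IPs; only 173.199.227.114, the address AOL's server saw connect, is attributable to anything.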




