Question
sc302 Veteran
Apparently I have a piece of 0-day malware that seems to be attaching itself to different processes on different machines, everything from not very well known exes to well known exes. I need something that will break the exe apart, find out what it is calling, and find out what exactly is embedded in it. Yes, yes, millions of lines of code... I don't feel like waiting for my AV company to find the issue and fix it.
Executables that Comodo seems to think are communicating to IPs:
pc1: googlequicksearchbox.exe -> 208.73.210.48
pc2: svchost.exe -> 208.73.210.48
server1: btmservice.exe -> 208.73.210.48
Info about 208.73.210.48
IP address: 208.73.210.48
Reverse DNS: [No reverse DNS entry per ns1.oversee.net.]
Reverse DNS authenticity: [unknown]
ASN: 33626
ASN Name: OVERSEE-DOT-NET
IP range connectivity: 7
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States dollars]
Country IP Range: 208.73.128.0 to 208.73.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): -- []
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 208.73.210.48
This is going on with multiple computers/servers, and random exes are all communicating... I need to find what is calling the malware to run and connect.
40 answers to this question
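The poster asks for something that will "break the exe apart" and show what it is calling. The first static step is to walk the PE import table, which is what the following script does; it is an added example written for this page, not code from the thread or from any of the products mentioned. It is pure standard-library Python (no pefile), handles both PE32 and PE32+, and flags imports that matter for this kind of case: process-injection APIs and socket/HTTP DLLs. The sample PE it parses by default is constructed inline (a stub with only an import section, not a real binary), and the INJECTION_APIS / NETWORK_DLLS lists are an assumed triage heuristic, not an exhaustive signature.

```python
"""Walk a PE import table and flag injection/network imports (added example)."""
import struct

# Assumed triage lists: APIs commonly used to inject into other processes and
# DLLs that give a binary network access. Extend for your own environment.
INJECTION_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                  "SetWindowsHookExA", "SetWindowsHookExW", "QueueUserAPC",
                  "NtCreateThreadEx"}
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}


def _rva_to_offset(rva, sections):
    """Map a virtual address (RVA) to a file offset using the section table."""
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll_name: [imported function or 'ordinal#N', ...]} for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                       # PE32: 4-byte thunks
        datadir, thunk_fmt = opt + 96, "<I"
    elif magic == 0x20B:                                     # PE32+: 8-byte thunks
        datadir, thunk_fmt = opt + 112, "<Q"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    thunk_size = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (thunk_size * 8 - 1)
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, rawptr, rawsize))
    imp_rva = struct.unpack_from("<I", data, datadir + 8)[0]  # data directory entry 1
    imports = {}
    if imp_rva == 0:
        return imports
    desc = _rva_to_offset(imp_rva, sections)
    while True:                                              # IMAGE_IMPORT_DESCRIPTOR array
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                    # all-zero terminator
            break
        dll = _cstr(data, _rva_to_offset(name_rva, sections))
        thunk = _rva_to_offset(oft or ft, sections)          # some packers zero OFT
        funcs = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:                                            # RVA to hint(2) + name
                funcs.append(_cstr(data, _rva_to_offset(entry & 0x7FFFFFFF, sections) + 2))
            thunk += thunk_size
        imports[dll] = funcs
        desc += 20
    return imports


def triage(imports):
    """Return (injection APIs found, network DLLs found) from a parsed import table."""
    inj = sorted(f for funcs in imports.values() for f in funcs if f in INJECTION_APIS)
    net = sorted(d for d in imports if d.lower() in NETWORK_DLLS)
    return inj, net


def build_sample_pe():
    """Constructed PE32 stub with one .idata section; not a real executable."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)   # COFF header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x1000, 0x3C)                # import directory
    struct.pack_into("<8sIIII", img, opt + 224, b".idata", 0x200, 0x1000, 0x200, 0x200)
    base, rva = 0x200, 0x1000
    for i, (oft, name, ft) in enumerate([(0x40, 0x80, 0x60), (0x50, 0x90, 0x70)]):
        struct.pack_into("<IIIII", img, base + 20 * i, rva + oft, 0, 0, rva + name, rva + ft)
    for off in (0x40, 0x60):                                                # KERNEL32 thunks
        struct.pack_into("<III", img, base + off, rva + 0xA0, rva + 0xC0, 0)
    for off in (0x50, 0x70):                                                # WS2_32 thunks
        struct.pack_into("<III", img, base + off, 0x80000017, rva + 0xE0, 0)
    for off, s in ((0x80, b"KERNEL32.dll"), (0x90, b"WS2_32.dll"),
                   (0xA2, b"CreateRemoteThread"), (0xC2, b"WriteProcessMemory"), (0xE2, b"WSAStartup")):
        img[base + off:base + off + len(s)] = s
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    imports = parse_imports(data)
    for dll, funcs in imports.items():
        print(f"{dll}: {', '.join(funcs)}")
    print("injection APIs:", *triage(imports)[0])
    print("network DLLs:", *triage(imports)[1])
```

Run it as `python pe_imports.py C:\path\to\svchost.exe` on a copy of each flagged file. Two caveats for this particular case: a clean svchost.exe will show nothing interesting because the malicious code is injected into it at runtime, so what you really want is the list of loaded modules of the process that owns the connection to 208.73.210.48 (the unsigned or oddly placed DLL in that list is the sample to run this script against); and malware that resolves APIs with LoadLibrary/GetProcAddress will only show those two names here, which is itself a signal worth noting.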