
While running Fiddler, I discovered a suspicious GET request running in the background that uses iexplore.exe. It runs every couple of seconds and has encoded data in the request URL.

One of the requests:

http://136.243.24.246/H7giAGAb/nJO4fqhPN6Q0UaltIOnMwqpGp2YnmvJeK34G1j3FP7Mh20+HQ+JSX2MdaWMkMtdTgfIzJgZM/ZcbB7HhdSMwLAC30LyZSgi5UFEXeDr+gqxX7LLdeYrZwQRIKjynuRhCirWGQGkj1uAkwL5A2EpWP4

Looking at the contents of that IP in the browser, it doesn't look like anything "official" from Internet Explorer.

What can it be and how can I decode that request? My guess is that it somehow steals my data.


ADDED:

I did some further digging and it seems like it's because of m.exe malware:

https://cymon.io/136.243.24.4

http://vxvault.net/ViriFiche.php?ID=28404

Still, is there any way to decode the message?

Jan Doggen
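A triage script for the decoding question above, added here as an example and not part of the original post or any answer: it checks whether the two parts of the quoted URL path are valid standard base64 and, if so, whether the decoded bytes look like readable text or like random data, which is the "it could be encrypted" point Seth's comment raises. The entropy measure and the 0.95 printable-ratio threshold are assumed heuristics, not anything the malware is known to use.

```python
import base64
import binascii
import math
import re
from urllib.parse import urlsplit

# The beacon URL quoted in the question (copied from the post, not constructed).
OBSERVED_URL = (
    "http://136.243.24.246/H7giAGAb/"
    "nJO4fqhPN6Q0UaltIOnMwqpGp2YnmvJeK34G1j3FP7Mh20+HQ+JSX2MdaWMkMtdTgfIzJgZM/"
    "ZcbB7HhdSMwLAC30LyZSgi5UFEXeDr+gqxX7LLdeYrZwQRIKjynuRhCirWGQGkj1uAkwL5A2EpWP4"
)
# Standard base64 alphabet; '/' belongs to it, so splitting the path on '/'
# would cut the blob in two.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 means random-looking (encrypted or compressed)."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def try_base64(segment: str):
    """Decode an unpadded standard-base64 blob; None if it is not one."""
    if not B64_RE.match(segment):
        return None
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None

def triage_url(url: str) -> dict:
    """Characterise the first path segment and the rest of the path (kept as one
    blob). The 0.95 printable threshold is an assumed heuristic."""
    path = urlsplit(url).path.lstrip("/")
    first, _, rest = path.partition("/")
    report = {}
    for label, seg in (("first_segment", first), ("tail_blob", rest)):
        raw = try_base64(seg)
        if raw is None:
            report[label] = None  # not base64: some other encoding or random text
            continue
        printable = sum(32 <= b < 127 for b in raw) / len(raw)
        report[label] = {
            "decoded_len": len(raw),
            "entropy_bits_per_byte": round(shannon_entropy(raw), 2),
            "printable_ratio": round(printable, 2),
            "looks_like_plain_text": printable > 0.95,
        }
    return report
```

For this URL both parts decode cleanly as base64 but to mostly non-printable bytes, so plain base64 decoding will not recover readable data; that pattern is consistent with an encrypted or compressed payload and is a reason to treat the periodic request as a beacon rather than anything a browser would send on its own.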
  • You would need to have an idea of what that program actually does. The URL might or might not be random, as well as the data. It could be encrypted as well. – Seth Jan 20 '17 at 11:18
  • We are always glad to help, but you have two open questions related to a malware problem. It may be wise to take a few minutes to read through the previous question hyperlink that I posted above. There is a lot of good advice within that discussion. – Run5k Jan 20 '17 at 13:15
  • Googling for 'redsnapper malware' indeed shows suspicious stuff, e.g. [here](https://isc.sans.edu/forums/diary/Malicious+spam+with+Word+document/20225/). Sounds like you need to clean up. – Jan Doggen Jan 20 '17 at 14:10

0 Answers