marbaj1 0 Posted February 21, 2020
Hi, I have some alerts on NOD Eset management console: blocked by PUA blacklist - it seems as if something is opening a website ofhappinyer.com. I have scanned the system of the user, I have checked the Chrome extensions, I have checked the history of visited sites, there is nothing special, also no new programs have been installed since the user is not local admin. Does anyone have similar problems, can you help me remove this from the unit and get rid of these everyday alerts? Thank you
itman 1,801 Posted February 21, 2020 (edited)
Hybrid-Analysis scan of the site, which also includes VirusTotal results, shows the web site is 100% clean: https://www.hybrid-analysis.com/sample/8993479e8b7d46961d12bbacdb6bb58d6cb659b236b08f5cb3fd2f16a21de852 . This means Eset doesn't detect the site on VT. Suspect you are being redirected to somewhere else; i.e. phishing. Post the Eset event log entry details for the PUA detection.
Edited February 21, 2020 by itman
itman 1,801 Posted February 21, 2020
Here is an alienvault analysis for ofhappinyear.com: https://otx.alienvault.com/indicator/domain/ofhappinyer.com . It also doesn't find anything suspect about the domain.
itman 1,801 Posted February 21, 2020
What is occurring is some type of redirect to supposedly ofhappinyer.com. If you try to access it directly via URL: https://ofhappinyear.com/ , you will get a browser connection error. Strongly suspect it is some type of adware site.
marbaj1 0 Posted February 24, 2020 (Author)
Attached is the log export file: NOD-log-export.txt
itman 1,801 Posted February 24, 2020 (edited)
6 hours ago, marbaj1 said: "Attached is the log export file: NOD-log-export.txt"
Only Eset moderators can read forum attachments. I asked you to copy the Eset PUA alert log entry from Eset's Filtered websites log and paste the entry into a forum reply.
Edited February 24, 2020 by itman
itman 1,801 Posted February 24, 2020
There is a detailed analysis of ofhappinyer.com here: https://hybrid-analysis.com/sample/8993479e8b7d46961d12bbacdb6bb58d6cb659b236b08f5cb3fd2f16a21de852?environmentId=100 In this analysis, the URL is being run via rundll32.exe, which is definitely suspect behavior.