app.gomlab.com

Gretech Corp.

Domain Information

The domain app.gomlab.com is registered to Gretech Corp. and was first registered in January 2008 through GABIA, INC. It has been observed hosting and distributing adware and other potentially unwanted software (see the scanner detections and file downloads below). The hosting servers are located in Seattle, Washington, United States, on the Amazon.com, Inc. network (AS16509). The domain is fronted by the Amazon CloudFront CDN and therefore resolves to a large, changing set of shared edge IP addresses (listed below); those addresses are not specific to this domain and are poor blocking indicators on their own.
Remove Malware from app.gomlab.com - Powered by Reason Core Security
Registrar:
GABIA, INC.

Server location:
Washington, United States (US)

Create date:
Tuesday, January 22, 2008

Expires date:
Sunday, January 22, 2017

Updated date:
Monday, December 07, 2015

ASN:
AS16509 AMAZON-02 - Amazon.com, Inc.,US

Root domain:

Google Safe Browsing:
unwanted

Scanner detections (64% detected):

Each entry below gives the scan engine, the detection names it reported for files served from this domain, and that engine's detection percentage.

Reason Heuristics
PUP.Optional.Installer.Q, PUP.Optional.Installer.S, PUP.Optional.Installer.T, Win32.Generic.Installer.Meta, Threat.Installer.GRETECH
80.00%

ESET NOD32
Win32/OpenCandy, Win32/Toolbar.Babylon (variant), Win32/OpenCandy (variant), Win32/OpenCandy.C potentially unsafe (variant)
68.57%

Dr.Web
Adware.OpenCandy.3, Trojan.Click3.8961, Adware.OpenCandy.39, Adware.Babylon.15, Threat.Undefined, Adware.GamePlayLabs.67
62.86%

McAfee
Artemis!E85F6B223817, Artemis!A8AB058941BA, Artemis!972C0D4DB969, Artemis!F3B31EBBBE4C, Artemis!D37762E7B48D, Artemis!DD7E9CF3023C, Artemis!068DA71F8D3D, Artemis!5EE971074504, Artemis!7C89BB33961D, Artemis!26906337AD2B, Artemis!15D25FEB8775
62.86%

Malwarebytes
PUP.Optional.OpenCandy, PUP.Optional.Babylon.A
60.00%

Trend Micro House Call
TROJ_GEN.R0CBH01HE13, Suspicious_GEN.F47V0617, Suspicious_GEN.F47V0625, TROJ_GEN.F47V0331, Suspicious_GEN.F47V0626, Suspicious_GEN.F47V0723
60.00%

McAfee Web Gateway
Artemis!E85F6B223817, Artemis!A8AB058941BA, Artemis!972C0D4DB969, Artemis!DD7E9CF3023C, BehavesLike.Win32.Sytro.tc
60.00%

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5, PE:Trojan.Win32.Generic.1313BCE2!320060642, PE:Malware.Generic(Thunder)!1.A1C4 [F]
51.43%

NANO AntiVirus
Riskware.Win32.OpenCandy.cumlxh, Riskware.Win32.OpenCandy.cyducd, Trojan.Win32.Generic.cqhqzq, Riskware.Win32.OpenCandy.dqmtwd
45.71%

G Data
NSIS.Application.OpenCandy, Win32.Adware.OpenCandy, NSIS.Adware.SoftBundled
45.71%

Bkav FE
W32.Clodacc.Trojan, W32.Clod82e.Trojan, W32.HfsAdware
40.00%

Fortinet FortiGate
Riskware/OpenCandy
37.14%

Agnitum Outpost
Adware.OpenCandy, PUA.Toolbar.Babylon, Riskware.Agent
34.29%

Baidu Antivirus
Adware.Win32.OpenCandy
25.71%

Antiy Labs AVL
Trojan[:HEUR]/Win32.Unknown, GrayWare[AdWare]/Win32.OpenCandy.aa
17.14%

The domain app.gomlab.com has been seen to resolve to the following 111 IP addresses, shown here by their CloudFront reverse-DNS names together with the date of each observation.

server-54-230-103-118.iad2.r.cloudfront.net
February 13, 2016

server-54-230-103-109.iad2.r.cloudfront.net
February 13, 2016

server-54-230-103-76.iad2.r.cloudfront.net
February 13, 2016

server-54-230-103-66.iad2.r.cloudfront.net
February 13, 2016

server-54-230-103-45.iad2.r.cloudfront.net
February 13, 2016

server-54-230-103-19.iad2.r.cloudfront.net
February 13, 2016

server-54-230-103-129.iad2.r.cloudfront.net
February 13, 2016

server-54-230-103-119.iad2.r.cloudfront.net
February 13, 2016

server-54-230-100-222.iad2.r.cloudfront.net
February 9, 2016

server-54-230-100-173.iad2.r.cloudfront.net
February 9, 2016

server-54-230-100-170.iad2.r.cloudfront.net
February 9, 2016

server-54-230-100-112.iad2.r.cloudfront.net
February 9, 2016

server-54-230-193-155.iad53.r.cloudfront.net
February 9, 2016

server-54-230-193-103.iad53.r.cloudfront.net
February 9, 2016

server-54-230-193-87.iad53.r.cloudfront.net
February 9, 2016

server-54-230-193-80.iad53.r.cloudfront.net
February 9, 2016

server-54-230-193-68.iad53.r.cloudfront.net
February 9, 2016

server-54-230-193-117.iad53.r.cloudfront.net
February 6, 2016

server-54-230-193-71.iad53.r.cloudfront.net
February 6, 2016

server-54-230-193-130.iad53.r.cloudfront.net
February 2, 2016

server-54-230-193-102.iad53.r.cloudfront.net
February 2, 2016

server-54-230-193-28.iad53.r.cloudfront.net
February 2, 2016

server-54-230-193-26.iad53.r.cloudfront.net
February 2, 2016

server-54-230-193-246.iad53.r.cloudfront.net
February 2, 2016

server-54-230-193-220.iad53.r.cloudfront.net
February 2, 2016

server-54-230-193-150.iad53.r.cloudfront.net
February 2, 2016

server-54-230-193-139.iad53.r.cloudfront.net
February 2, 2016

server-54-230-100-148.iad2.r.cloudfront.net
January 30, 2016

server-54-230-100-147.iad2.r.cloudfront.net
January 30, 2016

server-54-230-100-54.iad2.r.cloudfront.net
January 30, 2016

Showing 30 of 111 IP Addresses
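The reverse-DNS names above encode the edge IP address and the CloudFront point of presence (server-<a>-<b>-<c>-<d>.<pop>.r.cloudfront.net). The following is an added example, not code from this page or from Gretech: it parses a constructed subset of those names back into IP addresses, groups them by /24 and POP, and checks them against an assumed CDN prefix. The prefix 54.230.0.0/16 is used here only for illustration; a real check must load Amazon's current published ip-ranges.json.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the reverse-DNS names listed on this page.
OBSERVED = """
server-54-230-103-118.iad2.r.cloudfront.net
server-54-230-103-109.iad2.r.cloudfront.net
server-54-230-100-222.iad2.r.cloudfront.net
server-54-230-193-155.iad53.r.cloudfront.net
server-54-230-193-103.iad53.r.cloudfront.net
server-54-230-100-148.iad2.r.cloudfront.net
"""

# CloudFront reverse-DNS convention: the four dotted-quad octets and the POP code
# are embedded in the hostname.
RDNS_RE = re.compile(
    r"^server-(\d+)-(\d+)-(\d+)-(\d+)\.([a-z0-9]+)\.r\.cloudfront\.net$"
)

# Assumed CDN range for illustration only (not loaded from Amazon's ip-ranges.json).
CDN_RANGES = [ipaddress.ip_network("54.230.0.0/16")]


def parse_rdns(name):
    """Return (ip, pop) for a CloudFront reverse-DNS name, or None if it does not match."""
    m = RDNS_RE.match(name.strip())
    if not m:
        return None
    ip = ipaddress.ip_address(".".join(m.group(i) for i in range(1, 5)))
    return ip, m.group(5)


def in_cdn(ip):
    """True if the address falls inside one of the assumed CDN prefixes."""
    return any(ip in net for net in CDN_RANGES)


def summarize(text):
    """Group observed edge IPs by /24 and by POP; flag any outside the CDN ranges.

    IPs inside a shared CDN range belong to many tenants, so a hit here means
    'block by hostname/SNI, not by IP'; an IP outside the range would be worth
    a closer look as possible origin or non-CDN infrastructure.
    """
    by_prefix = defaultdict(list)
    pops = Counter()
    outside = []
    for line in text.strip().splitlines():
        parsed = parse_rdns(line)
        if parsed is None:
            continue
        ip, pop = parsed
        pops[pop] += 1
        prefix = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_prefix[str(prefix)].append(str(ip))
        if not in_cdn(ip):
            outside.append(str(ip))
    return {"prefixes": dict(by_prefix), "pops": dict(pops), "outside_cdn": outside}


if __name__ == "__main__":
    result = summarize(OBSERVED)
    for prefix, ips in sorted(result["prefixes"].items()):
        print(f"{prefix}: {len(ips)} edge IP(s)")
    print("POPs:", result["pops"])
    print("outside assumed CDN range:", result["outside_cdn"] or "none")
```

All six sample names fall inside the assumed CloudFront prefix, spread over three /24s and two POPs, which is the expected shape for a CDN-fronted host: an IP-based block would also affect every other CloudFront customer on those edges, so blocking should key on the hostname (DNS sinkhole, proxy rule or TLS SNI) rather than on these addresses.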

File downloads found at URLs served by app.gomlab.com.

0 / 68
https://app.gomlab.com/site/.../GOMPLAYERENSETUP.EXE  (ccc79c35aa808468d25820f9e57cfad8)

0 / 68
https://app.gomlab.com/tha/.../GOMPLAYERTHSETUP.EXE  (75e75dd137e2e3aa5a0e347518f6623f)

14 / 68    (PUP)
http://app.gomlab.com/eng/.../GOMPLAYERENSETUP.EXE  (5ee9710745049133c56a0f486abfc5a8)

7 / 68      (inconclusive)

3 / 68      (inconclusive)

14 / 68    (PUP)
https://app.gomlab.com/site/.../GOMPLAYERESSETUP.EXE  (dd9ea6297a48c2d76998ee1480d32dbd)

26 / 68    (PUP)
https://app.gomlab.com/cht/.../GOMPLAYERTWSETUP.EXE  (26906337ad2bd3035ee1e72270ad3e79)

0 / 68

1 / 68      (Malware)

26 / 68    (PUP)
http://app.gomlab.com/cht/.../GOMPLAYERTWSETUP.EXE  (26906337ad2bd3035ee1e72270ad3e79)

2 / 68      (PUP)
http://app.gomlab.com/rus/.../GOMPLAYERRUSETUP.EXE  (d78b2c611ca4d53fbf12b1b22b870463)

2 / 68      (PUP)
http://app.gomlab.com/rus/gom/.../GOMPLAYERRUSETUP.EXE  (ea5be730613f3eceac3323e1d053ded5)

14 / 68    (PUP)
https://app.gomlab.com/eng/.../GOMPLAYERENSETUP.EXE  (068da71f8d3d782cd3e8ed7e5952d1b5)

14 / 68    (PUP)
https://app.gomlab.com/esp/.../GOMPLAYERESSETUP.EXE  (003a23ece9dfe04fd8d8db4e7924e8f1)

10 / 68    (PUP)
http://app.gomlab.com/eng/.../GOMAUDIOGLOBALSETUP.EXE  (f3b31ebbbe4cdf0d6a6c76e30c1f54b9)

7 / 68      (PUP)
https://app.gomlab.com/eng/.../GOMPLAYEREN2KSETUP.EXE  (e9594e9c9f71861e2b92c7d8a4f62b99)

0 / 68
http://app.gomlab.com/eng/.../GOMTRAYGLOBALSETUP.EXE  (016b76f586867263094adfc11f55de87)
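Two things in the download list above matter to a responder: the same installer filename (for example GOMPLAYERENSETUP.EXE) has been served under several different hashes with different verdicts, so a URL or filename alone does not identify the sample; and the McAfee Artemis names in the scanner table are the first 12 hex digits of these MD5s in upper case, which lets the two lists be joined. The following is an added example, not code from this page or from Gretech: it embeds the hashes and verdicts exactly as listed on the page (the "..." in each URL is kept as shown, not expanded; the entries without a URL or hash are omitted), matches a file's MD5 against them, and derives the Artemis name. The sample bytes used for the unknown-file case are constructed.

```python
import hashlib
from collections import defaultdict

# Indicators copied from the download list on this page:
# (URL as shown, MD5, detections out of 68 engines, verdict label or None where none is shown).
IOCS = [
    ("https://app.gomlab.com/site/.../GOMPLAYERENSETUP.EXE", "ccc79c35aa808468d25820f9e57cfad8", 0, None),
    ("https://app.gomlab.com/tha/.../GOMPLAYERTHSETUP.EXE", "75e75dd137e2e3aa5a0e347518f6623f", 0, None),
    ("http://app.gomlab.com/eng/.../GOMPLAYERENSETUP.EXE", "5ee9710745049133c56a0f486abfc5a8", 14, "PUP"),
    ("https://app.gomlab.com/site/.../GOMPLAYERESSETUP.EXE", "dd9ea6297a48c2d76998ee1480d32dbd", 14, "PUP"),
    ("https://app.gomlab.com/cht/.../GOMPLAYERTWSETUP.EXE", "26906337ad2bd3035ee1e72270ad3e79", 26, "PUP"),
    ("http://app.gomlab.com/cht/.../GOMPLAYERTWSETUP.EXE", "26906337ad2bd3035ee1e72270ad3e79", 26, "PUP"),
    ("http://app.gomlab.com/rus/.../GOMPLAYERRUSETUP.EXE", "d78b2c611ca4d53fbf12b1b22b870463", 2, "PUP"),
    ("http://app.gomlab.com/rus/gom/.../GOMPLAYERRUSETUP.EXE", "ea5be730613f3eceac3323e1d053ded5", 2, "PUP"),
    ("https://app.gomlab.com/eng/.../GOMPLAYERENSETUP.EXE", "068da71f8d3d782cd3e8ed7e5952d1b5", 14, "PUP"),
    ("https://app.gomlab.com/esp/.../GOMPLAYERESSETUP.EXE", "003a23ece9dfe04fd8d8db4e7924e8f1", 14, "PUP"),
    ("http://app.gomlab.com/eng/.../GOMAUDIOGLOBALSETUP.EXE", "f3b31ebbbe4cdf0d6a6c76e30c1f54b9", 10, "PUP"),
    ("https://app.gomlab.com/eng/.../GOMPLAYEREN2KSETUP.EXE", "e9594e9c9f71861e2b92c7d8a4f62b99", 7, "PUP"),
    ("http://app.gomlab.com/eng/.../GOMTRAYGLOBALSETUP.EXE", "016b76f586867263094adfc11f55de87", 0, None),
]


def lookup(md5):
    """Return the first IOC entry whose MD5 matches (case-insensitive), or None."""
    md5 = md5.lower()
    for url, h, detections, verdict in IOCS:
        if h == md5:
            return {"url": url, "md5": h, "detections": detections, "verdict": verdict}
    return None


def classify_bytes(data):
    """Hash a file's bytes and map it to the page's verdict.

    Returns 'PUP' for a listed sample with detections, 'no-detections' for a
    listed sample with 0/68, and 'unknown' for anything not on the page. MD5 is
    adequate for matching a known sample list; it is not an integrity control.
    """
    entry = lookup(hashlib.md5(data).hexdigest())
    if entry is None:
        return "unknown"
    if entry["detections"] == 0:
        return "no-detections"
    return entry["verdict"]


def variants_by_filename():
    """Map each installer filename to the sorted set of hashes it has been served under."""
    out = defaultdict(set)
    for url, h, _, _ in IOCS:
        out[url.rsplit("/", 1)[-1]].add(h)
    return {name: sorted(hashes) for name, hashes in out.items()}


def artemis_name(md5):
    """McAfee Artemis detection names on this page are the first 12 hex digits of
    the sample's MD5 in upper case, e.g. Artemis!5EE971074504."""
    return "Artemis!" + md5[:12].upper()


if __name__ == "__main__":
    for name, hashes in sorted(variants_by_filename().items()):
        print(f"{name}: {len(hashes)} distinct hash(es)")
    for _, h, _, _ in IOCS:
        if lookup(h)["detections"] > 0:
            print(artemis_name(h), "->", h)
    # Constructed bytes that match nothing on the page.
    print(classify_bytes(b"constructed sample, not a real installer"))
```

Because GOMPLAYERENSETUP.EXE appears under three hashes (one with 0/68 and two flagged as PUP), a detection rule keyed on the filename or URL path would either miss the bundled builds or false-positive on the clean one; pinning on the hash, or on the bundler signatures the scanners report (OpenCandy, Babylon), is the reliable choice.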

The following 4 files have been seen to communicate with app.gomlab.com in live environments.

URL:
http://app.gomlab.com/

Network:
Amazon Cloudfront

SSL certificate subject:
CN=*.gomlab.com, OU=Development Team, O=Gretech Corp., L=Gangnam-gu, S=Seoul, C=KR

SSL certificate issuer:
CN=thawte SSL CA - G2, O="thawte, Inc.", C=US

Web server:
Apache
