direct.downthat.com

Domains By Proxy, LLC  (Proxy Registrant)

Domain Information

The domain direct.downthat.com is registered by proxy through GODADDY.COM, LLC and was originally registered in August 2014. This domain has been known to host and distribute adware as well as other potentially unwanted software. The hosting servers are located in Ashburn, Virginia, United States, on the Amazon Technologies Inc. network; the domain uses the Amazon Web Services (AWS) cloud computing platform.
Registrar:
GODADDY.COM, LLC

Server location:
Virginia, United States (US)

Create date:
Sunday, August 24, 2014

Expires date:
Wednesday, August 24, 2016

Updated date:
Wednesday, April 22, 2015

ASN:
AS14618 AMAZON-AES - Amazon.com, Inc.,US

Root domain:

Scanner detections:
Detections (100% detected)

Scan engine | Details | Detections
ESET NOD32 | MSIL/Adware.Imali (variant), Win32/Adware.Imali (variant) | 100.00%
Avira AntiVirus | TR/Trash.Gen, TR/Dropper.MSIL.Gen, ADWARE/Adware.Gen7 | 100.00%
Baidu Antivirus | Adware.MSIL.Imali | 100.00%
IKARUS anti.virus | AdWare.MSIL.Imali | 100.00%
Kaspersky | not-a-virus:AdWare.MSIL.Agent, Trojan-Downloader.Win32.Genome, HEUR:Trojan-Downloader.Win32.Generic | 100.00%
avast! | MSIL:Downloader-NG [PUP], Win32:GenMaliciousA-FOI [Adw], Win32:Adware-gen [Adw] | 100.00%
G Data | MSIL.Adware.OfferInstaller, Application.Generic.1204413, Gen:Variant.Adware.Graftor.179625, Gen:Variant.Kazy.578645 | 100.00%
Fortinet FortiGate | Adware/Imali, Riskware/Imali, W32/Generic.B!tr.dldr | 100.00%
AVG | Downloader, Generic | 100.00%
Sophos | PUA 'Offer Installer', Generic PUA ML | 85.71%
VIPRE Antivirus | MSIL.Adware.Imali, Trojan.Win32.Generic, Threat.4150696 | 85.71%
Bitdefender | Application.Generic.1204413, Gen:Variant.Adware.Graftor.179625, Gen:Variant.Kazy.578645 | 85.71%
MicroWorld eScan | Application.Generic.1204413, Gen:Variant.Adware.Graftor.179625, Gen:Variant.Kazy.578645 | 71.43%
Malwarebytes | PUP.Optional.OfferInstaller.C | 71.43%
Lavasoft Ad-Aware | Application.Generic.1204413, Gen:Variant.Adware.Graftor.179625, Gen:Variant.Kazy.578645 | 71.43%

The domain direct.downthat.com has been seen to resolve to the following IP address.

ec2-52-1-45-42.compute-1.amazonaws.com
January 3, 2016

File downloads found at URLs served by direct.downthat.com.

6 / 68 (PUP)
24 / 68 (Adware)
http://direct.downthat.com/.../bdl_2015-03-24_1059.exe (79d8bc6e82deb0348d59903627392a7e)
9 / 68 (PUP)
25 / 68 (Adware)

The following 1102 files have been seen to communicate with direct.downthat.com in live environments.


URL:
http://direct.downthat.com/

Network:
Amazon Web Services (AWS), running an EC2 instance

Web server:
nginx