dnld.ironcustapps.com

Privacy Protection Service INC d/b/a PrivacyProtect.org  (Proxy Registrant)

Domain Information

The domain dnld.ironcustapps.com is registered by proxy through PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM and was originally registered in April of 2013. This domain has been known to host and distribute adware as well as other potentially unwanted software. The hosted servers are located in Dublin, Dublin City within Ireland which resides on the RIPE Network Coordination Centre network. The domain uses the Amazon Web Services (AWS) cloud computing platform from the US West (Northern California) region datacenter.
Registrar:
PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM

Server location:
Dublin City, Ireland (IE)

Create date:
Monday, April 22, 2013

Expires date:
Saturday, April 22, 2017

Updated date:
Wednesday, March 30, 2016

ASN:
AS16509 AMAZON-02 - Amazon.com, Inc.

Root domain:

Scanner detections:
Detections  (96% detected)

Scan engine
Details
Detections

Vba32 AntiVirus
Downware.InstallCore
72.73%

Dr.Web
Trojan.Packed.24524, Trojan.Packed.25266, Trojan.MulDrop5.10078, Adware.InstallCore.122, infected with Trojan.Packed.24524
63.64%

Reason Heuristics
PUP.Installer.STMSetup.j, PUP.Installer.WorldSetup.CC, PUP.Installer.IronPremium.e, PUP.Installer.IronPremium.CC, PUP.installCore.Installer, Threat.ironSource.Bundler, Threat.Installer.iSNS, Win32.Generic
59.09%

VIPRE Antivirus
InstallCore.b, Trojan.Win32.Generic, Threat.4150696, Threat.4786018
54.55%

McAfee Web Gateway
Artemis!BC7B2B5A0BA6, Artemis!652FC8EE874A, Artemis!415034D26494, RDN/Generic.dx!czt, Artemis!DF33D9FE4B20, Artemis!479C264F9A1E
54.55%

Avira AntiVirus
ADWARE/InstallCore.Gen7, ADWARE/InstallCore.Gen9, TR/Dropper.Gen, ADWARE/InstallCore.MUP, PUA/InstallCore.Gen, PUA/InstallCore.Gen7
54.55%

ESET NOD32
Win32/InstallCore.IJ (variant), Win32/InstallCore.DN (variant), Win32/InstallCore.OY (variant), Win32/InstallCore.OI (variant)
50.00%

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594, PE:Backdoor.Hupigon!6.1FD, PE:Malware.InstallCore!6.4
50.00%

ESET NOD32
Win32/Injected.F trojan, Win32/InstallCore.BY potentially unwanted application, Win32/InstallCore.CA.gen potentially unwanted application, Win32/InstallCore.VW potentially unwanted application
50.00%

Sophos
Install Core Click run software, Generic PUA HB, PUA 'Install Core Click run software'
45.45%

F-Prot
W32/InstallCore.R3.gen, W32/InstallCore.R.gen, W32/A-2d45491d, W32/A-dbe1ec51, W32/Sality.gen2
45.45%

AVG
MalSign.InstallC, InstallCore, Generic, MalSign.Generic, Win32/Sality
45.45%

McAfee
Artemis!BC7B2B5A0BA6, Artemis!652FC8EE874A, Artemis!415034D26494, Trojan.Artemis!FDD6AEA9E781, Trojan.Artemis!DF33D9FE4B20, Program.Artemis!479C264F9A1E, Artemis!83CEF0112309
40.91%

Comodo Security
ApplicUnwnt, UnclassifiedMalware, Application.Win32.Installcore.BA, Application.Win32.InstallCore.MZIV, Application.Win32.InstallCore.DQ
36.36%

K7 Gateway Antivirus
Unwanted-Program , Trojan
31.82%

The domain dnld.ironcustapps.com has been seen to resolve to the following 13 IP addresses.

s3-us-west-1-w.amazonaws.com
May 23, 2016

s3-us-west-1-w.amazonaws.com
April 21, 2016

s3-us-west-1-w.amazonaws.com
April 20, 2016

s3-us-west-1-w.amazonaws.com
April 13, 2016

s3-us-west-1-w.amazonaws.com
December 18, 2014

s3-us-west-1-w.amazonaws.com
December 2, 2014

s3-us-west-1-w.amazonaws.com
September 18, 2014

s3-us-west-1-w.amazonaws.com
May 28, 2014

s3-us-west-1-w.amazonaws.com
May 1, 2014

s3-us-west-1-w.amazonaws.com
April 25, 2014

s3-us-west-1-w.amazonaws.com
March 15, 2014

s3-us-west-1-w.amazonaws.com
February 6, 2014

s3-us-west-1-w.amazonaws.com
February 3, 2014

File downloads found at URLs served by dnld.ironcustapps.com.

10 / 68    (PUP)

7 / 68      (PUP)

21 / 68    (Adware)
http://dnld.ironcustapps.com/cust/.../Pivot_14042_s.exe  (94a1d12dd1df61cefbdfd8989b85a42d)

7 / 68      (Adware)

13 / 68    (Adware)

19 / 68    (Adware)

5 / 68      (PUP)

5 / 68      (Adware)

23 / 68    (Adware)

7 / 68      (Adware)

10 / 68    (Adware)

9 / 68      (Adware)

7 / 68      (Adware)

14 / 68    (Adware)

17 / 68    (Adware)

10 / 68    (PUP)

9 / 68      (Adware)

17 / 68    (Adware)
http://dnld.ironcustapps.com/cust/.../IP_ScanV2.0.4.14039.exe  (icreinstall_ip_scanv2.0.4.14039.exe)

The following 3 files have been seen to comunicate with dnld.ironcustapps.com in live environments.

URL:
http://dnld.ironcustapps.com/

Network:
Amazon Web Services (AWS)

Web server:
AmazonS3