
Weblogic Service "beasvc.exe" detected as ransomware

Hi

The Weblogic Service executable "beasvc.exe" has been flagged several times as ransomware by Malwarebytes, and the service got blocked. Could you please investigate the attached exe file and let us know whether there is something suspicious with it or not?

Thanks

Peter Hegg

netrics AG

Switzerland

beasvc.zip

What do you mean by "some time"? It was recognized as malware 3 times on 18th/19th June this week.

I am going to have someone pop in to have a look. I'm sure he will be able to figure out what is happening.
He may want other logs but while waiting on him, can you grab a screenshot showing the version information from MBAM?
Settings>> about
Just a screenshot of the Version Information section should be good for now.

What steps would he have to take to reproduce the issue? Actually running the file, or is it being detected by a scan, or...?

Thanks!

You would have to install the Oracle Weblogic software .... beasvc.exe is part of this and is installed as a Windows service .... probably not easy to reproduce.

  • Oracle WebLogic Server 11g Release 1 (10.3.6.0) Upgrade
  • Oracle WebLogic Server Patch Set Update 10.3.6.0.171017
  • Java™ SE Development Kit 6, Update 161 (JDK 6u161)

mab-version.jpg

Thank you.

Can you download & run the support tool as instructed on this page?

Post the resulting zip from your desktop please.

Either myself or Bob will have a look once posted.

Thanks!

Hello,

It looks like MBAM is having trouble reaching our back-end, where it gets the whitelisted info from.

Because the support tool was run as a limited user, it couldn't create certain logs. Let's try & get them with this.

Please download Farbar Recovery Scan Tool from here http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to your desktop.
Note: You need to run the version compatible with your system – for you, this would be the 64-bit version.

After you click the Download Now 64-bit, another page will open — DO NOT CLICK ANY ADDITIONAL 'download now' buttons, just wait and look toward the bottom of your browser for the option to Run or Save. Click Save.

• Double-click to run it. When the tool opens click Yes to the disclaimer.

Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway.

• Click the Scan button.
• When the scan has finished, it will save 2 logs in the same directory the tool was run from. Please either attach or PM me the following logs:

Addition.txt
FRST.txt

Thanks

Hi

The tool gives back "Failet to update (1)", and this is probably because the server is very restricted in its outgoing connections ... we need to open the firewall for that tool. Can you give us the IP addresses we need to open?

It won't run even though it cannot check for updates?
Let me find out what address(es) you will need to temporarily allow.

Hi

Have you changed your IPs for updating/managing whatever Malwarebytes needs to run properly? It looks like we cannot connect to these IPs here.

[two attached screenshots]


This info page might help:

Additional info I received from Ron here:
"best to use a DNS entry if it's for proxy reasons. The update servers are on CDN and those IP change per region."

Thanks - I will check with our networking team to verify on the firewall and to use DNS.

What about the Farbar Recovery tool? Is that included in those DNS entries?

Not entirely sure yet what all the Farbar tool needs. Seems to be a cloudflare address. Not sure if this is even static.
It should still run though even if it cannot check back home for an updated version so I am not sure I would bother with DNS entries for FRST as it would be a one-time connection to check if there is an updated version of the tool then it would not be needed any more.

I am pretty sure though that the issue here is your server is unable to connect to our back-end when checking "goodware" file lists and such. I think once this is resolved, it'll be easier. We update the goodware lists many times/day & these lists are not downloaded to your machine like the definitions are. Instead they're in the cloud.
A good portion of the goodware rules & badware rules are in the definitions downloaded locally to the machine & a good portion of it all is in the cloud because it is faster. Some of this is updated constantly, so being able to connect fairly quickly is important.

OK - then let's wait until we are sure that all outgoing connections from this server to your services are correctly configured on our firewall......

Hi Netrics,

Were you able to get your firewall & such set up so your MBAM can communicate OK? Let me know - if not, I'll have one of our techs pop in to have a look.

Hi - the firewall rules were adapted last Friday to let the mentioned URLs pass. Unfortunately, beasvc.exe got blocked again yesterday afternoon around 4 pm (Swiss time).

Hi @netrics - Have you allowed the following URL?

https://hubble.mb-cosmos.com

This is a more complete set of URLs which should be allowed through a firewall/appliance:

https://data.service.malwarebytes.org Port 443 outbound
https://data-cdn.mbamupdates.com Port 443 outbound
https://hubble.mb-cosmos.com Port 443 outbound
https://keystone.mwbsys.com Port 443 outbound
https://meps.mwbsys.com Port 443 outbound
https://sirius.mwbsys.com Port 443 outbound
https://telemetry.malwarebytes.com Port 443 outbound
