
Weblogic Service "beasvc.exe" detected as ransomware



Hi

The WebLogic Service executable "beasvc.exe" has been flagged several times as ransomware by Malwarebytes and the service got blocked. Could you please investigate the attached exe file and let us know whether there is something suspicious with it or not.

Thanks

Peter Hegg

netrics AG

Switzerland

beasvc.zip


I am going to have someone pop in to have a look. I'm sure he will be able to figure out what is happening.
He may want other logs but while waiting on him, can you grab a screenshot showing the version information from MBAM?
Settings >> About
Just a screenshot of the Version Information section should be good for now.

What steps would he have to take to reproduce the issue? Actually running the file, or is it being detected by a scan, or ...?

Thanks!


You would have to install the Oracle WebLogic software ... beasvc.exe is part of it and is installed as a Windows service ... so it is probably not easy to reproduce.

  • Oracle WebLogic Server 11g Release 1 (10.3.6.0) Upgrade
  • Oracle WebLogic Server Patch Set Update 10.3.6.0.171017
  • Java™ SE Development Kit 6, Update 161 (JDK 6u161)

mab-version.jpg


Hello,

It looks like MBAM is having trouble reaching our back-end, where it gets the whitelisted info from.

Because the support tool was run as a limited user, it couldn't create certain logs. Let's try & get them with this.

Please download Farbar Recovery Scan Tool from here http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to your desktop.
Note: You need to run the version compatible with your system – for you, this would be the 64-bit version.

After you click Download Now 64-bit, another page will open — DO NOT CLICK ANY ADDITIONAL 'download now' buttons, just wait and look toward the bottom of your browser for the option to Run or Save. Click Save.

• Double-click to run it. When the tool opens, click Yes to the disclaimer.

Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway.

• Click the Scan button.
• When the scan has finished, it will save 2 logs in the same directory the tool was run from. Please either attach or PM me the following logs:

Addition.txt
FRST.txt

Thanks


Hi

The tool gives back "Failed to update (1)", and this is probably because the server is very restricted in its outgoing connections ... we need to open the firewall for that tool. Can you give us the IP addresses we need to open?

 


Hi

Have you changed your IPs for updating/managing whatever Malwarebytes needs to run properly? It looks like we cannot connect to these IPs from here.

 


Not entirely sure yet what all the Farbar tool needs. Seems to be a cloudflare address. Not sure if this is even static.
It should still run though even if it cannot check back home for an updated version so I am not sure I would bother with DNS entries for FRST as it would be a one-time connection to check if there is an updated version of the tool then it would not be needed any more.

I am pretty sure though that the issue here is your server is unable to connect to our back-end when checking "goodware" file lists and such. I think once this is resolved, it'll be easier. We update the goodware lists many times a day, and these lists are not downloaded to your machine the way the definitions are. Instead they're in the cloud.
A good portion of the goodware rules and badware rules are in the definitions downloaded locally to the machine, and a good portion of it all is in the cloud because it is faster. Some of this is updated constantly, so being able to connect fairly quickly is important.

 


Hi @netrics - Have you allowed the following URL?

https://hubble.mb-cosmos.com

This is a more complete set of URLs which should be allowed through a firewall/appliance:

https://data.service.malwarebytes.org Port 443 outbound
https://data-cdn.mbamupdates.com Port 443 outbound
https://hubble.mb-cosmos.com Port 443 outbound
https://keystone.mwbsys.com Port 443 outbound
https://meps.mwbsys.com Port 443 outbound
https://sirius.mwbsys.com Port 443 outbound
https://telemetry.malwarebytes.com Port 443 outbound

 

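Added example (not from the thread or from Malwarebytes) to check from the restricted server that each host in the list above resolves and is reachable on TCP 443. It assumes Windows PowerShell 5.1 or later with Test-NetConnection available and no outbound proxy. Since the back-end sits behind a CDN whose addresses are not static, both this check and the firewall rule key on hostnames rather than IPs.

```powershell
# Constructed from the allow-list posted above; not Malwarebytes' own tooling.
$Hosts = @(
    'data.service.malwarebytes.org',
    'data-cdn.mbamupdates.com',
    'hubble.mb-cosmos.com',
    'keystone.mwbsys.com',
    'meps.mwbsys.com',
    'sirius.mwbsys.com',
    'telemetry.malwarebytes.com'
)

# Hypothetical helper name. Resolves the host, then attempts a plain TCP
# handshake on the port; no TLS session or HTTP request is sent.
function Test-MbamEndpoint {
    param([string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ Host = $HostName; Resolves = $false; Addresses = ''; TcpOpen = $false }
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
        $result.Resolves  = $true
        $result.Addresses = ($ips -join ', ')
    } catch {
        # DNS failure: egress DNS is blocked or the name is unknown.
        return [pscustomobject]$result
    }
    $tnc = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    $result.TcpOpen = [bool]$tnc.TcpTestSucceeded
    [pscustomobject]$result
}

$report = $Hosts | ForEach-Object { Test-MbamEndpoint -HostName $_ }
$report | Format-Table -AutoSize

# Anything not reachable is what the firewall rule still has to cover.
$blocked = $report | Where-Object { -not $_.TcpOpen }
if ($blocked) { Write-Warning ('Blocked on TCP 443: ' + ($blocked.Host -join ', ')) }
```

Rows with Resolves = False mean DNS egress itself is blocked, which has to be fixed before the port rule matters; the Addresses column shows why a rule pinned to today's IPs would not last.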
