Over the past few days we've been receiving tons of alerts from Malwarebytes for traffic to h[.]parrable[.]com. After a bit of analysis I found the file dropped from that site is gmpopenh264[.]dll[.]tmp but it is signed by Mozilla and deemed safe by VirusTotal. The file hash is: ced08ce5bc45dbe505fa94b3a4268c0830ccda016a23c0acb16dd7268cfa7a65

So it appears the site itself is just classified as malicious. Does anyone know why or have they experienced this too recently?


35 minutes ago, JPopovic said:

The domain itself is infected.

Also, here are some detected files:

http://parrable.com/wp-includes/js/jquery/jquery.min.js
https://parrable.com/wp-content/themes/oceanwp/assets/js/scroll-effect.min.js 

Thank you.

Do you know where I can find more details on this infection?


6 minutes ago, Porthos said:

It is probably an extension in Chrome calling out to that site for whatever reason.

Any idea how to isolate that extension or troubleshoot otherwise to ensure that? It appears to only happen when I have multiple tabs open in Incognito mode and closing that window stops the error from reappearing. I didn't even think extensions worked in Incognito mode.


12 minutes ago, keep_going said:

Why might an extension call out to it?

Extensions do communicate. That is how they update and other things as well. Some go rogue as well sometimes.

Please follow the instructions in this topic then create a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and cleaning your system of any threats. 


1 minute ago, cyk said:

I get the alert from Malwarebytes every time I visit certain websites. When I disabled all the extensions I had on Chrome, I still get the alert. What does it mean?

Please follow the instructions in this topic then create a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and cleaning your system of any threats. 


On 9/21/2022 at 4:05 AM, AdvancedSetup said:

Since the site parrable.com has been taken down the threat is no longer present. We will remove the block.

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

 

FYI: Site linked (avast.io) gives a certificate warning in Firefox.

Still seeing a few of these h[dot]parrable[dot]com blocks from a range of Nebula clients. Chrome and Edge, no indication of Firefox yet but we have few users on FF.
