
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious


| | IP Address | Port | Hostname |
|---|---|---|---|
| Source | (local) | 62200 | |
| Destination | (United States) | html (80) | |


Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection keep-alive
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept-Encoding gzip, deflate, sdch
Accept-Language en-US,en;q=0.8
req_or_response GET /boost-for-excel/wp-content/release/boost/boost-installer.exe HTTP/1.1
Upgrade-Insecure-Requests 1



  • A request to download a .exe file was made to a WordPress site.
  • WordPress sites are frequently targeted by malware creators for distribution purposes. Why?
    • These websites often have the virtue of being tied to known good (not blacklisted) infrastructure.
    • They are easy to set up insecurely and are often abandoned (the user sets up their server and doesn't patch it).
    • They serve as throwaway, non-attributable infrastructure for hosting malware binaries.


False Positive:

  • YES
  • wspanalytics is a known good WordPress site.
  • They are legitimately distributing cleartext .exe files via their site.
  • finds no security violations.
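
The check this alert describes, combined with the false-positive handling above, as an added example that is not the ET rule itself or code from the original page. The directory pattern, the allowlist and the host names are assumptions; only the first request line is taken from the capture above.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: these directory names mark a WordPress install. The exact
# content the ET rule matches on is not shown on the page.
WP_DIR = re.compile(r"/wp-(?:content|includes|admin)/", re.IGNORECASE)
REQUEST_LINE = re.compile(r"^(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d$")

# Hypothetical allowlist of hosts an analyst has reviewed (placeholder name).
KNOWN_GOOD_HOSTS = {"known-good.example"}


def triage(request_line, host):
    """Classify one HTTP request as 'no_match', 'suppressed' or 'alert'."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return "no_match"
    # Drop the query string and decode %xx, so "setup%2Eexe?x=1" still counts.
    path = unquote(urlsplit(m.group(1)).path)
    if not (WP_DIR.search(path) and path.lower().endswith(".exe")):
        return "no_match"
    # Normalise the Host header: lower-case it and strip any port.
    hostname = urlsplit("//" + host.strip()).hostname or ""
    # Suppressed hits should still be logged: a reviewed site can be
    # compromised later, so the allowlist needs periodic re-checking.
    return "suppressed" if hostname in KNOWN_GOOD_HOSTS else "alert"


# Constructed samples; only the first request line comes from the capture above.
SAMPLES = [
    ("GET /boost-for-excel/wp-content/release/boost/boost-installer.exe HTTP/1.1",
     "Known-Good.example:80"),
    ("GET /boost-for-excel/wp-content/release/boost/boost-installer.exe HTTP/1.1",
     "unreviewed.example"),
    ("GET /wp-content/uploads/setup%2Eexe?x=1 HTTP/1.1", "unreviewed.example"),
    ("GET /wp-content/uploads/2016/08/photo.jpg HTTP/1.1", "unreviewed.example"),
    ("GET /downloads/tool.exe HTTP/1.1", "unreviewed.example"),
]

if __name__ == "__main__":
    for line, host in SAMPLES:
        print(f"{triage(line, host):10} {host:24} {line}")
```
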



  • None


