Keyword: URL
It decompresses the binary code from %User Temp%\tempCFA8.txt and drops and executes the following file: %User Temp%\{random}.exe - Detected as TSPY_DYRE.SNC It connects to the following URL to report
executes the following file: %User Temp%\{5letters}{2digits}.exe It connects to the following URL to report infection of the affected system: http://{BLOCKED}.{BLOCKED}.3.66:{random port}/3003uk12/{Host Name
overwrites with the encrypted binary from URL (Note: %User Temp% is the user's temporary folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server
strings it will monitor usually related to banking URL to send stolen information It gathers the following data: Data on Cookies (URLs) Email-related information such as account names, email addresses,
to the following URL to check the IP of the infected system: http://ipinfo.io/ip Ransom:Win32/Tescrypt.A (Microsoft); W32/Filecoder.EM!tr (Fortinet); Win32/Filecoder.EM (ESET-NOD32);
connects to the following URL to report infection of the affected system: http://{BLOCKED}.{BLOCKED}.228.4:{random port}/0512uk21/{computer name of affected system}/0/{OS version}-{service pack}/0/ http://
remote shell, process termination, etc.) The commands it receives for downloading other files contain the URL where the said files can be downloaded. Backdoor:Win32/Hupigon.EC (Microsoft) Propagates via
This Trojan executes the following commands from a remote malicious user: Download and execute files Perform Slowloris flooding Execute shell commands Open a URL Uninstall Update copy of itself It
opening the given URL in TOR browser: W32/Injector.KZWV!tr (Fortinet), Win32/Filecoder.DA trojan (ESET) Downloaded from the Internet, Dropped by other malware Drops files, Modifies files, Encrypts files
following URL to receive configuration setting for the installed browser extension: http://{BLOCKED}m.net/crx/i.php The sites accessed by this Trojan may vary depending on the received data from the
users agree to buy the software, it connects to the following URL to continue the purchase: http://{BLOCKED}reensboro.org/customers/buy.php
of the configuration file. The configuration file also contains the drop zone where it sends stolen information, the URL where the configuration file can be downloaded, the codes for web injection, and
}.86.129:80 {BLOCKED}.{BLOCKED}.99.221:80 workforce.{BLOCKED}list.com It does the following: Accepts the following parameters: -a, --algo=ALGO specify the algorithm to use cryptonight -o, --url=URL URL of
-a, --algo=ALGO specify the algorithm to use( cryptonight, cryptonight-lite, cryptonight-heavy) -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It downloads a file from a certain URL then renames
http://mail.yahoo.com It does the following: It connects to a specific URL which will display the following: It creates the following service. Service Name: WindowsClientServerRunTimeSubsystem Service Path: %System%
Firefox This malware does any of the following depending on the reply from the C&C: Sleep and wait for next reply Receive download URL to download other possibly malicious files The file names used for its
the following website to send and receive information: http://{BLOCKED}nflatei35.onion.link:80/paid?id={generated 16 hex values} - ransom payment URL http://{BLOCKED}nflatei35.onion.link:80/static/win -
silverlake v48d0250s1 It connects to the following URL to send information: {BLOCKED}tazce-ru.com:443 W32/Shiz.NCP!tr.spy (Fortinet); Win32/Spy.Shiz.NCP (ESET); Dropped by other malware, Downloaded from the
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It downloads a file from a certain URL then renames it