Keyword: URL
file from a certain URL. The URL where this malware downloads the said file depends on the parameter passed on to it by its components.
following URL to monitor the malicious user's generated account's activity: twitter.com. It only runs after April 3, 2015. It does not run on the following days of the week: Saturday, Sunday. It uses
http://{BLOCKED}.{BLOCKED}.15.172 NOTES: It may pass the following URL parameters: /stat?uptime={value}&downlink={value}&uplink={value}&id={id}&statpass={password}&vers
The URL where this malware downloads the said file depends on the parameter passed on to it by its components. Other Details This Trojan requires its main component to successfully perform its intended
\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.) It downloads a possibly malicious file from a certain URL. The URL where this malware
following: Accesses the following URL to get images for its fake web page: http://{BLOCKED}undantgraceogba.org/paged/content/new_bg.jpg http://{BLOCKED}undantgraceogba.org/paged/content/app_switcher.png Upon
its execution: Requests data via HTTP GET from http://{BLOCKED}a.ru/write.php?exten=yes Sends the gathered GUID via HTTP POST to URL http://{BLOCKED}a.ru/write.php: The dropped ransom note
Displays a window when executed: Reads data from config file for the URL and Filename to be used in its download routine Trojan.Win32.Badur.htyo (Baidu-International), Trojan.Badur! (Agnitum),
the malicious link http://yxtz7.{BLOCKED}t.me : Upon clicking the link, it accesses the URL http://yxtz7.{BLOCKED}t.me/{url path} , which displays a fake Microsoft Office Outlook Web Access page. The
Description Name: URL in Deny List (Action is [Monitor and reset]) . This is Trend Micro detection for packets passing through HTTP network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Belo...
Description Name: URL in Deny List (Action is [Monitor only]) . This is Trend Micro detection for packets passing through HTTP network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Below are...
" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sdp (Default) = URL:SDP Protocol HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sdp URL Protocol = HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sdp\shell\open\command (Default) = "{Malware Filename
Description Name: Callback to URL in Suspicious Objects list . This is Trend Micro detection for packets passing through any network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Below are s...
"/bin/httpdns" which is executed to connect to a URL "https://{BLOCKED}in.com/raw/gC0QiNsw" containing the bash script. The bash script contains the scheduled task and the coinminer itself. Downloaded from the
Description Name: Data-stealing malware - URL used for callbacks and downloads - HTTP (Request) . This is Trend Micro detection for packets passing through HTTP network protocols that can be used as Command and Control Communication. This also indica...
Description Name: Malicious URL - HTTP (Request) - Variant 5 . This is Trend Micro detection for packets passing through HTTP network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Below are ...
Description Name: Suspicious URL - IM . This is Trend Micro detection for packets passing through MSN and instant messaging network protocols that can be used as Point of Entry or Lateral Movement. This also indicates a malware infection. Below are s...
Description Name: Suspicious URL - HTTP (Request) - Variant 1 . This is Trend Micro detection for packets passing through any network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Below are ...
capability. Other Details This Backdoor does the following: This backdoor connects to the following URL to get and execute arbitrary code: {BLOCKED}.{BLOCKED}.128.147:443 It does not
capability. Other Details This Backdoor does the following: It connects to the following URL to download backdoor modules: http://{random numbers}.api.{BLOCKED}-internal.com/stats/start-session?s_iv={value}