Keyword: URL
Information Theft This Trojan Spy steals the following information: Internet Credentials: URL Username Password Stolen Information This Trojan Spy saves the stolen information in the following file: %User Temp%
password: Sends the gathered credentials to the following URL via HTTP POST: http://{BLOCKED}ssportcom.com/ostoj1/next.php Connects to the following URL(s) to display the fake document: http://{BLOCKED
/www/vhosts dir.log - contains the first directory found Other System Modifications This Trojan deletes the following files: ck.log dir.log Download Routine This Trojan downloads the file from the following URL
Trojan does not have rootkit capabilities. Other Details This Trojan does the following: It displays the following when opened in a browser. It connects to the following URL to download a JavaScript file.
URL received through the request parameter name "php" Downloaded from the Internet, Dropped by other malware Executes commands
Application does the following: This file is a copy of the xmrig 6.3.3 command-line binary for Mac systems. It accepts the following parameters: -o or --url={URL} -> URL of mining server -a or --algo={ALGO} ->
following URL to download a component which it will load in its memory and perform its malicious routine: http://{BLOCKED}.{BLOCKED}.22.148:443 However, as of this writing, the
connects to the following URL to download the main backdoor module: http://{BLOCKED}.{BLOCKED}.{BLOCKED}.15:62222/1wbS However, as of this writing, the said sites are inaccessible. It does not exploit any
Trojan does not have any backdoor routine. Rogue Antivirus Routine This Trojan displays the following fake alerts: When users agree to buy the software, it connects to the following URL to continue the
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It downloads a file from a certain URL then renames
Miley Cyrus, Lady Gaga, and Rihanna and was compromised through the insertion of an iframe tag that redirects users to a malicious URL where the exploit is hosted. How does this threat affect users?
ex_module_base ext_ip host hostname install_time is_admin lb login nick os pass qbot_version th_args th_flags th_title time url user It steals information by monitoring the following applications: firefox.exe
password used. It then sends the gathered data to a remote IP address. It monitors the HTTP headers being sent by searching for certain strings. It sends the stolen HTTP header to a remote URL as part of the
analysis of the codes, it has the following capabilities: Connects to this URL to get IP addresses that it sets as the new DNS server address: http://www.{BLOCKED}ckin.com/inlogger.php?h={computer name}&u=
affected system. This file contains a URL where it connects to possibly download other files. However, as of this writing, the said sites are inaccessible. Arrival Details This worm arrives via removable
connecting to the following URL: {Proxy server name}:{Port Number} The proxy server name and port number depend on the following file: {malware path}\conf.ini It accesses the following URL to read its
url update - overwrite script execute -execute file cmd - shell command Attack - continuous ping ourl - access a url close - terminate script restart - forced restart of machine command shutdown -
the following URL to read its configuration: http://{BLOCKED}cj.com/blog/wp-includes/pomo/index.php Its configuration contains the C&C domain name information. However, as of this writing, the said URL
URL of mining server -O, --userpass=U:P == username:password pair for mining server -u, --user=USERNAME == username for mining server -p, --pass=PASSWORD == password for mining server --cert=FILE ==
malicious script. NOTES: This malware has other capabilities: Base64 encryption/decryption URL encryption/decryption Full URL encryption Generate md5 hash Generate sha1 hash Generate crypt hash Generate CRC32