Keyword: URL
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It downloads a file from a certain URL then renames
-a, --algo=ALGO specify the algorithm to use( cryptonight, cryptonight-lite, cryptonight-heavy) -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user
}.86.129:80 {BLOCKED}.{BLOCKED}.99.221:80 workforce.{BLOCKED}list.com It does the following: Accepts the following parameters: -a, --algo=ALGO specify the algorithm to use cryptonight -o, --url=URL URL of
Firefox This malware does any of the following depending on the reply from the C&C: Sleep and wait for next reply Receive download URL to download other possibly malicious files The file names used for its
the following website to send and receive information: http://{BLOCKED}nflatei35.onion.link:80/paid?id={generated 16 hex values} - ransom payment URL http://{BLOCKED}nflatei35.onion.link:80/static/win -
silverlake v48d0250s1 It connects to the following URL to send information: {BLOCKED}tazce-ru.com:443 W32/Shiz.NCP!tr.spy (Fortinet); Win32/Spy.Shiz.NCP (ESET); Dropped by other malware, Downloaded from the
to get the affected system's IP address: http://icanhazip.com/ It deletes the initially executed copy of itself NOTES: This Trojan connects to the URL http://{BLOCKED}.{BLOCKED}.90.166:{port number
system's IP address: http://icanhazip.com/ It deletes the initially executed copy of itself NOTES: This Trojan connects to the URL http://{BLOCKED}.{BLOCKED}.90.166:{port number}/09SAL11/{data} to report
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It downloads a file from a certain URL then renames it
{807BF02B-3F5F-4570-970A-8AADBAA55AC1} . "36A900E5-0AE5-4ca6-84B4-45A05B42E705}_262144_124160" is decrypted from code section. It uses "Caguen1aMar" as encryption key for communications with the C&C server. It uses the following URL
remote shell, process termination, etc.) The commands it receives for downloading other files contain the URL where the said files can be downloaded. Backdoor:Win32/Hupigon.EC (Microsoft) Propagates via
NOTES: It connects to the following URL to download files: www.{BLOCKED}o.com/setting.doc However, the said page does not exist. It saves the downloaded file as: %System%\setting.ini Worm:Win32/Nuqel.BD
and port number depends on the following file. If the said file is not present, it uses the default proxy settings: {malware path}\mpc.dat It accesses the following URL to read its configuration:
RECYCLE.BIN Recycler TEMP APPDATA AppData Temp ProgramData Microsoft It connects to the following URL to send the victim ID: http://{BLOCKED}lloworld.com/mars.php?id={victim ID} - RAA NOTES: This ransomware
connects to the URL http://{BLOCKED}.{BLOCKED}.90.166:{port number}/29T11/{data} to report infection of the affected system. The variable {port number} may be any of the following: 12130 12131 12128 It
to access the following URL upon visiting any of the targeted bank-related sites: https://{BLOCKED}ommote.com/gate/script/{BOTID}/JP/{target bank-related URL}/{scriptname}.js PWS:Win32/Zbot!rfn
"Obter Senha" button will open the browser with the URL https://{BLOCKED}y.com/p/F8S3/ and display the following: https://{BLOCKED}y.com is a legitimate site where people can buy and sell digital products
when visiting malicious sites. Other Details This Coinminer does the following: Accepts the following parameters: -a, --algo=ALGO specify the algorithm to use cryptonight -o, --url=URL URL of mining
credentials from the following: Microsoft Outlook Other Details This Backdoor does the following: It connects to the following URL to download updates of itself and inject it into the currently running process of
1009956 - HPE Intelligent Management Center 'PlatNavigationToBean' URL Expression Language Injection Vulnerability (CVE-2019-5387) 1009902 - HPE Intelligent Management Center 'perfSelectTask' Expression