Search

Description Name: Malicious URL - HTTP (Request) - Variant 5 . This is Trend Micro detection for packets passing through HTTP network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Below are ...

Description Name: URL in Deny List (Action is [Monitor and reset]) . This is Trend Micro detection for packets passing through HTTP network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Belo...

" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ sdp (Default) = URL:SDP Protocol HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ sdp URL Protocol = HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ sdp\shell\open\ command (Default) = "{Malware Filename

Description Name: URL in Deny List (Action is [Monitor only]) . This is Trend Micro detection for packets passing through HTTP network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Below are...

Description Name: Callback to URL in Suspicious Objects list . This is Trend Micro detection for packets passing through any network protocols that can be used as Command and Control Communication. This also indicates a malware infection. Below are s...

"/bin/httpdns" which is executed to connect to a URL "https://{BLOCKED}in.com/raw/gC0QiNsw" containing the bash script. The bash script contains the schedule task and the coinminer itself. Downloaded from the

advertisements. The installation package consists of the following files: AllatPayCS.dll gdiplus.dll QBCautorun_new.exe QBreload.exe QuickBae_Call.exe It connects to the URL http://{BLOCKED}3.co.kr/cust to download

file from a certain URL. The URL where this malware downloads the said file depends on the parameter passed on to it by its components.

The URL where this malware downloads the said file depends on the following parameter(s) passed on to it by its components: dest Other Details This Trojan requires its main component to successfully

http://www.porno.org http://www.viagra.com Rogue Antivirus Routine When users agree to buy the software, it connects to the following URL to continue the purchase: http://{BLOCKED}tivir.com/purchase.php Connects to

It attempts to connect to the following: {BLOCKED}.{BLOCKED}.223.37 However, the URL is currently inaccessible.

following URL to monitor the malicious user's generated account's activity: twitter.com It only runs after the date April, 3, 2015. It does not run on the following days of the week: Saturday Sunday It uses

http://{BLOCKED}.{BLOCKED}.15.172 NOTES: It may pass the following URL parameters: /stat?uptime={value}&downlink={value}&uplink={value}&id={id}&statpass={password}&vers

The URL where this malware downloads the said file depends on the parameter passed on to it by its components. Other Details This Trojan requires its main component to successfully perform its intended

certain URL. The URL where this malware downloads the said file depends on the following parameter(s) passed on to it by its components: JbKMXsMps iElhPDl UcPgpbejQ Other Details This Trojan drops the

following: Accesses the following URL to get images for its fake web page: http://{BLOCKED}undantgraceogba.org/paged/content/new_bg.jpg http://{BLOCKED}undantgraceogba.org/paged/content/app_switcher.png Upon

downloaded file using the following file name: /tmp/sh However, the URL is already inaccessible during analysis. It performs self cleanup by deleting the following files: /tmp/.a /tmp/.b.c /tmp/.c /tmp/.d

its execution: Request data via HTTP GET from http://{BLOCKED}a.ru/write.php?exten=yes Sends the gathered GUID via HTTP POST to URL http://{BLOCKED}a.ru/write.php: The dropped ransome note

crash) or possibly execute arbitrary code via unspecified vectors involving URL parsing. adobe air 1.0,adobe air 1.01,adobe air 1.1,adobe air 1.5,adobe air 1.5.1,adobe flash_player 10.0.0.584,adobe

firefox.exe. NOTE: it has been debated as to whether the issue is in Internet Explorer or Firefox. As of 20070711, it is CVE's opinion that IE appears to be failing to properly delimit the URL argument when