Threat Feed
PO AG25-SIRCA0003.vbs
2026-05-27T17:22:32.284
malicious
VBScript
SHA256: 79f7a3f8639c9b7a6e5e9aad3028f4bb7c5ca47407916ad05ff4163863d5ef1f
VMRay Threat Identifiers
Severity  Operation
5/5  Combination of other detections shows multiple input capture behaviors
5/5  XWorm configuration was extracted
5/5  Monitors keyboard input
5/5  Malicious content matched by YARA rules
4/5  Tries to detect the presence of antivirus software
4/5  Process Hollowing
4/5  Reads from memory of another process
4/5  Writes into the memory of another process
4/5  Attempts to connect through HTTP
3/5  Bypasses PowerShell execution policy
2/5  Queries OS info via WMI
2/5  Collects hardware properties
2/5  Performs DNS request
2/5  Tries to detect debugger
2/5  Tries to connect using an uncommon port
2/5  Installs system startup script or application
2/5  Executes PowerShell without default profile
2/5  Executes PowerShell with hidden window
2/5  Enables process privileges
1/5  Query OS Information
1/5  Connects to remote host
1/5  Accesses Microsoft Security Software registry keys
1/5  Content matched by YARA rules
1/5  Creates mutex
1/5  Enumerates running processes
Spyware
Keylogger
Injector
purchase order.vbs
2026-05-27T17:22:12.715
malicious
VBScript
SHA256: 3a8ad866b898b0209ce831eac5236e0f2a79eee19c7b8c55c16712c731b9f5d6
VMRay Threat Identifiers
Severity  Operation
5/5  Agent Tesla configuration was extracted
5/5  Tries to read cached credentials of various applications
5/5  Monitors keyboard input
5/5  Sets up server that accepts incoming connections
5/5  Injected process sets up server that accepts incoming connections
5/5  Combination of other detections shows configuration discovery
5/5  Combination of other detections shows multiple input capture behaviors
5/5  XWorm configuration was extracted
5/5  Malicious content matched by YARA rules
4/5  Tries to detect the presence of antivirus software
4/5  Writes into the memory of another process
4/5  Process Hollowing
4/5  Tries to detect application sandbox
4/5  Reads from memory of another process
4/5  Attempts to connect through HTTP
3/5  Classifies external IP address
3/5  Executes powershell commands from environment variables
3/5  Obfuscates control flow
3/5  Reads sensitive mail data
3/5  Reads sensitive browser data
3/5  Suspicious content matched by YARA rules
3/5  Bypasses PowerShell execution policy
2/5  Performs DNS request
2/5  Writes an unusually large amount of data to the registry
2/5  Searches for sensitive browser data
2/5  Searches for sensitive mail data
2/5  Possibly does reconnaissance
2/5  Tries to detect debugger
2/5  Installs system startup script or application
2/5  Enables process privileges
2/5  Reads network adapter information
2/5  Collects hardware properties
2/5  Queries OS info via WMI
2/5  Tries to connect using an uncommon port
2/5  Suspicious content matched by YARA rules
2/5  Drops PE file
2/5  Executes PowerShell without default profile
2/5  Executes PowerShell with hidden window
2/5  Executes dropped PE file
1/5  Reads system data
1/5  Query OS Information
1/5  Accesses Microsoft Security Software registry keys
1/5  Executes WMI query
1/5  Creates mutex
1/5  Content matched by YARA rules
1/5  Enumerates running processes
1/5  Connects to remote host
Spyware
Backdoor
Keylogger
Downloader
Injector
hV33viiHfrThUiCF.exe
2026-05-27T17:21:19.185
malicious
Windows Exe (x86-32)
SHA256: 45fd70793d0f8523f9aaeae429f7e51d8e7dd00bb05273a12a4c2022c46745d0
VMRay Threat Identifiers
Severity  Operation
5/5  Combination of other detections shows multiple input capture behaviors
5/5  Tries to read cached credentials of various applications
4/5  Malicious content matched by YARA rules
3/5  Captures clipboard data
3/5  Sends data via a Telegram bot
3/5  Takes screenshot
3/5  Clears event logs
2/5  Searches for sensitive browser data
2/5  Suspicious content matched by YARA rules
2/5  Searches for sensitive application data
2/5  Queries OS info via WMI
2/5  Collects hardware properties
2/5  Deletes file after execution
2/5  Searches for sensitive mail data
2/5  Searches for cryptocurrency wallet locations
1/5  Connects to remote host
1/5  Enumerates running processes
1/5  Checks external IP address
1/5  Content matched by YARA rules
1/5  Resolves API functions dynamically
1/5  Query OS Information
1/5  Possibly does reconnaissance
1/5  Creates process with hidden window
1/5  Performs DNS request
1/5  Enables process privileges
Spyware
first_seen.pic.lnk
2026-05-27T17:16:15.474
malicious
PowerShell Script (Shell Link)
SHA256: 8c6189f52f72d6c83e971c8d676a4ce65ff7e7f49dbf3c00bc8b718cad9e0442
VMRay Threat Identifiers
Severity  Operation
5/5  Creates an unusually large number of files
4/5  Attempts to connect through HTTP
3/5  Bypasses PowerShell execution policy
3/5  Suspicious content matched by YARA rules
2/5  Executes dropped PE file
2/5  Tries to connect using an uncommon port
2/5  Performs DNS request
1/5  Creates mutex
1/5  Accesses volumes directly
1/5  Connects to remote host
1/5  Content matched by YARA rules
1/5  Query OS Information
1/5  Accesses Microsoft Security Software registry keys
Setup.exe
2026-05-27T17:05:46.934
malicious
Windows Exe (x86-64)
SHA256: f94f45a24746ee098abdc9b1a9e326c516010576c51a44a29d62c304657f9284
VMRay Threat Identifiers
Severity  Operation
5/5  Combination of other detections shows multiple input capture behaviors
5/5  Vidar configuration was extracted
5/5  Malicious content matched by YARA rules
5/5  Tries to read cached credentials of various applications
3/5  Reads installed applications
3/5  Takes screenshot
3/5  Uses HTTP to upload a large amount of data
3/5  Tries to evade debugger
2/5  Tries to detect application sandbox
2/5  Reads sensitive browser data
2/5  Searches for sensitive browser data
2/5  Searches for sensitive mail data
2/5  Searches for sensitive application data
2/5  Suspicious content matched by YARA rules
1/5  Resolves API functions dynamically
1/5  Overwrites code
1/5  Content matched by YARA rules
1/5  Possibly does reconnaissance
1/5  Reads from memory of another process
1/5  Enumerates running processes
1/5  Tries to detect debugger
1/5  Creates process with hidden window
1/5  Creates mutex
1/5  Query OS Information
1/5  Query CPU Properties
1/5  Unusual large memory allocation
1/5  Enables process privileges
Spyware