Threat Feed
2m03V2RE9KIFJqTX.exe
2026-07-09T16:47:40.215
malicious
Windows Exe (x86-32)
Close
2m03V2RE9KIFJqTX.exe
malicious
SHA256:
30a89a9b7c4fb3ca7ebaff802efedef6050bb95702a86273a68331b5aa25e167
VMRay Threat Identifiers
Close
Severity
Operation
5/5
Combination of other detections shows configuration discovery
5/5
Malicious content matched by YARA rules
5/5
Tries to read cached credentials of various applications
5/5
Known malicious mutex name is created
5/5
SalatStealer configuration was extracted
4/5
Creates a Process with redirected Input
3/5
Takes screenshot
2/5
Reads network adapter information
2/5
Sets up server that accepts incoming connections
2/5
Suspicious content matched by YARA rules
2/5
Queries OS info via WMI
2/5
Searches for sensitive application data
2/5
Collects hardware properties
2/5
Schedules task
2/5
Searches for cryptocurrency wallet locations
2/5
Searches for sensitive browser data
2/5
Reads sensitive browser data
1/5
Enumerates running processes
1/5
Reads system data
1/5
Queries system time
1/5
Creates process with hidden window
1/5
Possibly does reconnaissance
1/5
Accesses Microsoft Security Software registry keys
1/5
Performs DNS request
1/5
Content matched by YARA rules
1/5
Resolves API functions dynamically
1/5
Drops PE file
1/5
Executes dropped PE file
1/5
Timestamp manipulation
1/5
Modifies application directory
1/5
Unusual large memory allocation
Spyware
wealth.exe
2026-07-09T16:45:32.502
malicious
Windows Exe (x86-32)
Close
wealth.exe
malicious
SHA256:
1f31686990b1715d79718451c1865512566cb6a0bcc65f9d421fc1567e5cf6e7
VMRay Threat Identifiers
Close
Severity
Operation
5/5
Malicious content matched by YARA rules
4/5
Writes into the memory of another process
4/5
Process Hollowing
4/5
Modifies Windows Defender configuration
4/5
Modifies control flow of another process
4/5
Makes indirect system call to possibly evade hooking based monitoring
3/5
Bypasses PowerShell execution policy
3/5
Captures clipboard data
2/5
Reads sensitive browser data
2/5
Delays execution
2/5
Tries to detect kernel debugger
2/5
Executes PowerShell without default profile
2/5
Executes PowerShell with hidden window
2/5
Searches for sensitive browser data
1/5
Performs DNS request
1/5
Enumerates running processes
1/5
Creates process with hidden window
1/5
Creates a page with write and execute permissions
1/5
Installs system startup script or application
1/5
Creates mutex
1/5
Accesses Microsoft Security Software registry keys
1/5
Reads from memory of another process
1/5
Query OS Information
1/5
Enables process privileges
1/5
A monitored process crashed
1/5
Possibly does reconnaissance
1/5
Connects to remote host
1/5
Tries to detect debugger
Spyware
Injector
comprobante-swift-897785587645.wsf
2026-07-09T16:28:47.574
malicious
Windows Script File
Close
comprobante-swift-897785587645.wsf
malicious
SHA256:
cd9cd7e99fa61d55eb95b7b9fef01cb2c53404bd76ece24858d5dcbc841fc59a
VMRay Threat Identifiers
Close
Severity
Operation
5/5
Malicious content matched by YARA rules
5/5
Injected process sets up server that accepts incoming connections
5/5
Combination of other detections shows configuration discovery
5/5
Tries to read cached credentials of various applications
5/5
Agent Tesla configuration was extracted
4/5
Tries to detect application sandbox
4/5
Process Hollowing
4/5
Writes into the memory of another process
4/5
Reads from memory of another process
3/5
Bypasses PowerShell execution policy
3/5
Reads sensitive mail data
3/5
Reads sensitive browser data
3/5
Classifies external IP address
2/5
Reads network adapter information
2/5
Executes PowerShell without default profile
2/5
Searches for sensitive browser data
2/5
Performs DNS request
2/5
Tries to connect using an uncommon port
2/5
Suspicious content matched by YARA rules
2/5
Possibly does reconnaissance
2/5
Searches for sensitive mail data
2/5
Enables process privileges
2/5
Queries OS info via WMI
2/5
Collects hardware properties
1/5
Connects to remote host
1/5
Queries system time
1/5
Enumerates running processes
1/5
Accesses Microsoft Security Software registry keys
1/5
Query OS Information
Spyware
Backdoor
Injector
7c6UrcM2Se82y1m0.exe
2026-07-09T16:27:41.697
malicious
Windows Exe (x86-32)
Close
7c6UrcM2Se82y1m0.exe
malicious
SHA256:
197c47c4e7ca4f386b0465f1c1147bf80b67a03b38ca2b42c3cc719baa3ff3da
VMRay Threat Identifiers
Close
Severity
Operation
5/5
Malicious content matched by YARA rules
5/5
AsyncRAT configuration was extracted
2/5
Schedules task
2/5
Enumerates running processes
1/5
Connects to remote host
1/5
Tries to connect using an uncommon port
1/5
Resolves API functions dynamically
1/5
Drops PE file
1/5
Executes dropped PE file
1/5
Timestamp manipulation
1/5
Creates process with hidden window
1/5
Enumerates running processes
1/5
Possibly does reconnaissance
1/5
Creates mutex
1/5
Accesses volumes directly
1/5
Enables process privileges
1/5
Reads from memory of another process
1/5
Performs DNS request
Backdoor
http://49.51.43.12/v3/signin/identifier?amp%3Bfollowup=https%3A%2F%2Faccounts.google.com%2F&%3Bifkv=AQMjQ7QyROPzn0qaqnYvX4_aw7qH8RajahyDV4UI8mo2Mw7SaNi-z6QQG4MH4pDlzJ2gDPTt_nm2&%3Bpassive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=Ac50bxvzQ6Pti-eER3iDi4Ypb7C9Cli2lpxo7t_UfFUP_Z7K655Vs4--uL8np7dthUZ0AtmxPSgVNg&dsh=S-66465587%3A1783603447501368
2026-07-09T16:26:57.331
malicious
URL
Close
http://49.51.43.12/v3/signin/identifier?amp%3Bfollowup=https%3A%2F%2Faccounts.google.com%2F&%3Bifkv=AQMjQ7QyROPzn0qaqnYvX4_aw7qH8RajahyDV4UI8mo2Mw7SaNi-z6QQG4MH4pDlzJ2gDPTt_nm2&%3Bpassive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=Ac50bxvzQ6Pti-eER3iDi4Ypb7C9Cli2lpxo7t_UfFUP_Z7K655Vs4--uL8np7dthUZ0AtmxPSgVNg&dsh=S-66465587%3A1783603447501368
malicious
SHA256:
VMRay Threat Identifiers
Close
Severity
Operation
5/5
Combination of other detections indicates a phishing website
4/5
Phishing page detected via Machine Learning
2/5
Branded Logon form detected via Computer Vision
2/5
Page uses exact same title as that of a popular online service
1/5
HTTPS page insecurely loads resources via HTTP
1/5
Branding image detected via Computer Vision
1/5
Page presents itself as a logon page
1/5
Content matched by YARA rules
Phishing