Threat Feed
Sample: YiQ3uGomLrPNNfGU.html
Timestamp: 2026-04-22T11:19:10.298
Verdict: malicious
Type: HTML Document
SHA256: c7783e23ca3ef2cfca6a09a817ffd6fddf379af1178bba49be33e77be929893a

VMRay Threat Identifiers (Severity / Operation):
  5/5  Combination of other detections indicates a phishing website
  2/5  Page uses exact same title as that of a popular online service
  2/5  The HTML file contains logon form
  2/5  Branded Logon form detected via Computer Vision
  1/5  Page presents itself as a logon page

Classification: Phishing
Sample: XClient...exe
Timestamp: 2026-04-22T10:28:41.162
Verdict: malicious
Type: Windows Exe (x86-32)
SHA256: 2eea097e689004e05f44f04ff22909c96d43d04fa7e5936f3709cf0d3a36c041

VMRay Threat Identifiers (Severity / Operation):
  5/5  Malicious content matched by YARA rules
  5/5  XWorm configuration was extracted
  3/5  Monitors keyboard input
  3/5  All network connection attempts failed
  1/5  Connects to remote host
  1/5  Enables process privileges
  1/5  Tries to connect using an uncommon port
  1/5  Creates mutex
  1/5  Installs system startup script or application
  1/5  Enumerates running processes

Classification: Spyware
Sample: http://49.51.43.12/v3/signin/identifier?amp%3Bfollowup=https%3A%2F%2Faccounts.google.com%2F&%3Bifkv=AQMjQ7QyROPzn0qaqnYvX4_aw7qH8RajahyDV4UI8mo2Mw7SaNi-z6QQG4MH4pDlzJ2gDPTt_nm2&%3Bpassive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=AT1y2_W5NnsWQctEEIOVGkyAvgSHXTW9qGz1ig6j0I4XnQZHm3gh9dvBtuMJMkwRvUkiFQb9pLmZ-w&dsh=S406216958%3A1776845436973049
Timestamp: 2026-04-22T10:23:45.892
Verdict: malicious
Type: URL
SHA256:

VMRay Threat Identifiers (Severity / Operation):
  5/5  Combination of other detections indicates a phishing website
  4/5  Phishing page detected via Machine Learning
  2/5  Page uses exact same title as that of a popular online service
  2/5  Branded Logon form detected via Computer Vision
  1/5  Content matched by YARA rules
  1/5  HTTPS page insecurely loads resources via HTTP
  1/5  Branding image detected via Computer Vision
  1/5  Page presents itself as a logon page

Classification: Phishing
Sample: RE INV # SRWLPP4210.exe
Timestamp: 2026-04-22T10:15:12.448
Verdict: malicious
Type: Windows Exe (x86-32)
SHA256: f915aa460126cd14263bc210f9010843ee11746a20973a23ac5c6fd48c5c86e2

VMRay Threat Identifiers (Severity / Operation):
  5/5  Tries to read cached credentials of various applications
  5/5  Malicious content matched by YARA rules
  5/5  Agent Tesla configuration was extracted
  5/5  Combination of other detections shows configuration discovery
  4/5  Injected process sets up server that accepts incoming connections
  4/5  Process Hollowing
  3/5  Classifies external IP address
  3/5  Suspicious content matched by YARA rules
  2/5  Reads sensitive mail data
  2/5  Reads sensitive browser data
  2/5  Tries to detect application sandbox
  2/5  Searches for sensitive browser data
  2/5  Searches for sensitive mail data
  2/5  Modifies control flow of a process started from a created or modified executable
  2/5  Collects hardware properties
  2/5  Queries OS info via WMI
  1/5  Creates mutex
  1/5  Creates process with hidden window
  1/5  Reads from memory of another process
  1/5  Possibly does reconnaissance
  1/5  Creates a page with write and execute permissions
  1/5  Performs DNS request
  1/5  Connects to remote host
  1/5  Tries to connect using an uncommon port
  1/5  Content matched by YARA rules
  1/5  Resolves API functions dynamically
  1/5  Installs system startup script or application
  1/5  Query OS Information
  1/5  Enables process privileges
  1/5  Enumerates running processes

Classification: Spyware, Backdoor, Injector
Sample: NEW REQUEST FOR NCT Holland 000BV.JS
Timestamp: 2026-04-22T10:12:03.526
Verdict: malicious
Type: JScript
SHA256: 883afe2b37e36732b75454c2d309d45f9a6abbd1755ce70ee657f689b4a2f08b

VMRay Threat Identifiers (Severity / Operation):
  5/5  Tries to read cached credentials of various applications
  5/5  Sets up server that accepts incoming connections
  5/5  Malicious content matched by YARA rules
  5/5  Agent Tesla configuration was extracted
  5/5  Combination of other detections shows configuration discovery
  4/5  Tries to detect application sandbox
  4/5  Executes encoded PowerShell command
  3/5  Classifies external IP address
  3/5  Reads sensitive browser data
  3/5  Reads sensitive mail data
  2/5  Suspicious content matched by YARA rules
  2/5  Collects hardware properties
  2/5  Searches for sensitive browser data
  2/5  Searches for sensitive mail data
  2/5  Possibly does reconnaissance
  2/5  Queries OS info via WMI
  2/5  Performs DNS request
  2/5  Tries to connect using an uncommon port
  2/5  Executes PowerShell without default profile
  2/5  Reads network adapter information
  1/5  Query OS Information
  1/5  Connects to remote host

Classification: Spyware, Backdoor