Threat Feed
Proto.js
2026-06-17T16:45:39.836
malicious
JScript
SHA256: 64a2af19e27a0f87e12e1d81c96c3160e38790850b108ebfbddb9639f58135c9
VMRay Threat Identifiers
Severity  Operation
5/5       GuLoader configuration was extracted
5/5       Sets up server that accepts incoming connections
5/5       Combination of other detections shows configuration discovery
5/5       Malicious content matched by YARA rules
5/5       Tries to read cached credentials of various applications
4/5       Reads from memory of another process
4/5       Malicious content matched by YARA rules
4/5       Makes unaligned API calls to possibly evade hooking based sandboxes
4/5       Tries to detect the presence of antivirus software
4/5       Connects to SMTP server
4/5       Creates a new process from a system binary
3/5       Suspicious content matched by YARA rules
3/5       Reads sensitive mail data
3/5       Deletes file after execution
3/5       Modifies native system functions
2/5       Searches for sensitive FTP data
2/5       Possibly does reconnaissance
2/5       Searches for sensitive mail data
2/5       Queries OS info via WMI
2/5       Reads network adapter information
2/5       Performs DNS request
2/5       Downloads file
2/5       Checks external IP address
2/5       Suspicious content matched by YARA rules
2/5       Drops PE file
2/5       Executes dropped PE file
2/5       Enumerates running processes
2/5       Enables process privileges
2/5       Collects hardware properties
2/5       Searches for sensitive browser data
1/5       Creates mutex
1/5       Query OS Information
1/5       Accesses Microsoft Security Software registry keys
1/5       Unusual large memory allocation
1/5       Connects to remote host
Spyware
Backdoor
Downloader
Filigran197.js
2026-06-17T16:45:31.687
malicious
JScript
SHA256: 0fa1dc1bdf2d7ad71a1d2ba696f6906186f3a3d7e808db6565354be50c22f004
VMRay Threat Identifiers
Severity  Operation
5/5       Malicious content matched by YARA rules
5/5       Sets up server that accepts incoming connections
5/5       PhantomStealer configuration was extracted
5/5       GuLoader configuration was extracted
5/5       Tries to read cached credentials of various applications
5/5       Combination of other detections shows configuration discovery
5/5       Monitors keyboard input
4/5       Creates a new process from a system binary
4/5       Makes unaligned API calls to possibly evade hooking based sandboxes
4/5       Reads from memory of another process
4/5       Malicious content matched by YARA rules
4/5       Tries to evade debugger
4/5       Makes indirect system call to possibly evade hooking based monitoring
4/5       Tries to detect the presence of antivirus software
3/5       Modifies native system functions
3/5       Suspicious content matched by YARA rules
3/5       Reads sensitive mail data
2/5       Enumerates running processes
2/5       Installs system startup script or application
2/5       Enables process privileges
2/5       Collects hardware properties
2/5       Searches for sensitive browser data
2/5       Searches for sensitive mail data
2/5       Reads network adapter information
2/5       Queries OS info via WMI
2/5       Performs DNS request
2/5       Downloads file
2/5       Checks external IP address
2/5       Suspicious content matched by YARA rules
1/5       Connects to remote host
1/5       Creates mutex
1/5       Query OS Information
1/5       Unusual large memory allocation
1/5       Accesses Microsoft Security Software registry keys
Spyware
Backdoor
Keylogger
Downloader
Purchasing Order required Specification.exe
2026-06-17T16:40:08.121
malicious
Windows Exe (x86-32)
SHA256: 7793fb7a4046393296ead32e7f2861338a59d3350019ba8c17591236574423c0
VMRay Threat Identifiers
Severity  Operation
5/5       FormBook configuration was extracted
5/5       Malicious content matched by YARA rules
4/5       Modifies control flow of another process
4/5       Writes into the memory of another process
4/5       Makes indirect system call to possibly evade hooking based monitoring
4/5       Process Hollowing
3/5       Captures clipboard data
2/5       Delays execution
2/5       Modifies control flow of a process started from a created or modified executable
2/5       Searches for sensitive browser data
2/5       Reads sensitive browser data
2/5       Tries to detect kernel debugger
1/5       Creates a page with write and execute permissions
1/5       Tries to detect debugger
1/5       Creates process with hidden window
1/5       Reads from memory of another process
1/5       Query OS Information
1/5       Connects to remote host
1/5       Performs DNS request
1/5       Possibly does reconnaissance
1/5       Creates mutex
1/5       URL contains a TLD highly associated with phishing
1/5       Downloads file
1/5       Enumerates running processes
Spyware
Injector
SOA_MAY_2026pdf.js
2026-06-17T16:31:41.415
malicious
JScript
SHA256: cc9bfcef740681572542702ea0201d44d148703b0d43954b03de7b72c2117704
VMRay Threat Identifiers
Severity  Operation
5/5       Malicious content matched by YARA rules
4/5       Modifies control flow of another process
4/5       Makes indirect system call to possibly evade hooking based monitoring
4/5       Writes into the memory of another process
4/5       Process Hollowing
4/5       Reads from memory of another process
4/5       Tries to detect kernel debugger
3/5       Delays execution
3/5       Bypasses PowerShell execution policy
3/5       Captures clipboard data
3/5       Reads sensitive browser data
2/5       Downloads file
2/5       Searches for sensitive browser data
2/5       Suspicious content matched by YARA rules
2/5       Loads a dropped DLL
2/5       Executes PowerShell without default profile
2/5       Executes PowerShell with hidden window
2/5       Enumerates running processes
2/5       Possibly does reconnaissance
2/5       Performs DNS request
1/5       Content matched by YARA rules
1/5       Connects to remote host
1/5       URL contains a TLD highly associated with phishing
1/5       Enumerates running processes
1/5       Creates mutex
1/5       Accesses Microsoft Security Software registry keys
1/5       Query OS Information
Spyware
Injector
http://49.51.43.12/v3/signin/identifier?amp%3Bfollowup=https%3A%2F%2Faccounts.google.com&%3Bifkv=AWnogHe_pDujLaO-hl3d_3DQFjS6PW6JGM3LRrD13mxmiaQWTJuHz9b6nwmaSIh76M5SMOelnJex7g&%3Bpassive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=AcDsRvz37-buGZ4Er3KX7mAMMW1lH9UAlo-zeVVgB0Eh-_ilyrtr3Gj_ujSIWNn_yyKaEPEYEyY7sQ&dsh=S-770706593%3A1781706163413898
2026-06-17T16:26:43.585
malicious
URL
SHA256:
VMRay Threat Identifiers
Severity  Operation
5/5       Combination of other detections indicates a phishing website
4/5       Phishing page detected via Machine Learning
2/5       Branded Logon form detected via Computer Vision
2/5       Page uses exact same title as that of a popular online service
1/5       HTTPS page insecurely loads resources via HTTP
1/5       Branding image detected via Computer Vision
1/5       Page presents itself as a logon page
1/5       Content matched by YARA rules
Phishing