Threat Feed
26KTGJ208 ORDER SHEET.JS
2026-06-15T16:39:07.479
malicious
JScript
SHA256:
614bb0a32abf7ae93d76a6ac4434ec9c9d06be4dda3be519f308fe00a884e0bb
VMRay Threat Identifiers
Severity  Operation
5/5       Malicious content matched by YARA rules
5/5       Sets up server that accepts incoming connections
5/5       Monitors keyboard input
5/5       Combination of other detections shows multiple input capture behaviors
5/5       PhantomStealer configuration was extracted
5/5       Tries to read cached credentials of various applications
4/5       Tries to detect the presence of antivirus software
4/5       Injects a file into another process
4/5       Connects to SMTP server
4/5       Malicious content matched by YARA rules
3/5       Takes screenshot
3/5       Reads sensitive mail data
3/5       Suspicious content matched by YARA rules
3/5       Captures clipboard data
2/5       Possibly does reconnaissance
2/5       Installs system startup script or application
2/5       Searches for sensitive browser data
2/5       Enables process privileges
2/5       Searches for sensitive FTP data
2/5       Queries OS info via WMI
2/5       Reads network adapter information
2/5       Performs DNS request
2/5       Checks external IP address
2/5       Suspicious content matched by YARA rules
2/5       Drops PE file
2/5       Executes dropped PE file
2/5       Collects hardware properties
2/5       Searches for sensitive mail data
1/5       Creates mutex
1/5       Timestamp manipulation
1/5       Connects to remote host
1/5       Executes WMI query
1/5       Query OS Information
1/5       Unusual large memory allocation
Spyware
Backdoor
Keylogger
Downloader
archivos-20260606-256639.hta
2026-06-15T16:38:34.352
malicious
HTML Application
SHA256:
6e11187808616f2ca687d468d5e3a089c9220b2cd97d2b0a8db9f6f3428e2f2a
VMRay Threat Identifiers
Severity  Operation
5/5       Injected process sets up server that accepts incoming connections
5/5       Malicious content matched by YARA rules
4/5       Process Hollowing
4/5       Reads from memory of another process
4/5       Writes into the memory of another process
4/5       Modifies control flow of another process
4/5       Attempts to connect through HTTP
4/5       Tries to detect the presence of antivirus software
4/5       Tries to detect the presence of anti-spyware software
3/5       Performs DNS request for known DDNS domain
3/5       Delays execution
3/5       Captures clipboard data
3/5       Bypasses PowerShell execution policy
2/5       Downloads file
2/5       Checks external IP address
2/5       Executes PowerShell with hidden window
2/5       Collects hardware properties
2/5       Performs DNS request
2/5       Executes PowerShell without default profile
1/5       Reads mouse position
1/5       Accesses Microsoft Security Software registry keys
1/5       Overwrites code
1/5       Collects BIOS properties
1/5       Unusual large memory allocation
1/5       Content matched by YARA rules
1/5       Query OS Information
1/5       Connects to remote host
Spyware
Backdoor
Injector
SPECIFICATIONS.js
2026-06-15T16:38:00.720
malicious
JScript
SHA256:
c48b4f43a3e30194eaa5c877fa8db49be22fe74a1777e267e68de3e9bc8577fd
VMRay Threat Identifiers
Severity  Operation
5/5       Malicious content matched by YARA rules
4/5       Writes into the memory of another process
4/5       Modifies control flow of another process
4/5       Process Hollowing
4/5       Reads from memory of another process
4/5       Makes indirect system call to possibly evade hooking based monitoring
4/5       Tries to detect kernel debugger
3/5       Bypasses PowerShell execution policy
3/5       Reads sensitive browser data
3/5       Captures clipboard data
3/5       Delays execution
2/5       Performs DNS request
2/5       Searches for sensitive browser data
2/5       Possibly does reconnaissance
2/5       Downloads file
2/5       Executes PowerShell without default profile
1/5       Connects to remote host
1/5       Accesses Microsoft Security Software registry keys
1/5       Query OS Information
1/5       Creates mutex
1/5       Enumerates running processes
1/5       URL contains a TLD highly associated with phishing
Spyware
Injector
PO#LHPE00044.JS
2026-06-15T16:32:45.698
malicious
JScript
SHA256:
8996cbc60a9dc1b0bd726fe90daaeb6f26311faf9e845e7d439676d46af2909a
VMRay Threat Identifiers
Severity  Operation
5/5       Combination of other detections shows configuration discovery
5/5       Sets up server that accepts incoming connections
5/5       Malicious content matched by YARA rules
5/5       Agent Tesla configuration was extracted
5/5       Tries to read cached credentials of various applications
4/5       Tries to detect application sandbox
3/5       Reads sensitive browser data
3/5       Reads sensitive mail data
3/5       Classifies external IP address
2/5       Suspicious content matched by YARA rules
2/5       Reads network adapter information
2/5       Searches for sensitive mail data
2/5       Possibly does reconnaissance
2/5       Queries OS info via WMI
2/5       Collects hardware properties
2/5       Performs DNS request
2/5       Tries to connect using an uncommon port
2/5       Executes dropped PE file
2/5       Searches for sensitive browser data
2/5       Enables process privileges
1/5       Query OS Information
1/5       Connects to remote host
1/5       Unusual large memory allocation
1/5       Enumerates running processes
Spyware
Backdoor
Downloader
http://49.51.43.12/v3/signin/identifier?amp%3Bfollowup=https%3A%2F%2Faccounts.google.com&%3Bifkv=AWnogHe_pDujLaO-hl3d_3DQFjS6PW6JGM3LRrD13mxmiaQWTJuHz9b6nwmaSIh76M5SMOelnJex7g&%3Bpassive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=AcDsRvzMM8f73WX6SyMSge-Mv4szfmOSlOOTbn1zvxolbxcocc4lOw806y9nM-vwC7KP5sOJOTmLdw&dsh=S-585488589%3A1781532804505650
2026-06-15T16:32:18.145
malicious
URL
SHA256:
VMRay Threat Identifiers
Severity  Operation
5/5       Combination of other detections indicates a phishing website
4/5       Phishing page detected via Machine Learning
2/5       Branded Logon form detected via Computer Vision
2/5       Page uses exact same title as that of a popular online service
1/5       Content matched by YARA rules
1/5       Page presents itself as a logon page
1/5       HTTPS page insecurely loads resources via HTTP
1/5       Branding image detected via Computer Vision
Phishing