6.0.FacebookSecurityUpdate.exe.180000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x3697a:$x3: GetKeyloggerLogsResponse
- 0x35c51:$x4: GetKeyloggerLogs
- 0x35eea:$s1: <RunHidden>k__BackingField
- 0x36b42:$s2: set_SystemInfos
- 0x35f13:$s3: set_RunHidden
- 0x35aa6:$s4: set_RemotePath
- 0x30971:$s7: xClient.Core.ReverseProxy.Packets
|
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2f783:$x4: xClient.Properties.Resources.resources
- 0x2f621:$s4: Client.exe
- 0x35f13:$s7: set_RunHidden
|
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x35ed7:$s1: DoUploadAndExecute
- 0x360e5:$s2: DoDownloadAndExecute
- 0x35cdb:$s3: DoShellExecute
- 0x360aa:$s4: set_Processname
- 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x7552:$op3: 00 04 03 69 91 1B 40
- 0x7da2:$op3: 00 04 03 69 91 1B 40
|
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3697a:$x1: GetKeyloggerLogsResponse
- 0x36bba:$s1: DoShellExecuteResponse
- 0x36533:$s2: GetPasswordsResponse
- 0x36a8d:$s3: GetStartupItemsResponse
- 0x35eeb:$s5: RunHidden
- 0x35f09:$s5: RunHidden
- 0x35f17:$s5: RunHidden
- 0x35f2b:$s5: RunHidden
|
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x425e5:$x2: Process already elevated.
- 0x342a0:$x4: get_encryptedPassword
- 0x360e5:$x5: DoDownloadAndExecute
|
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x34b7a:$x3: GetKeyloggerLogsResponse
- 0x33e51:$x4: GetKeyloggerLogs
- 0x340ea:$s1: <RunHidden>k__BackingField
- 0x34d42:$s2: set_SystemInfos
- 0x34113:$s3: set_RunHidden
- 0x33ca6:$s4: set_RemotePath
- 0x2eb71:$s7: xClient.Core.ReverseProxy.Packets
|
0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2d983:$x4: xClient.Properties.Resources.resources
- 0x2d821:$s4: Client.exe
- 0x34113:$s7: set_RunHidden
|
0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x340d7:$s1: DoUploadAndExecute
- 0x342e5:$s2: DoDownloadAndExecute
- 0x33edb:$s3: DoShellExecute
- 0x342aa:$s4: set_Processname
- 0x4dc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x4cec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x5752:$op3: 00 04 03 69 91 1B 40
- 0x5fa2:$op3: 00 04 03 69 91 1B 40
|
0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x34b7a:$x1: GetKeyloggerLogsResponse
- 0x34dba:$s1: DoShellExecuteResponse
- 0x34733:$s2: GetPasswordsResponse
- 0x34c8d:$s3: GetStartupItemsResponse
- 0x340eb:$s5: RunHidden
- 0x34109:$s5: RunHidden
- 0x34117:$s5: RunHidden
- 0x3412b:$s5: RunHidden
|
0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x3e31d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x3e4ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x407e5:$x2: Process already elevated.
- 0x324a0:$x4: get_encryptedPassword
- 0x342e5:$x5: DoDownloadAndExecute
|
0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x34b7a:$x3: GetKeyloggerLogsResponse
- 0x33e51:$x4: GetKeyloggerLogs
- 0x340ea:$s1: <RunHidden>k__BackingField
- 0x34d42:$s2: set_SystemInfos
- 0x34113:$s3: set_RunHidden
- 0x33ca6:$s4: set_RemotePath
- 0x2eb71:$s7: xClient.Core.ReverseProxy.Packets
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2d983:$x4: xClient.Properties.Resources.resources
- 0x2d821:$s4: Client.exe
- 0x34113:$s7: set_RunHidden
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x340d7:$s1: DoUploadAndExecute
- 0x342e5:$s2: DoDownloadAndExecute
- 0x33edb:$s3: DoShellExecute
- 0x342aa:$s4: set_Processname
- 0x4dc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x4cec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x5752:$op3: 00 04 03 69 91 1B 40
- 0x5fa2:$op3: 00 04 03 69 91 1B 40
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x34b7a:$x1: GetKeyloggerLogsResponse
- 0x34dba:$s1: DoShellExecuteResponse
- 0x34733:$s2: GetPasswordsResponse
- 0x34c8d:$s3: GetStartupItemsResponse
- 0x340eb:$s5: RunHidden
- 0x34109:$s5: RunHidden
- 0x34117:$s5: RunHidden
- 0x3412b:$s5: RunHidden
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x3e31d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x3e4ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x407e5:$x2: Process already elevated.
- 0x324a0:$x4: get_encryptedPassword
- 0x342e5:$x5: DoDownloadAndExecute
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
6.2.FacebookSecurityUpdate.exe.180000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x3697a:$x3: GetKeyloggerLogsResponse
- 0x35c51:$x4: GetKeyloggerLogs
- 0x35eea:$s1: <RunHidden>k__BackingField
- 0x36b42:$s2: set_SystemInfos
- 0x35f13:$s3: set_RunHidden
- 0x35aa6:$s4: set_RemotePath
- 0x30971:$s7: xClient.Core.ReverseProxy.Packets
|
6.2.FacebookSecurityUpdate.exe.180000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2f783:$x4: xClient.Properties.Resources.resources
- 0x2f621:$s4: Client.exe
- 0x35f13:$s7: set_RunHidden
|
6.2.FacebookSecurityUpdate.exe.180000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x35ed7:$s1: DoUploadAndExecute
- 0x360e5:$s2: DoDownloadAndExecute
- 0x35cdb:$s3: DoShellExecute
- 0x360aa:$s4: set_Processname
- 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x7552:$op3: 00 04 03 69 91 1B 40
- 0x7da2:$op3: 00 04 03 69 91 1B 40
|
6.2.FacebookSecurityUpdate.exe.180000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3697a:$x1: GetKeyloggerLogsResponse
- 0x36bba:$s1: DoShellExecuteResponse
- 0x36533:$s2: GetPasswordsResponse
- 0x36a8d:$s3: GetStartupItemsResponse
- 0x35eeb:$s5: RunHidden
- 0x35f09:$s5: RunHidden
- 0x35f17:$s5: RunHidden
- 0x35f2b:$s5: RunHidden
|
6.2.FacebookSecurityUpdate.exe.180000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
6.2.FacebookSecurityUpdate.exe.180000.0.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x425e5:$x2: Process already elevated.
- 0x342a0:$x4: get_encryptedPassword
- 0x360e5:$x5: DoDownloadAndExecute
|
6.2.FacebookSecurityUpdate.exe.180000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
5.0.FacebookSecurityUpdate.exe.600000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x3697a:$x3: GetKeyloggerLogsResponse
- 0x35c51:$x4: GetKeyloggerLogs
- 0x35eea:$s1: <RunHidden>k__BackingField
- 0x36b42:$s2: set_SystemInfos
- 0x35f13:$s3: set_RunHidden
- 0x35aa6:$s4: set_RemotePath
- 0x30971:$s7: xClient.Core.ReverseProxy.Packets
|
2.0.FacebookSecurityUpdate.exe.d90000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x3697a:$x3: GetKeyloggerLogsResponse
- 0x35c51:$x4: GetKeyloggerLogs
- 0x35eea:$s1: <RunHidden>k__BackingField
- 0x36b42:$s2: set_SystemInfos
- 0x35f13:$s3: set_RunHidden
- 0x35aa6:$s4: set_RemotePath
- 0x30971:$s7: xClient.Core.ReverseProxy.Packets
|
5.0.FacebookSecurityUpdate.exe.600000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2f783:$x4: xClient.Properties.Resources.resources
- 0x2f621:$s4: Client.exe
- 0x35f13:$s7: set_RunHidden
|
5.0.FacebookSecurityUpdate.exe.600000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x35ed7:$s1: DoUploadAndExecute
- 0x360e5:$s2: DoDownloadAndExecute
- 0x35cdb:$s3: DoShellExecute
- 0x360aa:$s4: set_Processname
- 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x7552:$op3: 00 04 03 69 91 1B 40
- 0x7da2:$op3: 00 04 03 69 91 1B 40
|
5.0.FacebookSecurityUpdate.exe.600000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3697a:$x1: GetKeyloggerLogsResponse
- 0x36bba:$s1: DoShellExecuteResponse
- 0x36533:$s2: GetPasswordsResponse
- 0x36a8d:$s3: GetStartupItemsResponse
- 0x35eeb:$s5: RunHidden
- 0x35f09:$s5: RunHidden
- 0x35f17:$s5: RunHidden
- 0x35f2b:$s5: RunHidden
|
5.0.FacebookSecurityUpdate.exe.600000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
5.0.FacebookSecurityUpdate.exe.600000.0.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x425e5:$x2: Process already elevated.
- 0x342a0:$x4: get_encryptedPassword
- 0x360e5:$x5: DoDownloadAndExecute
|
2.0.FacebookSecurityUpdate.exe.d90000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2f783:$x4: xClient.Properties.Resources.resources
- 0x2f621:$s4: Client.exe
- 0x35f13:$s7: set_RunHidden
|
5.0.FacebookSecurityUpdate.exe.600000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
2.0.FacebookSecurityUpdate.exe.d90000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x35ed7:$s1: DoUploadAndExecute
- 0x360e5:$s2: DoDownloadAndExecute
- 0x35cdb:$s3: DoShellExecute
- 0x360aa:$s4: set_Processname
- 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x7552:$op3: 00 04 03 69 91 1B 40
- 0x7da2:$op3: 00 04 03 69 91 1B 40
|
2.0.FacebookSecurityUpdate.exe.d90000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3697a:$x1: GetKeyloggerLogsResponse
- 0x36bba:$s1: DoShellExecuteResponse
- 0x36533:$s2: GetPasswordsResponse
- 0x36a8d:$s3: GetStartupItemsResponse
- 0x35eeb:$s5: RunHidden
- 0x35f09:$s5: RunHidden
- 0x35f17:$s5: RunHidden
- 0x35f2b:$s5: RunHidden
|
2.0.FacebookSecurityUpdate.exe.d90000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
2.0.FacebookSecurityUpdate.exe.d90000.0.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x425e5:$x2: Process already elevated.
- 0x342a0:$x4: get_encryptedPassword
- 0x360e5:$x5: DoDownloadAndExecute
|
2.0.FacebookSecurityUpdate.exe.d90000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x34b7a:$x3: GetKeyloggerLogsResponse
- 0x33e51:$x4: GetKeyloggerLogs
- 0x340ea:$s1: <RunHidden>k__BackingField
- 0x34d42:$s2: set_SystemInfos
- 0x34113:$s3: set_RunHidden
- 0x33ca6:$s4: set_RemotePath
- 0x2eb71:$s7: xClient.Core.ReverseProxy.Packets
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2d983:$x4: xClient.Properties.Resources.resources
- 0x2d821:$s4: Client.exe
- 0x34113:$s7: set_RunHidden
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x340d7:$s1: DoUploadAndExecute
- 0x342e5:$s2: DoDownloadAndExecute
- 0x33edb:$s3: DoShellExecute
- 0x342aa:$s4: set_Processname
- 0x4dc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x4cec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x5752:$op3: 00 04 03 69 91 1B 40
- 0x5fa2:$op3: 00 04 03 69 91 1B 40
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x34b7a:$x1: GetKeyloggerLogsResponse
- 0x34dba:$s1: DoShellExecuteResponse
- 0x34733:$s2: GetPasswordsResponse
- 0x34c8d:$s3: GetStartupItemsResponse
- 0x340eb:$s5: RunHidden
- 0x34109:$s5: RunHidden
- 0x34117:$s5: RunHidden
- 0x3412b:$s5: RunHidden
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x3e31d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x3e4ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x407e5:$x2: Process already elevated.
- 0x324a0:$x4: get_encryptedPassword
- 0x342e5:$x5: DoDownloadAndExecute
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x3697a:$x3: GetKeyloggerLogsResponse
- 0x35c51:$x4: GetKeyloggerLogs
- 0x35eea:$s1: <RunHidden>k__BackingField
- 0x36b42:$s2: set_SystemInfos
- 0x35f13:$s3: set_RunHidden
- 0x35aa6:$s4: set_RemotePath
- 0x30971:$s7: xClient.Core.ReverseProxy.Packets
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2f783:$x4: xClient.Properties.Resources.resources
- 0x2f621:$s4: Client.exe
- 0x35f13:$s7: set_RunHidden
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x35ed7:$s1: DoUploadAndExecute
- 0x360e5:$s2: DoDownloadAndExecute
- 0x35cdb:$s3: DoShellExecute
- 0x360aa:$s4: set_Processname
- 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x7552:$op3: 00 04 03 69 91 1B 40
- 0x7da2:$op3: 00 04 03 69 91 1B 40
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3697a:$x1: GetKeyloggerLogsResponse
- 0x36bba:$s1: DoShellExecuteResponse
- 0x36533:$s2: GetPasswordsResponse
- 0x36a8d:$s3: GetStartupItemsResponse
- 0x35eeb:$s5: RunHidden
- 0x35f09:$s5: RunHidden
- 0x35f17:$s5: RunHidden
- 0x35f2b:$s5: RunHidden
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x425e5:$x2: Process already elevated.
- 0x342a0:$x4: get_encryptedPassword
- 0x360e5:$x5: DoDownloadAndExecute
|
0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
5.2.FacebookSecurityUpdate.exe.600000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x3697a:$x3: GetKeyloggerLogsResponse
- 0x35c51:$x4: GetKeyloggerLogs
- 0x35eea:$s1: <RunHidden>k__BackingField
- 0x36b42:$s2: set_SystemInfos
- 0x35f13:$s3: set_RunHidden
- 0x35aa6:$s4: set_RemotePath
- 0x30971:$s7: xClient.Core.ReverseProxy.Packets
|
5.2.FacebookSecurityUpdate.exe.600000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2f783:$x4: xClient.Properties.Resources.resources
- 0x2f621:$s4: Client.exe
- 0x35f13:$s7: set_RunHidden
|
5.2.FacebookSecurityUpdate.exe.600000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x35ed7:$s1: DoUploadAndExecute
- 0x360e5:$s2: DoDownloadAndExecute
- 0x35cdb:$s3: DoShellExecute
- 0x360aa:$s4: set_Processname
- 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x7552:$op3: 00 04 03 69 91 1B 40
- 0x7da2:$op3: 00 04 03 69 91 1B 40
|
5.2.FacebookSecurityUpdate.exe.600000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3697a:$x1: GetKeyloggerLogsResponse
- 0x36bba:$s1: DoShellExecuteResponse
- 0x36533:$s2: GetPasswordsResponse
- 0x36a8d:$s3: GetStartupItemsResponse
- 0x35eeb:$s5: RunHidden
- 0x35f09:$s5: RunHidden
- 0x35f17:$s5: RunHidden
- 0x35f2b:$s5: RunHidden
|
5.2.FacebookSecurityUpdate.exe.600000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
5.2.FacebookSecurityUpdate.exe.600000.0.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x425e5:$x2: Process already elevated.
- 0x342a0:$x4: get_encryptedPassword
- 0x360e5:$x5: DoDownloadAndExecute
|
5.2.FacebookSecurityUpdate.exe.600000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
2.2.FacebookSecurityUpdate.exe.d90000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x3697a:$x3: GetKeyloggerLogsResponse
- 0x35c51:$x4: GetKeyloggerLogs
- 0x35eea:$s1: <RunHidden>k__BackingField
- 0x36b42:$s2: set_SystemInfos
- 0x35f13:$s3: set_RunHidden
- 0x35aa6:$s4: set_RemotePath
- 0x30971:$s7: xClient.Core.ReverseProxy.Packets
|
2.2.FacebookSecurityUpdate.exe.d90000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2f783:$x4: xClient.Properties.Resources.resources
- 0x2f621:$s4: Client.exe
- 0x35f13:$s7: set_RunHidden
|
2.2.FacebookSecurityUpdate.exe.d90000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x35ed7:$s1: DoUploadAndExecute
- 0x360e5:$s2: DoDownloadAndExecute
- 0x35cdb:$s3: DoShellExecute
- 0x360aa:$s4: set_Processname
- 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x7552:$op3: 00 04 03 69 91 1B 40
- 0x7da2:$op3: 00 04 03 69 91 1B 40
|
2.2.FacebookSecurityUpdate.exe.d90000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3697a:$x1: GetKeyloggerLogsResponse
- 0x36bba:$s1: DoShellExecuteResponse
- 0x36533:$s2: GetPasswordsResponse
- 0x36a8d:$s3: GetStartupItemsResponse
- 0x35eeb:$s5: RunHidden
- 0x35f09:$s5: RunHidden
- 0x35f17:$s5: RunHidden
- 0x35f2b:$s5: RunHidden
|
2.2.FacebookSecurityUpdate.exe.d90000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
2.2.FacebookSecurityUpdate.exe.d90000.0.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x425e5:$x2: Process already elevated.
- 0x342a0:$x4: get_encryptedPassword
- 0x360e5:$x5: DoDownloadAndExecute
|
2.2.FacebookSecurityUpdate.exe.d90000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | - 0x3697a:$x3: GetKeyloggerLogsResponse
- 0x8f7b2:$x3: GetKeyloggerLogsResponse
- 0x35c51:$x4: GetKeyloggerLogs
- 0x8ea89:$x4: GetKeyloggerLogs
- 0x35eea:$s1: <RunHidden>k__BackingField
- 0x8ed22:$s1: <RunHidden>k__BackingField
- 0x36b42:$s2: set_SystemInfos
- 0x8f97a:$s2: set_SystemInfos
- 0x35f13:$s3: set_RunHidden
- 0x8ed4b:$s3: set_RunHidden
- 0x35aa6:$s4: set_RemotePath
- 0x8e8de:$s4: set_RemotePath
- 0x30971:$s7: xClient.Core.ReverseProxy.Packets
- 0x897a9:$s7: xClient.Core.ReverseProxy.Packets
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth | - 0x2f783:$x4: xClient.Properties.Resources.resources
- 0x885bb:$x4: xClient.Properties.Resources.resources
- 0x2f621:$s4: Client.exe
- 0x88459:$s4: Client.exe
- 0x35f13:$s7: set_RunHidden
- 0x8ed4b:$s7: set_RunHidden
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x35ed7:$s1: DoUploadAndExecute
- 0x8ed0f:$s1: DoUploadAndExecute
- 0x360e5:$s2: DoDownloadAndExecute
- 0x8ef1d:$s2: DoDownloadAndExecute
- 0x35cdb:$s3: DoShellExecute
- 0x8eb13:$s3: DoShellExecute
- 0x360aa:$s4: set_Processname
- 0x8eee2:$s4: set_Processname
- 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x5fa00:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x5f924:$op2: 00 17 03 1F 20 17 19 15 28
- 0x7552:$op3: 00 04 03 69 91 1B 40
- 0x7da2:$op3: 00 04 03 69 91 1B 40
- 0x6038a:$op3: 00 04 03 69 91 1B 40
- 0x60bda:$op3: 00 04 03 69 91 1B 40
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3697a:$x1: GetKeyloggerLogsResponse
- 0x8f7b2:$x1: GetKeyloggerLogsResponse
- 0x36bba:$s1: DoShellExecuteResponse
- 0x8f9f2:$s1: DoShellExecuteResponse
- 0x36533:$s2: GetPasswordsResponse
- 0x8f36b:$s2: GetPasswordsResponse
- 0x36a8d:$s3: GetStartupItemsResponse
- 0x8f8c5:$s3: GetStartupItemsResponse
- 0x35eeb:$s5: RunHidden
- 0x35f09:$s5: RunHidden
- 0x35f17:$s5: RunHidden
- 0x35f2b:$s5: RunHidden
- 0x8ed23:$s5: RunHidden
- 0x8ed41:$s5: RunHidden
- 0x8ed4f:$s5: RunHidden
- 0x8ed63:$s5: RunHidden
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x98f55:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
- 0x99125:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | Florian Roth | - 0x425e5:$x2: Process already elevated.
- 0x9b41d:$x2: Process already elevated.
- 0x342a0:$x4: get_encryptedPassword
- 0x8d0d8:$x4: get_encryptedPassword
- 0x360e5:$x5: DoDownloadAndExecute
- 0x8ef1d:$x5: DoDownloadAndExecute
|
0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x35ed7:$s1: DoUploadAndExecute
- 0x8ed1f:$s1: DoUploadAndExecute
- 0xe7b57:$s1: DoUploadAndExecute
- 0x360e5:$s2: DoDownloadAndExecute
- 0x8ef2d:$s2: DoDownloadAndExecute
- 0xe7d65:$s2: DoDownloadAndExecute
- 0x35cdb:$s3: DoShellExecute
- 0x8eb23:$s3: DoShellExecute
- 0xe795b:$s3: DoShellExecute
- 0x360aa:$s4: set_Processname
- 0x8eef2:$s4: set_Processname
- 0xe7d2a:$s4: set_Processname
- 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x5fa10:$op1: 04 1E FE 02 04 16 FE 01 60
- 0xb8848:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
- 0x5f934:$op2: 00 17 03 1F 20 17 19 15 28
- 0xb876c:$op2: 00 17 03 1F 20 17 19 15 28
- 0x7552:$op3: 00 04 03 69 91 1B 40
- 0x7da2:$op3: 00 04 03 69 91 1B 40
- 0x6039a:$op3: 00 04 03 69 91 1B 40
|
0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3697a:$x1: GetKeyloggerLogsResponse
- 0x8f7c2:$x1: GetKeyloggerLogsResponse
- 0xe85fa:$x1: GetKeyloggerLogsResponse
- 0x36bba:$s1: DoShellExecuteResponse
- 0x8fa02:$s1: DoShellExecuteResponse
- 0xe883a:$s1: DoShellExecuteResponse
- 0x36533:$s2: GetPasswordsResponse
- 0x8f37b:$s2: GetPasswordsResponse
- 0xe81b3:$s2: GetPasswordsResponse
- 0x36a8d:$s3: GetStartupItemsResponse
- 0x8f8d5:$s3: GetStartupItemsResponse
- 0xe870d:$s3: GetStartupItemsResponse
- 0x35eeb:$s5: RunHidden
- 0x35f09:$s5: RunHidden
- 0x35f17:$s5: RunHidden
- 0x35f2b:$s5: RunHidden
- 0x8ed33:$s5: RunHidden
- 0x8ed51:$s5: RunHidden
- 0x8ed5f:$s5: RunHidden
- 0x8ed73:$s5: RunHidden
- 0xe7b6b:$s5: RunHidden
|
0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x98f65:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0xf1d9d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
- 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
- 0x99135:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
- 0xf1f6d:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
|
0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |