| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 0.3.wscript.exe.1b86717d130.5.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth | 0x2f30:$x1: cmd.exe /c ping 0 -n 2 & del "; 0x3088:$s3: Executed As; 0x306a:$s6: Download ERROR |
| 0.3.wscript.exe.1b86717d130.5.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 0.3.wscript.exe.1b86717d130.5.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0x2f9e:$a1: netsh firewall add allowedprogram; 0x2f6e:$a2: SEE_MASK_NOZONECHECKS; 0x3218:$b1: [TAP]; 0x2f30:$c3: cmd.exe /c ping |
| 0.3.wscript.exe.1b86717d130.5.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group | 0x2f6e:$reg: SEE_MASK_NOZONECHECKS; 0x3046:$msg: Execute ERROR; 0x30a2:$msg: Execute ERROR; 0x2f30:$ping: cmd.exe /c ping 0 -n 2 & del |
| 0.3.wscript.exe.1b8660a7cb0.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xbf24:$s1: wireshark; 0xbeee:$s2: procexp |
| 0.3.wscript.exe.1b8660a7cb0.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 0.3.wscript.exe.1b8660a7cb0.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xd86d:$a1: netsh firewall add allowedprogram; 0xd9fd:$b1: [TAP]; 0xc7b7:$b2: & exit; 0xd7f3:$b2: & exit; 0xd7c1:$c1: md.exe /k ping 0 & del |
| 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xdd24:$s1: wireshark; 0xdcee:$s2: procexp |
| 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xf66d:$a1: netsh firewall add allowedprogram; 0xf7fd:$b1: [TAP]; 0xe5b7:$b2: & exit; 0xf5f3:$b2: & exit; 0xf5c1:$c1: md.exe /k ping 0 & del |
| 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xdd24:$s1: wireshark; 0xdcee:$s2: procexp |
| 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xf66d:$a1: netsh firewall add allowedprogram; 0xf7fd:$b1: [TAP]; 0xe5b7:$b2: & exit; 0xf5f3:$b2: & exit; 0xf5c1:$c1: md.exe /k ping 0 & del |
| 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xdd24:$s1: wireshark; 0xdcee:$s2: procexp |
| 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xf66d:$a1: netsh firewall add allowedprogram; 0xf7fd:$b1: [TAP]; 0xe5b7:$b2: & exit; 0xf5f3:$b2: & exit; 0xf5c1:$c1: md.exe /k ping 0 & del |
| 13.2.tmpFB21.tmp.exe.8a0000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b8e8:$key: HawkEyeKeylogger; 0x7dae2:$salt: 099u787978786; 0x7bf11:$string1: HawkEye_Keylogger; 0x7cd50:$string1: HawkEye_Keylogger; 0x7da42:$string1: HawkEye_Keylogger; 0x7c2e6:$string2: holdermail.txt; 0x7c306:$string2: holdermail.txt; 0x7c228:$string3: wallet.dat; 0x7c240:$string3: wallet.dat; 0x7c256:$string3: wallet.dat; 0x7d624:$string4: Keylog Records; 0x7d93c:$string4: Keylog Records; 0x7db3a:$string5: do not script -->; 0x7b8d0:$string6: \pidloc.txt; 0x7b92a:$string7: BSPLIT; 0x7b93a:$string7: BSPLIT |
| 13.2.tmpFB21.tmp.exe.8a0000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 13.2.tmpFB21.tmp.exe.8a0000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a0000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a0000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a0000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf69:$hawkstr1: HawkEye Keylogger; 0x7cd96:$hawkstr1: HawkEye Keylogger; 0x7d0c5:$hawkstr1: HawkEye Keylogger; 0x7d220:$hawkstr1: HawkEye Keylogger; 0x7d383:$hawkstr1: HawkEye Keylogger; 0x7d5fc:$hawkstr1: HawkEye Keylogger; 0x7badb:$hawkstr2: Dear HawkEye Customers!; 0x7d118:$hawkstr2: Dear HawkEye Customers!; 0x7d26f:$hawkstr2: Dear HawkEye Customers!; 0x7d3d6:$hawkstr2: Dear HawkEye Customers!; 0x7bbfc:$hawkstr3: HawkEye Logger Details: |
| 13.2.tmpFB21.tmp.exe.4040020.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 1.0.Tmp.exe.1d0000.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xdd24:$s1: wireshark; 0xdcee:$s2: procexp |
| 1.0.Tmp.exe.1d0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 1.0.Tmp.exe.1d0000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xf66d:$a1: netsh firewall add allowedprogram; 0xf7fd:$b1: [TAP]; 0xe5b7:$b2: & exit; 0xf5f3:$b2: & exit; 0xf5c1:$c1: md.exe /k ping 0 & del |
| 0.3.wscript.exe.1b86717d130.5.raw.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 0.3.wscript.exe.1b86717d130.5.raw.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0x4d9e:$a1: netsh firewall add allowedprogram; 0x4d6e:$a2: SEE_MASK_NOZONECHECKS; 0x5018:$b1: [TAP]; 0x4d30:$c3: cmd.exe /c ping |
| 0.3.wscript.exe.1b86717d130.5.raw.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group | 0x4d6e:$reg: SEE_MASK_NOZONECHECKS; 0x4e46:$msg: Execute ERROR; 0x4ea2:$msg: Execute ERROR; 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del |
| 0.3.wscript.exe.1b8660a7cb0.1.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xbf24:$s1: wireshark; 0xbeee:$s2: procexp |
| 0.3.wscript.exe.1b8660a7cb0.1.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 0.3.wscript.exe.1b8660a7cb0.1.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xd86d:$a1: netsh firewall add allowedprogram; 0xd9fd:$b1: [TAP]; 0xc7b7:$b2: & exit; 0xd7f3:$b2: & exit; 0xd7c1:$c1: md.exe /k ping 0 & del |
| 13.2.tmpFB21.tmp.exe.8150000.11.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 2.2.pgr.exe.3a3fd88.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b8e8:$key: HawkEyeKeylogger; 0x7dae2:$salt: 099u787978786; 0x7bf11:$string1: HawkEye_Keylogger; 0x7cd50:$string1: HawkEye_Keylogger; 0x7da42:$string1: HawkEye_Keylogger; 0x7c2e6:$string2: holdermail.txt; 0x7c306:$string2: holdermail.txt; 0x7c228:$string3: wallet.dat; 0x7c240:$string3: wallet.dat; 0x7c256:$string3: wallet.dat; 0x7d624:$string4: Keylog Records; 0x7d93c:$string4: Keylog Records; 0x7db3a:$string5: do not script -->; 0x7b8d0:$string6: \pidloc.txt; 0x7b92a:$string7: BSPLIT; 0x7b93a:$string7: BSPLIT |
| 2.2.pgr.exe.3a3fd88.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 2.2.pgr.exe.3a3fd88.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 2.2.pgr.exe.3a3fd88.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 2.2.pgr.exe.3a3fd88.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 2.2.pgr.exe.3a3fd88.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf69:$hawkstr1: HawkEye Keylogger; 0x7cd96:$hawkstr1: HawkEye Keylogger; 0x7d0c5:$hawkstr1: HawkEye Keylogger; 0x7d220:$hawkstr1: HawkEye Keylogger; 0x7d383:$hawkstr1: HawkEye Keylogger; 0x7d5fc:$hawkstr1: HawkEye Keylogger; 0x7badb:$hawkstr2: Dear HawkEye Customers!; 0x7d118:$hawkstr2: Dear HawkEye Customers!; 0x7d26f:$hawkstr2: Dear HawkEye Customers!; 0x7d3d6:$hawkstr2: Dear HawkEye Customers!; 0x7bbfc:$hawkstr3: HawkEye Logger Details: |
| 13.2.tmpFB21.tmp.exe.8100000.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 13.0.tmpFB21.tmp.exe.8a9c0d.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a0000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b8e8:$key: HawkEyeKeylogger; 0x7dae2:$salt: 099u787978786; 0x7bf11:$string1: HawkEye_Keylogger; 0x7cd50:$string1: HawkEye_Keylogger; 0x7da42:$string1: HawkEye_Keylogger; 0x7c2e6:$string2: holdermail.txt; 0x7c306:$string2: holdermail.txt; 0x7c228:$string3: wallet.dat; 0x7c240:$string3: wallet.dat; 0x7c256:$string3: wallet.dat; 0x7d624:$string4: Keylog Records; 0x7d93c:$string4: Keylog Records; 0x7db3a:$string5: do not script -->; 0x7b8d0:$string6: \pidloc.txt; 0x7b92a:$string7: BSPLIT; 0x7b93a:$string7: BSPLIT |
| 13.0.tmpFB21.tmp.exe.8a0000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 13.0.tmpFB21.tmp.exe.8a0000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a0000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a0000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a0000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf69:$hawkstr1: HawkEye Keylogger; 0x7cd96:$hawkstr1: HawkEye Keylogger; 0x7d0c5:$hawkstr1: HawkEye Keylogger; 0x7d220:$hawkstr1: HawkEye Keylogger; 0x7d383:$hawkstr1: HawkEye Keylogger; 0x7d5fc:$hawkstr1: HawkEye Keylogger; 0x7badb:$hawkstr2: Dear HawkEye Customers!; 0x7d118:$hawkstr2: Dear HawkEye Customers!; 0x7d26f:$hawkstr2: Dear HawkEye Customers!; 0x7d3d6:$hawkstr2: Dear HawkEye Customers!; 0x7bbfc:$hawkstr3: HawkEye Logger Details: |
| 12.0.tmp87E4.tmp.exe.6e0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| 14.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.2.tmpFB21.tmp.exe.4027e00.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 14.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dc76:$key: HawkEyeKeylogger; 0x1fe70:$salt: 099u787978786; 0x1e29f:$string1: HawkEye_Keylogger; 0x1f0de:$string1: HawkEye_Keylogger; 0x1fdd0:$string1: HawkEye_Keylogger; 0x1e674:$string2: holdermail.txt; 0x1e694:$string2: holdermail.txt; 0x1e5b6:$string3: wallet.dat; 0x1e5ce:$string3: wallet.dat; 0x1e5e4:$string3: wallet.dat; 0x1f9b2:$string4: Keylog Records; 0x1fcca:$string4: Keylog Records; 0x1fec8:$string5: do not script -->; 0x1dc5e:$string6: \pidloc.txt; 0x1dcb8:$string7: BSPLIT; 0x1dcc8:$string7: BSPLIT |
| 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e2f7:$hawkstr1: HawkEye Keylogger; 0x1f124:$hawkstr1: HawkEye Keylogger; 0x1f453:$hawkstr1: HawkEye Keylogger; 0x1f5ae:$hawkstr1: HawkEye Keylogger; 0x1f711:$hawkstr1: HawkEye Keylogger; 0x1f98a:$hawkstr1: HawkEye Keylogger; 0x1de69:$hawkstr2: Dear HawkEye Customers!; 0x1f4a6:$hawkstr2: Dear HawkEye Customers!; 0x1f5fd:$hawkstr2: Dear HawkEye Customers!; 0x1f764:$hawkstr2: Dear HawkEye Customers!; 0x1df8a:$hawkstr3: HawkEye Logger Details: |
| 2.2.pgr.exe.80000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth | 0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del "; 0x4e88:$s3: Executed As; 0x4e6a:$s6: Download ERROR |
| 2.2.pgr.exe.80000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 2.2.pgr.exe.80000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0x4d9e:$a1: netsh firewall add allowedprogram; 0x4d6e:$a2: SEE_MASK_NOZONECHECKS; 0x5018:$b1: [TAP]; 0x4d30:$c3: cmd.exe /c ping |
| 2.2.pgr.exe.80000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group | 0x4d6e:$reg: SEE_MASK_NOZONECHECKS; 0x4e46:$msg: Execute ERROR; 0x4ea2:$msg: Execute ERROR; 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del |
| 2.0.pgr.exe.80000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth | 0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del "; 0x4e88:$s3: Executed As; 0x4e6a:$s6: Download ERROR |
| 2.0.pgr.exe.80000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 2.0.pgr.exe.80000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0x4d9e:$a1: netsh firewall add allowedprogram; 0x4d6e:$a2: SEE_MASK_NOZONECHECKS; 0x5018:$b1: [TAP]; 0x4d30:$c3: cmd.exe /c ping |
| 2.0.pgr.exe.80000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group | 0x4d6e:$reg: SEE_MASK_NOZONECHECKS; 0x4e46:$msg: Execute ERROR; 0x4ea2:$msg: Execute ERROR; 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del |
| 13.2.tmpFB21.tmp.exe.8a9c0d.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x754e0:$key: HawkEyeKeylogger; 0x776da:$salt: 099u787978786; 0x75b09:$string1: HawkEye_Keylogger; 0x76948:$string1: HawkEye_Keylogger; 0x7763a:$string1: HawkEye_Keylogger; 0x75ede:$string2: holdermail.txt; 0x75efe:$string2: holdermail.txt; 0x75e20:$string3: wallet.dat; 0x75e38:$string3: wallet.dat; 0x75e4e:$string3: wallet.dat; 0x7721c:$string4: Keylog Records; 0x77534:$string4: Keylog Records; 0x77732:$string5: do not script -->; 0x754c8:$string6: \pidloc.txt; 0x75522:$string7: BSPLIT; 0x75532:$string7: BSPLIT |
| 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x75b61:$hawkstr1: HawkEye Keylogger; 0x7698e:$hawkstr1: HawkEye Keylogger; 0x76cbd:$hawkstr1: HawkEye Keylogger; 0x76e18:$hawkstr1: HawkEye Keylogger; 0x76f7b:$hawkstr1: HawkEye Keylogger; 0x771f4:$hawkstr1: HawkEye Keylogger; 0x756d3:$hawkstr2: Dear HawkEye Customers!; 0x76d10:$hawkstr2: Dear HawkEye Customers!; 0x76e67:$hawkstr2: Dear HawkEye Customers!; 0x76fce:$hawkstr2: Dear HawkEye Customers!; 0x757f4:$hawkstr3: HawkEye Logger Details: |
| 3.2.servieda.exe.a0000.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xdd24:$s1: wireshark; 0xdcee:$s2: procexp |
| 3.2.servieda.exe.a0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 3.2.servieda.exe.a0000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xf66d:$a1: netsh firewall add allowedprogram; 0xf7fd:$b1: [TAP]; 0xe5b7:$b2: & exit; 0xf5f3:$b2: & exit; 0xf5c1:$c1: md.exe /k ping 0 & del |
| 12.2.tmp87E4.tmp.exe.6e0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| 3.0.servieda.exe.a0000.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xdd24:$s1: wireshark; 0xdcee:$s2: procexp |
| 3.0.servieda.exe.a0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 3.0.servieda.exe.a0000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xf66d:$a1: netsh firewall add allowedprogram; 0xf7fd:$b1: [TAP]; 0xe5b7:$b2: & exit; 0xf5f3:$b2: & exit; 0xf5c1:$c1: md.exe /k ping 0 & del |
| 1.2.Tmp.exe.1d0000.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xdd24:$s1: wireshark; 0xdcee:$s2: procexp |
| 1.2.Tmp.exe.1d0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 1.2.Tmp.exe.1d0000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xf66d:$a1: netsh firewall add allowedprogram; 0xf7fd:$b1: [TAP]; 0xe5b7:$b2: & exit; 0xf5f3:$b2: & exit; 0xf5c1:$c1: md.exe /k ping 0 & del |
| 15.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8ffa72.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 2.2.pgr.exe.3a46190.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x754e0:$key: HawkEyeKeylogger; 0x776da:$salt: 099u787978786; 0x75b09:$string1: HawkEye_Keylogger; 0x76948:$string1: HawkEye_Keylogger; 0x7763a:$string1: HawkEye_Keylogger; 0x75ede:$string2: holdermail.txt; 0x75efe:$string2: holdermail.txt; 0x75e20:$string3: wallet.dat; 0x75e38:$string3: wallet.dat; 0x75e4e:$string3: wallet.dat; 0x7721c:$string4: Keylog Records; 0x77534:$string4: Keylog Records; 0x77732:$string5: do not script -->; 0x754c8:$string6: \pidloc.txt; 0x75522:$string7: BSPLIT; 0x75532:$string7: BSPLIT |
| 2.2.pgr.exe.3a46190.2.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 2.2.pgr.exe.3a46190.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 2.2.pgr.exe.3a46190.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 2.2.pgr.exe.3a46190.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 2.2.pgr.exe.3a46190.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x75b61:$hawkstr1: HawkEye Keylogger; 0x7698e:$hawkstr1: HawkEye Keylogger; 0x76cbd:$hawkstr1: HawkEye Keylogger; 0x76e18:$hawkstr1: HawkEye Keylogger; 0x76f7b:$hawkstr1: HawkEye Keylogger; 0x771f4:$hawkstr1: HawkEye Keylogger; 0x756d3:$hawkstr2: Dear HawkEye Customers!; 0x76d10:$hawkstr2: Dear HawkEye Customers!; 0x76e67:$hawkstr2: Dear HawkEye Customers!; 0x76fce:$hawkstr2: Dear HawkEye Customers!; 0x757f4:$hawkstr3: HawkEye Logger Details: |
| 13.2.tmpFB21.tmp.exe.8ffa72.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73adb:$key: HawkEyeKeylogger; 0x75cd5:$salt: 099u787978786; 0x74104:$string1: HawkEye_Keylogger; 0x74f43:$string1: HawkEye_Keylogger; 0x75c35:$string1: HawkEye_Keylogger; 0x744d9:$string2: holdermail.txt; 0x744f9:$string2: holdermail.txt; 0x7441b:$string3: wallet.dat; 0x74433:$string3: wallet.dat; 0x74449:$string3: wallet.dat; 0x75817:$string4: Keylog Records; 0x75b2f:$string4: Keylog Records; 0x75d2d:$string5: do not script -->; 0x73ac3:$string6: \pidloc.txt; 0x73b1d:$string7: BSPLIT; 0x73b2d:$string7: BSPLIT |
| 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7415c:$hawkstr1: HawkEye Keylogger; 0x74f89:$hawkstr1: HawkEye Keylogger; 0x752b8:$hawkstr1: HawkEye Keylogger; 0x75413:$hawkstr1: HawkEye Keylogger; 0x75576:$hawkstr1: HawkEye Keylogger; 0x757ef:$hawkstr1: HawkEye Keylogger; 0x73cce:$hawkstr2: Dear HawkEye Customers!; 0x7530b:$hawkstr2: Dear HawkEye Customers!; 0x75462:$hawkstr2: Dear HawkEye Customers!; 0x755c9:$hawkstr2: Dear HawkEye Customers!; 0x73def:$hawkstr3: HawkEye Logger Details: |
| 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth | 0xdd24:$s1: wireshark; 0xdcee:$s2: procexp |
| 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter | 0xf66d:$a1: netsh firewall add allowedprogram; 0xf7fd:$b1: [TAP]; 0xe5b7:$b2: & exit; 0xf5f3:$b2: & exit; 0xf5c1:$c1: md.exe /k ping 0 & del |
| 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73adb:$key: HawkEyeKeylogger; 0x75cd5:$salt: 099u787978786; 0x74104:$string1: HawkEye_Keylogger; 0x74f43:$string1: HawkEye_Keylogger; 0x75c35:$string1: HawkEye_Keylogger; 0x744d9:$string2: holdermail.txt; 0x744f9:$string2: holdermail.txt; 0x7441b:$string3: wallet.dat; 0x74433:$string3: wallet.dat; 0x74449:$string3: wallet.dat; 0x75817:$string4: Keylog Records; 0x75b2f:$string4: Keylog Records; 0x75d2d:$string5: do not script -->; 0x73ac3:$string6: \pidloc.txt; 0x73b1d:$string7: BSPLIT; 0x73b2d:$string7: BSPLIT |
| 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7415c:$hawkstr1: HawkEye Keylogger; 0x74f89:$hawkstr1: HawkEye Keylogger; 0x752b8:$hawkstr1: HawkEye Keylogger; 0x75413:$hawkstr1: HawkEye Keylogger; 0x75576:$hawkstr1: HawkEye Keylogger; 0x757ef:$hawkstr1: HawkEye Keylogger; 0x73cce:$hawkstr2: Dear HawkEye Customers!; 0x7530b:$hawkstr2: Dear HawkEye Customers!; 0x75462:$hawkstr2: Dear HawkEye Customers!; 0x755c9:$hawkstr2: Dear HawkEye Customers!; 0x73def:$hawkstr3: HawkEye Logger Details: |
| 13.2.tmpFB21.tmp.exe.4040020.7.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dc76:$key: HawkEyeKeylogger; 0x1fe70:$salt: 099u787978786; 0x1e29f:$string1: HawkEye_Keylogger; 0x1f0de:$string1: HawkEye_Keylogger; 0x1fdd0:$string1: HawkEye_Keylogger; 0x1e674:$string2: holdermail.txt; 0x1e694:$string2: holdermail.txt; 0x1e5b6:$string3: wallet.dat; 0x1e5ce:$string3: wallet.dat; 0x1e5e4:$string3: wallet.dat; 0x1f9b2:$string4: Keylog Records; 0x1fcca:$string4: Keylog Records; 0x1fec8:$string5: do not script -->; 0x1dc5e:$string6: \pidloc.txt; 0x1dcb8:$string7: BSPLIT; 0x1dcc8:$string7: BSPLIT |
| 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e2f7:$hawkstr1: HawkEye Keylogger; 0x1f124:$hawkstr1: HawkEye Keylogger; 0x1f453:$hawkstr1: HawkEye Keylogger; 0x1f5ae:$hawkstr1: HawkEye Keylogger; 0x1f711:$hawkstr1: HawkEye Keylogger; 0x1f98a:$hawkstr1: HawkEye Keylogger; 0x1de69:$hawkstr2: Dear HawkEye Customers!; 0x1f4a6:$hawkstr2: Dear HawkEye Customers!; 0x1f5fd:$hawkstr2: Dear HawkEye Customers!; 0x1f764:$hawkstr2: Dear HawkEye Customers!; 0x1df8a:$hawkstr3: HawkEye Logger Details: |
| 15.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 2.2.pgr.exe.3a3fd88.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x79ae8:$key: HawkEyeKeylogger; 0x7bce2:$salt: 099u787978786; 0x7a111:$string1: HawkEye_Keylogger; 0x7af50:$string1: HawkEye_Keylogger; 0x7bc42:$string1: HawkEye_Keylogger; 0x7a4e6:$string2: holdermail.txt; 0x7a506:$string2: holdermail.txt; 0x7a428:$string3: wallet.dat; 0x7a440:$string3: wallet.dat; 0x7a456:$string3: wallet.dat; 0x7b824:$string4: Keylog Records; 0x7bb3c:$string4: Keylog Records; 0x7bd3a:$string5: do not script -->; 0x79ad0:$string6: \pidloc.txt; 0x79b2a:$string7: BSPLIT; 0x79b3a:$string7: BSPLIT |
| 2.2.pgr.exe.3a3fd88.3.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 2.2.pgr.exe.3a3fd88.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 2.2.pgr.exe.3a3fd88.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 2.2.pgr.exe.3a3fd88.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 2.2.pgr.exe.3a3fd88.3.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7a169:$hawkstr1: HawkEye Keylogger; 0x7af96:$hawkstr1: HawkEye Keylogger; 0x7b2c5:$hawkstr1: HawkEye Keylogger; 0x7b420:$hawkstr1: HawkEye Keylogger; 0x7b583:$hawkstr1: HawkEye Keylogger; 0x7b7fc:$hawkstr1: HawkEye Keylogger; 0x79cdb:$hawkstr2: Dear HawkEye Customers!; 0x7b318:$hawkstr2: Dear HawkEye Customers!; 0x7b46f:$hawkstr2: Dear HawkEye Customers!; 0x7b5d6:$hawkstr2: Dear HawkEye Customers!; 0x79dfc:$hawkstr3: HawkEye Logger Details: |
| 2.2.pgr.exe.3a47b95.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.2.tmpFB21.tmp.exe.3068cf8.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x754e0:$key: HawkEyeKeylogger; 0x776da:$salt: 099u787978786; 0x75b09:$string1: HawkEye_Keylogger; 0x76948:$string1: HawkEye_Keylogger; 0x7763a:$string1: HawkEye_Keylogger; 0x75ede:$string2: holdermail.txt; 0x75efe:$string2: holdermail.txt; 0x75e20:$string3: wallet.dat; 0x75e38:$string3: wallet.dat; 0x75e4e:$string3: wallet.dat; 0x7721c:$string4: Keylog Records; 0x77534:$string4: Keylog Records; 0x77732:$string5: do not script -->; 0x754c8:$string6: \pidloc.txt; 0x75522:$string7: BSPLIT; 0x75532:$string7: BSPLIT |
| 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x75b61:$hawkstr1: HawkEye Keylogger; 0x7698e:$hawkstr1: HawkEye Keylogger; 0x76cbd:$hawkstr1: HawkEye Keylogger; 0x76e18:$hawkstr1: HawkEye Keylogger; 0x76f7b:$hawkstr1: HawkEye Keylogger; 0x771f4:$hawkstr1: HawkEye Keylogger; 0x756d3:$hawkstr2: Dear HawkEye Customers!; 0x76d10:$hawkstr2: Dear HawkEye Customers!; 0x76e67:$hawkstr2: Dear HawkEye Customers!; 0x76fce:$hawkstr2: Dear HawkEye Customers!; 0x757f4:$hawkstr3: HawkEye Logger Details: |
| 2.2.pgr.exe.3a47b95.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73adb:$key: HawkEyeKeylogger; 0x75cd5:$salt: 099u787978786; 0x74104:$string1: HawkEye_Keylogger; 0x74f43:$string1: HawkEye_Keylogger; 0x75c35:$string1: HawkEye_Keylogger; 0x744d9:$string2: holdermail.txt; 0x744f9:$string2: holdermail.txt; 0x7441b:$string3: wallet.dat; 0x74433:$string3: wallet.dat; 0x74449:$string3: wallet.dat; 0x75817:$string4: Keylog Records; 0x75b2f:$string4: Keylog Records; 0x75d2d:$string5: do not script -->; 0x73ac3:$string6: \pidloc.txt; 0x73b1d:$string7: BSPLIT; 0x73b2d:$string7: BSPLIT |
| 2.2.pgr.exe.3a47b95.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 2.2.pgr.exe.3a47b95.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 2.2.pgr.exe.3a47b95.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 2.2.pgr.exe.3a47b95.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7415c:$hawkstr1: HawkEye Keylogger; 0x74f89:$hawkstr1: HawkEye Keylogger; 0x752b8:$hawkstr1: HawkEye Keylogger; 0x75413:$hawkstr1: HawkEye Keylogger; 0x75576:$hawkstr1: HawkEye Keylogger; 0x757ef:$hawkstr1: HawkEye Keylogger; 0x73cce:$hawkstr2: Dear HawkEye Customers!; 0x7530b:$hawkstr2: Dear HawkEye Customers!; 0x75462:$hawkstr2: Dear HawkEye Customers!; 0x755c9:$hawkstr2: Dear HawkEye Customers!; 0x73def:$hawkstr3: HawkEye Logger Details: |
| 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df; 0x20f13:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x18308:$hawkstr1: HawkEye Keylogger; 0x1a4c8:$hawkstr1: HawkEye Keylogger; 0x1a860:$hawkstr1: HawkEye Keylogger; 0x1fc54:$hawkstr1: HawkEye Keylogger; 0x17d54:$hawkstr2: Dear HawkEye Customers!; 0x1a52c:$hawkstr2: Dear HawkEye Customers!; 0x1a8c4:$hawkstr2: Dear HawkEye Customers!; 0x17e86:$hawkstr3: HawkEye Logger Details: |