Play interactive tour

Edit tour

Windows Analysis Report aaVb1xEmrd

Overview

General Information

Sample Name:	aaVb1xEmrd (renamed file extension from none to exe)
Analysis ID:	478309
MD5:	c428b176eca6b17cda3f5729abaddf0b
SHA1:	65262ee5ea9c832436c6eba4a5e58d69900aea72
SHA256:	b139dd73d811c0d20602ebd74f962724d2c9e31958bdea9326473bf4bbd746b9
Tags:	exeHawkEye
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView PredatorPainRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Yara detected HawkEye Keylogger

Yara detected PredatorPainRAT

System process connects to network (likely due to code injection or exploit)

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Detected HawkEye Rat

Multi AV Scanner detection for dropped file

Sigma detected: System File Execution Location Anomaly

Creates multiple autostart registry keys

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Suspicious Svchost Process

Tries to steal Mail credentials (via file access)

Drops PE files with benign system names

Sample uses process hollowing technique

Installs a global keyboard hook

Disables Windows system restore

Writes to foreign memory regions

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Changes the view of files in windows explorer (hidden files and folders)

Yara detected WebBrowserPassView password recovery tool

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Tries to steal Instant Messenger accounts or passwords

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Checks if the current process is being debugged

Launches processes in debugging mode, may be used to hinder debugging

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Sigma detected: PowerShell Script Run in AppData

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

May infect USB drives

Found potential string decryption / allocating functions

Contains functionality to call native functions

Enables debug privileges

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Contains functionality to detect virtual machines (SLDT)

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Contains functionality to query network adapater information

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

aaVb1xEmrd.exe (PID: 2432 cmdline: 'C:\Users\user\Desktop\aaVb1xEmrd.exe' MD5: C428B176ECA6B17CDA3F5729ABADDF0B)

MULTIBOT_NEWW.exe (PID: 4768 cmdline: 'C:\Users\user\AppData\Local\Temp\MULTIBOT_NEWW.exe' MD5: 3F620FFD8BE649D1D31AB54F73A559BE)

svchost.exe (PID: 4280 cmdline: 'C:\Users\user\AppData\Local\Temp\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)

svchost.exe (PID: 6256 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)

taskhost.exe (PID: 4548 cmdline: 'C:\Users\user\AppData\Local\Temp\taskhost.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)

dw20.exe (PID: 6148 cmdline: dw20.exe -x -s 2200 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

vbc.exe (PID: 6280 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 6612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

vbc.exe (PID: 6292 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 6624 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

iExplorer.exe (PID: 1352 cmdline: 'C:\Users\user\AppData\Local\Temp\iExplorer.exe' MD5: A0DBD1314D214588960B1E0BCED5F4E0)

Windows Update.exe (PID: 5204 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: A0DBD1314D214588960B1E0BCED5F4E0)

dw20.exe (PID: 6724 cmdline: dw20.exe -x -s 2324 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

vbc.exe (PID: 6912 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 6928 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 5276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2336 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6740 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)

svchost.exe (PID: 6960 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7088 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4920 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

WindowsUpdate.exe (PID: 6112 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)

dw20.exe (PID: 4068 cmdline: dw20.exe -x -s 1168 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

svchost.exe (PID: 3396 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6376 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6468 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)

WindowsUpdate.exe (PID: 6656 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 83827B8CFFE67A789B03E342ED3B1572)

dw20.exe (PID: 7084 cmdline: dw20.exe -x -s 1096 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

svchost.exe (PID: 1752 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5168 cmdline: 'C:\Users\gghfgh\AppData\Roaming\Microsoft\Local\svchost.exe' MD5: A273A781070D239BA99D3FD8EF341E6C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Windows Update.exe	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b7df:$string1: holderwb.txt 0x7b7fb:$string1: holderwb.txt 0x7b961:$string3: There is a file attached to this email 0x7bf35:$string4: screens\screenshot 0x7a364:$string5: Disablelogger 0x7a30e:$string6: \pidloc.txt 0x79e1c:$string7: clearie 0x79e34:$string8: clearff 0x7a5c5:$string9: emails should be sent to you shortly 0x7aad9:$string11: open=Sys.exe 0x7a326:$ver1: PredatorLogger 0x7a9a8:$ver3: Predator Pain 0x7b79b:$ver3: Predator Pain 0x7b910:$ver3: Predator Pain 0x7bb27:$ver3: Predator Pain
C:\Users\user\AppData\Roaming\Windows Update.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b7df:$string1: holderwb.txt 0x7b7fb:$string1: holderwb.txt 0x7b961:$string3: There is a file attached to this email 0x7bf35:$string4: screens\screenshot 0x7a364:$string5: Disablelogger 0x7a30e:$string6: \pidloc.txt 0x79e1c:$string7: clearie 0x79e34:$string8: clearff 0x7a5c5:$string9: emails should be sent to you shortly 0x7aad9:$string11: open=Sys.exe 0x7a326:$ver1: PredatorLogger 0x7a9a8:$ver3: Predator Pain 0x7b79b:$ver3: Predator Pain 0x7b910:$ver3: Predator Pain 0x7bb27:$ver3: Predator Pain
C:\Users\user\AppData\Local\Temp\iExplorer.exe	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b7df:$string1: holderwb.txt 0x7b7fb:$string1: holderwb.txt 0x7b961:$string3: There is a file attached to this email 0x7bf35:$string4: screens\screenshot 0x7a364:$string5: Disablelogger 0x7a30e:$string6: \pidloc.txt 0x79e1c:$string7: clearie 0x79e34:$string8: clearff 0x7a5c5:$string9: emails should be sent to you shortly 0x7aad9:$string11: open=Sys.exe 0x7a326:$ver1: PredatorLogger 0x7a9a8:$ver3: Predator Pain 0x7b79b:$ver3: Predator Pain 0x7b910:$ver3: Predator Pain 0x7bb27:$ver3: Predator Pain
C:\Users\user\AppData\Local\Temp\iExplorer.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\iExplorer.exe	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
C:\Users\user\AppData\Local\Temp\iExplorer.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Local\Temp\iExplorer.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Local\Temp\iExplorer.exe	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b7df:$string1: holderwb.txt 0x7b7fb:$string1: holderwb.txt 0x7b961:$string3: There is a file attached to this email 0x7bf35:$string4: screens\screenshot 0x7a364:$string5: Disablelogger 0x7a30e:$string6: \pidloc.txt 0x79e1c:$string7: clearie 0x79e34:$string8: clearff 0x7a5c5:$string9: emails should be sent to you shortly 0x7aad9:$string11: open=Sys.exe 0x7a326:$ver1: PredatorLogger 0x7a9a8:$ver3: Predator Pain 0x7b79b:$ver3: Predator Pain 0x7b910:$ver3: Predator Pain 0x7bb27:$ver3: Predator Pain
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b88e:$key: HawkEyeKeylogger 0x7dae0:$salt: 099u787978786 0x7bedd:$string1: HawkEye_Keylogger 0x7cd30:$string1: HawkEye_Keylogger 0x7da40:$string1: HawkEye_Keylogger 0x7c2c6:$string2: holdermail.txt 0x7c2e6:$string2: holdermail.txt 0x7c208:$string3: wallet.dat 0x7c220:$string3: wallet.dat 0x7c236:$string3: wallet.dat 0x7d622:$string4: Keylog Records 0x7d93a:$string4: Keylog Records 0x7db38:$string5: do not script --> 0x7b876:$string6: \pidloc.txt 0x7b904:$string7: BSPLIT 0x7b914:$string7: BSPLIT
C:\Users\user\AppData\Local\Temp\taskhost.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b88e:$key: HawkEyeKeylogger 0x7dae0:$salt: 099u787978786 0x7bedd:$string1: HawkEye_Keylogger 0x7cd30:$string1: HawkEye_Keylogger 0x7da40:$string1: HawkEye_Keylogger 0x7c2c6:$string2: holdermail.txt 0x7c2e6:$string2: holdermail.txt 0x7c208:$string3: wallet.dat 0x7c220:$string3: wallet.dat 0x7c236:$string3: wallet.dat 0x7d622:$string4: Keylog Records 0x7d93a:$string4: Keylog Records 0x7db38:$string5: do not script --> 0x7b876:$string6: \pidloc.txt 0x7b904:$string7: BSPLIT 0x7b914:$string7: BSPLIT
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\taskhost.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Local\Temp\taskhost.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Local\Temp\taskhost.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Local\Temp\taskhost.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf35:$hawkstr1: HawkEye Keylogger 0x7cd76:$hawkstr1: HawkEye Keylogger 0x7d0a5:$hawkstr1: HawkEye Keylogger 0x7d200:$hawkstr1: HawkEye Keylogger 0x7d363:$hawkstr1: HawkEye Keylogger 0x7d5fa:$hawkstr1: HawkEye Keylogger 0x7bac3:$hawkstr2: Dear HawkEye Customers! 0x7d0f8:$hawkstr2: Dear HawkEye Customers! 0x7d24f:$hawkstr2: Dear HawkEye Customers! 0x7d3b6:$hawkstr2: Dear HawkEye Customers! 0x7bbe4:$hawkstr3: HawkEye Logger Details:
C:\Users\user\AppData\Local\Temp\taskhost.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf35:$hawkstr1: HawkEye Keylogger 0x7cd76:$hawkstr1: HawkEye Keylogger 0x7d0a5:$hawkstr1: HawkEye Keylogger 0x7d200:$hawkstr1: HawkEye Keylogger 0x7d363:$hawkstr1: HawkEye Keylogger 0x7d5fa:$hawkstr1: HawkEye Keylogger 0x7bac3:$hawkstr2: Dear HawkEye Customers! 0x7d0f8:$hawkstr2: Dear HawkEye Customers! 0x7d24f:$hawkstr2: Dear HawkEye Customers! 0x7d3b6:$hawkstr2: Dear HawkEye Customers! 0x7bbe4:$hawkstr3: HawkEye Logger Details:
Click to see the 19 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b68e:$key: HawkEyeKeylogger 0x7d8e0:$salt: 099u787978786 0x7bcdd:$string1: HawkEye_Keylogger 0x7cb30:$string1: HawkEye_Keylogger 0x7d840:$string1: HawkEye_Keylogger 0x7c0c6:$string2: holdermail.txt 0x7c0e6:$string2: holdermail.txt 0x7c008:$string3: wallet.dat 0x7c020:$string3: wallet.dat 0x7c036:$string3: wallet.dat 0x7d422:$string4: Keylog Records 0x7d73a:$string4: Keylog Records 0x7d938:$string5: do not script --> 0x7b676:$string6: \pidloc.txt 0x7b704:$string7: BSPLIT 0x7b714:$string7: BSPLIT
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000000.227084659.00000000009C2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd35:$hawkstr1: HawkEye Keylogger 0x7cb76:$hawkstr1: HawkEye Keylogger 0x7cea5:$hawkstr1: HawkEye Keylogger 0x7d000:$hawkstr1: HawkEye Keylogger 0x7d163:$hawkstr1: HawkEye Keylogger 0x7d3fa:$hawkstr1: HawkEye Keylogger 0x7b8c3:$hawkstr2: Dear HawkEye Customers! 0x7cef8:$hawkstr2: Dear HawkEye Customers! 0x7d04f:$hawkstr2: Dear HawkEye Customers! 0x7d1b6:$hawkstr2: Dear HawkEye Customers! 0x7b9e4:$hawkstr3: HawkEye Logger Details:
00000008.00000000.283523438.0000000003B61000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000015.00000002.286698882.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000008.00000002.313456976.0000000003D6C000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000008.00000000.276336479.00000000003D2000.00000002.00020000.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x3b81e:$key: HawkEyeKeylogger 0x3da70:$salt: 099u787978786 0x3be6d:$string1: HawkEye_Keylogger 0x3ccc0:$string1: HawkEye_Keylogger 0x3d9d0:$string1: HawkEye_Keylogger 0x3c256:$string2: holdermail.txt 0x3c276:$string2: holdermail.txt 0x3c198:$string3: wallet.dat 0x3c1b0:$string3: wallet.dat 0x3c1c6:$string3: wallet.dat 0x3d5b2:$string4: Keylog Records 0x3d8ca:$string4: Keylog Records 0x3dac8:$string5: do not script --> 0x3b806:$string6: \pidloc.txt 0x3b894:$string7: BSPLIT 0x3b8a4:$string7: BSPLIT
00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000003.247040604.0000000007404000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x3bec5:$hawkstr1: HawkEye Keylogger 0x3cd06:$hawkstr1: HawkEye Keylogger 0x3d035:$hawkstr1: HawkEye Keylogger 0x3d190:$hawkstr1: HawkEye Keylogger 0x3d2f3:$hawkstr1: HawkEye Keylogger 0x3d58a:$hawkstr1: HawkEye Keylogger 0x3ba53:$hawkstr2: Dear HawkEye Customers! 0x3d088:$hawkstr2: Dear HawkEye Customers! 0x3d1df:$hawkstr2: Dear HawkEye Customers! 0x3d346:$hawkstr2: Dear HawkEye Customers! 0x3bb74:$hawkstr3: HawkEye Logger Details:
00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000008.00000000.247374939.00000000003D2000.00000002.00020000.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000008.00000002.310765345.00000000003D2000.00000002.00020000.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000008.00000000.293259909.0000000003B61000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b68e:$key: HawkEyeKeylogger 0x7d8e0:$salt: 099u787978786 0x7bcdd:$string1: HawkEye_Keylogger 0x7cb30:$string1: HawkEye_Keylogger 0x7d840:$string1: HawkEye_Keylogger 0x7c0c6:$string2: holdermail.txt 0x7c0e6:$string2: holdermail.txt 0x7c008:$string3: wallet.dat 0x7c020:$string3: wallet.dat 0x7c036:$string3: wallet.dat 0x7d422:$string4: Keylog Records 0x7d73a:$string4: Keylog Records 0x7d938:$string5: do not script --> 0x7b676:$string6: \pidloc.txt 0x7b704:$string7: BSPLIT 0x7b714:$string7: BSPLIT
00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000022.00000002.340891533.00000000007E2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd35:$hawkstr1: HawkEye Keylogger 0x7cb76:$hawkstr1: HawkEye Keylogger 0x7cea5:$hawkstr1: HawkEye Keylogger 0x7d000:$hawkstr1: HawkEye Keylogger 0x7d163:$hawkstr1: HawkEye Keylogger 0x7d3fa:$hawkstr1: HawkEye Keylogger 0x7b8c3:$hawkstr2: Dear HawkEye Customers! 0x7cef8:$hawkstr2: Dear HawkEye Customers! 0x7d04f:$hawkstr2: Dear HawkEye Customers! 0x7d1b6:$hawkstr2: Dear HawkEye Customers! 0x7b9e4:$hawkstr3: HawkEye Logger Details:
0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b68e:$key: HawkEyeKeylogger 0x7d8e0:$salt: 099u787978786 0x7bcdd:$string1: HawkEye_Keylogger 0x7cb30:$string1: HawkEye_Keylogger 0x7d840:$string1: HawkEye_Keylogger 0x7c0c6:$string2: holdermail.txt 0x7c0e6:$string2: holdermail.txt 0x7c008:$string3: wallet.dat 0x7c020:$string3: wallet.dat 0x7c036:$string3: wallet.dat 0x7d422:$string4: Keylog Records 0x7d73a:$string4: Keylog Records 0x7d938:$string5: do not script --> 0x7b676:$string6: \pidloc.txt 0x7b704:$string7: BSPLIT 0x7b714:$string7: BSPLIT
0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001A.00000000.286586806.0000000000472000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd35:$hawkstr1: HawkEye Keylogger 0x7cb76:$hawkstr1: HawkEye Keylogger 0x7cea5:$hawkstr1: HawkEye Keylogger 0x7d000:$hawkstr1: HawkEye Keylogger 0x7d163:$hawkstr1: HawkEye Keylogger 0x7d3fa:$hawkstr1: HawkEye Keylogger 0x7b8c3:$hawkstr2: Dear HawkEye Customers! 0x7cef8:$hawkstr2: Dear HawkEye Customers! 0x7d04f:$hawkstr2: Dear HawkEye Customers! 0x7d1b6:$hawkstr2: Dear HawkEye Customers! 0x7b9e4:$hawkstr3: HawkEye Logger Details:
00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x4d108:$string1: holderwb.txt 0x4d134:$string1: holderwb.txt 0x423e0:$string3: There is a file attached to this email 0x45060:$string4: screens\screenshot 0x2e02c:$string5: Disablelogger 0x2dfa4:$string6: \pidloc.txt 0x25c6c:$string7: clearie 0x25c94:$string8: clearff 0x3f942:$string9: emails should be sent to you shortly 0x406d2:$string9: emails should be sent to you shortly 0x2dfcc:$ver1: PredatorLogger 0x3fe38:$ver3: Predator Pain 0x42380:$ver3: Predator Pain 0x4367c:$ver3: Predator Pain 0x44c00:$ver3: Predator Pain 0x4d0b4:$ver3: Predator Pain
00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
00000008.00000000.290325606.0000000002B61000.00000004.00000001.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x4d108:$string1: holderwb.txt 0x4d134:$string1: holderwb.txt 0x423e0:$string3: There is a file attached to this email 0x45060:$string4: screens\screenshot 0x2e02c:$string5: Disablelogger 0x2dfa4:$string6: \pidloc.txt 0x25c6c:$string7: clearie 0x25c94:$string8: clearff 0x3f942:$string9: emails should be sent to you shortly 0x406d2:$string9: emails should be sent to you shortly 0x2dfcc:$ver1: PredatorLogger 0x3fe38:$ver3: Predator Pain 0x42380:$ver3: Predator Pain 0x4367c:$ver3: Predator Pain 0x44c00:$ver3: Predator Pain 0x4d0b4:$ver3: Predator Pain
00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000000.228658758.00000000006D2000.00000002.00020000.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b68e:$key: HawkEyeKeylogger 0x7d8e0:$salt: 099u787978786 0x7bcdd:$string1: HawkEye_Keylogger 0x7cb30:$string1: HawkEye_Keylogger 0x7d840:$string1: HawkEye_Keylogger 0x7c0c6:$string2: holdermail.txt 0x7c0e6:$string2: holdermail.txt 0x7c008:$string3: wallet.dat 0x7c020:$string3: wallet.dat 0x7c036:$string3: wallet.dat 0x7d422:$string4: Keylog Records 0x7d73a:$string4: Keylog Records 0x7d938:$string5: do not script --> 0x7b676:$string6: \pidloc.txt 0x7b704:$string7: BSPLIT 0x7b714:$string7: BSPLIT
00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000022.00000000.321958872.00000000007E2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd35:$hawkstr1: HawkEye Keylogger 0x7cb76:$hawkstr1: HawkEye Keylogger 0x7cea5:$hawkstr1: HawkEye Keylogger 0x7d000:$hawkstr1: HawkEye Keylogger 0x7d163:$hawkstr1: HawkEye Keylogger 0x7d3fa:$hawkstr1: HawkEye Keylogger 0x7b8c3:$hawkstr2: Dear HawkEye Customers! 0x7cef8:$hawkstr2: Dear HawkEye Customers! 0x7d04f:$hawkstr2: Dear HawkEye Customers! 0x7d1b6:$hawkstr2: Dear HawkEye Customers! 0x7b9e4:$hawkstr3: HawkEye Logger Details:
00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000002.248071796.00000000006D2000.00000002.00020000.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b5df:$string1: holderwb.txt 0x7b5fb:$string1: holderwb.txt 0x7b761:$string3: There is a file attached to this email 0x7bd35:$string4: screens\screenshot 0x7a164:$string5: Disablelogger 0x7a10e:$string6: \pidloc.txt 0x79c1c:$string7: clearie 0x79c34:$string8: clearff 0x7a3c5:$string9: emails should be sent to you shortly 0x7a8d9:$string11: open=Sys.exe 0x7a126:$ver1: PredatorLogger 0x7a7a8:$ver3: Predator Pain 0x7b59b:$ver3: Predator Pain 0x7b710:$ver3: Predator Pain 0x7b927:$ver3: Predator Pain
00000014.00000002.274318737.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b68e:$key: HawkEyeKeylogger 0x7d8e0:$salt: 099u787978786 0x7bcdd:$string1: HawkEye_Keylogger 0x7cb30:$string1: HawkEye_Keylogger 0x7d840:$string1: HawkEye_Keylogger 0x7c0c6:$string2: holdermail.txt 0x7c0e6:$string2: holdermail.txt 0x7c008:$string3: wallet.dat 0x7c020:$string3: wallet.dat 0x7c036:$string3: wallet.dat 0x7d422:$string4: Keylog Records 0x7d73a:$string4: Keylog Records 0x7d938:$string5: do not script --> 0x7b676:$string6: \pidloc.txt 0x7b704:$string7: BSPLIT 0x7b714:$string7: BSPLIT
00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000002.320662138.00000000009C2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd35:$hawkstr1: HawkEye Keylogger 0x7cb76:$hawkstr1: HawkEye Keylogger 0x7cea5:$hawkstr1: HawkEye Keylogger 0x7d000:$hawkstr1: HawkEye Keylogger 0x7d163:$hawkstr1: HawkEye Keylogger 0x7d3fa:$hawkstr1: HawkEye Keylogger 0x7b8c3:$hawkstr2: Dear HawkEye Customers! 0x7cef8:$hawkstr2: Dear HawkEye Customers! 0x7d04f:$hawkstr2: Dear HawkEye Customers! 0x7d1b6:$hawkstr2: Dear HawkEye Customers! 0x7b9e4:$hawkstr3: HawkEye Logger Details:
00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x3aabf:$string1: holderwb.txt 0x3aadb:$string1: holderwb.txt 0x3ac41:$string3: There is a file attached to this email 0x3b215:$string4: screens\screenshot 0x39644:$string5: Disablelogger 0x395ee:$string6: \pidloc.txt 0x390fc:$string7: clearie 0x39114:$string8: clearff 0x398a5:$string9: emails should be sent to you shortly 0x39db9:$string11: open=Sys.exe 0x39606:$ver1: PredatorLogger 0x39c88:$ver3: Predator Pain 0x3aa7b:$ver3: Predator Pain 0x3abf0:$ver3: Predator Pain 0x3ae07:$ver3: Predator Pain
00000007.00000003.242361286.0000000000EC4000.00000004.00000001.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
Process Memory Space: taskhost.exe PID: 4548	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: taskhost.exe PID: 4548	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: iExplorer.exe PID: 1352	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Windows Update.exe PID: 5204	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: vbc.exe PID: 6912	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Click to see the 65 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.0.Windows Update.exe.3d0000.10.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b7df:$string1: holderwb.txt 0x7b7fb:$string1: holderwb.txt 0x7b961:$string3: There is a file attached to this email 0x7bf35:$string4: screens\screenshot 0x7a364:$string5: Disablelogger 0x7a30e:$string6: \pidloc.txt 0x79e1c:$string7: clearie 0x79e34:$string8: clearff 0x7a5c5:$string9: emails should be sent to you shortly 0x7aad9:$string11: open=Sys.exe 0x7a326:$ver1: PredatorLogger 0x7a9a8:$ver3: Predator Pain 0x7b79b:$ver3: Predator Pain 0x7b910:$ver3: Predator Pain 0x7bb27:$ver3: Predator Pain
8.0.Windows Update.exe.3d0000.10.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
8.0.Windows Update.exe.3d0000.10.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
8.0.Windows Update.exe.3d0000.10.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.0.Windows Update.exe.3d0000.10.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
8.0.Windows Update.exe.3d0000.10.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b7df:$string1: holderwb.txt 0x7b7fb:$string1: holderwb.txt 0x7b961:$string3: There is a file attached to this email 0x7bf35:$string4: screens\screenshot 0x7a364:$string5: Disablelogger 0x7a30e:$string6: \pidloc.txt 0x79e1c:$string7: clearie 0x79e34:$string8: clearff 0x7a5c5:$string9: emails should be sent to you shortly 0x7aad9:$string11: open=Sys.exe 0x7a326:$ver1: PredatorLogger 0x7a9a8:$ver3: Predator Pain 0x7b79b:$ver3: Predator Pain 0x7b910:$ver3: Predator Pain 0x7bb27:$ver3: Predator Pain
5.0.taskhost.exe.a1fa72.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.taskhost.exe.30d936c.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x5210:$key: HawkEyeKeylogger 0x592c:$salt: 099u787978786 0x1c59c:$string1: HawkEye_Keylogger 0x3aab4:$string1: HawkEye_Keylogger 0x37b68:$string2: holdermail.txt 0x37b98:$string2: holdermail.txt 0x37f8c:$string2: holdermail.txt 0x1e632:$string3: wallet.dat 0x1e65a:$string3: wallet.dat 0x1e680:$string3: wallet.dat 0x20750:$string4: Keylog Records 0x20a86:$string4: Keylog Records 0xa0b8:$string5: do not script --> 0x51e8:$string6: \pidloc.txt 0x52f0:$string7: BSPLIT 0x5310:$string7: BSPLIT
5.2.taskhost.exe.30d936c.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x3bdcb:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.taskhost.exe.30d936c.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
5.2.taskhost.exe.30d936c.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1c62c:$hawkstr1: HawkEye Keylogger 0x1f118:$hawkstr1: HawkEye Keylogger 0x1f504:$hawkstr1: HawkEye Keylogger 0x20728:$hawkstr1: HawkEye Keylogger 0x3ab0c:$hawkstr1: HawkEye Keylogger 0x1c0a4:$hawkstr2: Dear HawkEye Customers! 0x1f17c:$hawkstr2: Dear HawkEye Customers! 0x1f568:$hawkstr2: Dear HawkEye Customers! 0x1c1d6:$hawkstr3: HawkEye Logger Details:
8.0.Windows Update.exe.3b67e00.15.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.taskhost.exe.311411c.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.iExplorer.exe.72e7ae.3.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x1ee31:$string1: holderwb.txt 0x1ee4d:$string1: holderwb.txt 0x1efb3:$string3: There is a file attached to this email 0x1f587:$string4: screens\screenshot 0x1d9b6:$string5: Disablelogger 0x1d960:$string6: \pidloc.txt 0x1d46e:$string7: clearie 0x1d486:$string8: clearff 0x1dc17:$string9: emails should be sent to you shortly 0x1e12b:$string11: open=Sys.exe 0x1d978:$ver1: PredatorLogger 0x1dffa:$ver3: Predator Pain 0x1eded:$ver3: Predator Pain 0x1ef62:$ver3: Predator Pain 0x1f179:$ver3: Predator Pain
7.0.iExplorer.exe.72e7ae.3.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
7.0.iExplorer.exe.72e7ae.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.iExplorer.exe.72e7ae.3.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ee31:$string1: holderwb.txt 0x1ee4d:$string1: holderwb.txt 0x1efb3:$string3: There is a file attached to this email 0x1f587:$string4: screens\screenshot 0x1d9b6:$string5: Disablelogger 0x1d960:$string6: \pidloc.txt 0x1d46e:$string7: clearie 0x1d486:$string8: clearff 0x1dc17:$string9: emails should be sent to you shortly 0x1e12b:$string11: open=Sys.exe 0x1d978:$ver1: PredatorLogger 0x1dffa:$ver3: Predator Pain 0x1eded:$ver3: Predator Pain 0x1ef62:$ver3: Predator Pain 0x1f179:$ver3: Predator Pain
8.0.Windows Update.exe.42e7ae.13.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.iExplorer.exe.6d0000.0.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b7df:$string1: holderwb.txt 0x7b7fb:$string1: holderwb.txt 0x7b961:$string3: There is a file attached to this email 0x7bf35:$string4: screens\screenshot 0x7a364:$string5: Disablelogger 0x7a30e:$string6: \pidloc.txt 0x79e1c:$string7: clearie 0x79e34:$string8: clearff 0x7a5c5:$string9: emails should be sent to you shortly 0x7aad9:$string11: open=Sys.exe 0x7a326:$ver1: PredatorLogger 0x7a9a8:$ver3: Predator Pain 0x7b79b:$ver3: Predator Pain 0x7b910:$ver3: Predator Pain 0x7bb27:$ver3: Predator Pain
7.0.iExplorer.exe.6d0000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x615f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.iExplorer.exe.6d0000.0.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
7.0.iExplorer.exe.6d0000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.iExplorer.exe.6d0000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.iExplorer.exe.6d0000.0.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b7df:$string1: holderwb.txt 0x7b7fb:$string1: holderwb.txt 0x7b961:$string3: There is a file attached to this email 0x7bf35:$string4: screens\screenshot 0x7a364:$string5: Disablelogger 0x7a30e:$string6: \pidloc.txt 0x79e1c:$string7: clearie 0x79e34:$string8: clearff 0x7a5c5:$string9: emails should be sent to you shortly 0x7aad9:$string11: open=Sys.exe 0x7a326:$ver1: PredatorLogger 0x7a9a8:$ver3: Predator Pain 0x7b79b:$ver3: Predator Pain 0x7b910:$ver3: Predator Pain 0x7bb27:$ver3: Predator Pain
7.0.iExplorer.exe.6d8949.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
8.0.Windows Update.exe.42e7ae.5.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.taskhost.exe.40d0240.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
8.2.Windows Update.exe.3b67e00.5.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.taskhost.exe.a1fa72.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc1c:$key: HawkEyeKeylogger 0x1fe6e:$salt: 099u787978786 0x1e26b:$string1: HawkEye_Keylogger 0x1f0be:$string1: HawkEye_Keylogger 0x1fdce:$string1: HawkEye_Keylogger 0x1e654:$string2: holdermail.txt 0x1e674:$string2: holdermail.txt 0x1e596:$string3: wallet.dat 0x1e5ae:$string3: wallet.dat 0x1e5c4:$string3: wallet.dat 0x1f9b0:$string4: Keylog Records 0x1fcc8:$string4: Keylog Records 0x1fec6:$string5: do not script --> 0x1dc04:$string6: \pidloc.txt 0x1dc92:$string7: BSPLIT 0x1dca2:$string7: BSPLIT
5.2.taskhost.exe.a1fa72.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.taskhost.exe.a1fa72.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
5.2.taskhost.exe.a1fa72.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2c3:$hawkstr1: HawkEye Keylogger 0x1f104:$hawkstr1: HawkEye Keylogger 0x1f433:$hawkstr1: HawkEye Keylogger 0x1f58e:$hawkstr1: HawkEye Keylogger 0x1f6f1:$hawkstr1: HawkEye Keylogger 0x1f988:$hawkstr1: HawkEye Keylogger 0x1de51:$hawkstr2: Dear HawkEye Customers! 0x1f486:$hawkstr2: Dear HawkEye Customers! 0x1f5dd:$hawkstr2: Dear HawkEye Customers! 0x1f744:$hawkstr2: Dear HawkEye Customers! 0x1df72:$hawkstr3: HawkEye Logger Details:
8.0.Windows Update.exe.3b67e00.9.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.2.Windows Update.exe.42e7ae.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.iExplorer.exe.72e7ae.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.iExplorer.exe.6d8949.2.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x74c96:$string1: holderwb.txt 0x74cb2:$string1: holderwb.txt 0x74e18:$string3: There is a file attached to this email 0x753ec:$string4: screens\screenshot 0x7381b:$string5: Disablelogger 0x737c5:$string6: \pidloc.txt 0x732d3:$string7: clearie 0x732eb:$string8: clearff 0x73a7c:$string9: emails should be sent to you shortly 0x73f90:$string11: open=Sys.exe 0x737dd:$ver1: PredatorLogger 0x73e5f:$ver3: Predator Pain 0x74c52:$ver3: Predator Pain 0x74dc7:$ver3: Predator Pain 0x74fde:$ver3: Predator Pain
7.0.iExplorer.exe.6d8949.2.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
7.0.iExplorer.exe.6d8949.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.iExplorer.exe.6d8949.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.iExplorer.exe.6d8949.2.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x74c96:$string1: holderwb.txt 0x74cb2:$string1: holderwb.txt 0x74e18:$string3: There is a file attached to this email 0x753ec:$string4: screens\screenshot 0x7381b:$string5: Disablelogger 0x737c5:$string6: \pidloc.txt 0x732d3:$string7: clearie 0x732eb:$string8: clearff 0x73a7c:$string9: emails should be sent to you shortly 0x73f90:$string11: open=Sys.exe 0x737dd:$ver1: PredatorLogger 0x73e5f:$ver3: Predator Pain 0x74c52:$ver3: Predator Pain 0x74dc7:$ver3: Predator Pain 0x74fde:$ver3: Predator Pain
7.2.iExplorer.exe.72e7ae.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.0.Windows Update.exe.42e7ae.5.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x1ee31:$string1: holderwb.txt 0x1ee4d:$string1: holderwb.txt 0x1efb3:$string3: There is a file attached to this email 0x1f587:$string4: screens\screenshot 0x1d9b6:$string5: Disablelogger 0x1d960:$string6: \pidloc.txt 0x1d46e:$string7: clearie 0x1d486:$string8: clearff 0x1dc17:$string9: emails should be sent to you shortly 0x1e12b:$string11: open=Sys.exe 0x1d978:$ver1: PredatorLogger 0x1dffa:$ver3: Predator Pain 0x1eded:$ver3: Predator Pain 0x1ef62:$ver3: Predator Pain 0x1f179:$ver3: Predator Pain
8.0.Windows Update.exe.42e7ae.5.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
8.0.Windows Update.exe.42e7ae.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.0.Windows Update.exe.42e7ae.5.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ee31:$string1: holderwb.txt 0x1ee4d:$string1: holderwb.txt 0x1efb3:$string3: There is a file attached to this email 0x1f587:$string4: screens\screenshot 0x1d9b6:$string5: Disablelogger 0x1d960:$string6: \pidloc.txt 0x1d46e:$string7: clearie 0x1d486:$string8: clearff 0x1dc17:$string9: emails should be sent to you shortly 0x1e12b:$string11: open=Sys.exe 0x1d978:$ver1: PredatorLogger 0x1dffa:$ver3: Predator Pain 0x1eded:$ver3: Predator Pain 0x1ef62:$ver3: Predator Pain 0x1f179:$ver3: Predator Pain
7.0.iExplorer.exe.6d6f44.1.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7669b:$string1: holderwb.txt 0x766b7:$string1: holderwb.txt 0x7681d:$string3: There is a file attached to this email 0x76df1:$string4: screens\screenshot 0x75220:$string5: Disablelogger 0x751ca:$string6: \pidloc.txt 0x74cd8:$string7: clearie 0x74cf0:$string8: clearff 0x75481:$string9: emails should be sent to you shortly 0x75995:$string11: open=Sys.exe 0x751e2:$ver1: PredatorLogger 0x75864:$ver3: Predator Pain 0x76657:$ver3: Predator Pain 0x767cc:$ver3: Predator Pain 0x769e3:$ver3: Predator Pain
7.0.iExplorer.exe.6d6f44.1.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.0.iExplorer.exe.6d6f44.1.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
7.0.iExplorer.exe.6d6f44.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.0.iExplorer.exe.6d6f44.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.0.iExplorer.exe.6d6f44.1.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7669b:$string1: holderwb.txt 0x766b7:$string1: holderwb.txt 0x7681d:$string3: There is a file attached to this email 0x76df1:$string4: screens\screenshot 0x75220:$string5: Disablelogger 0x751ca:$string6: \pidloc.txt 0x74cd8:$str

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report aaVb1xEmrd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs