19.3.start.exe.3d75810.2.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x696fa:$a1: logins.json
- 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x69e7e:$s4: \mozsqlite3.dll
- 0x686ee:$s5: SMTP Password
|
19.3.start.exe.3d75810.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.3.start.exe.3d75810.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.start.exe.4bc23e0.4.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
13.2.start.exe.4bc23e0.4.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
13.2.start.exe.4bc23e0.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.start.exe.4bc23e0.4.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
11.2.start.exe.730000.1.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
|
11.2.start.exe.730000.1.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
|
11.2.start.exe.730000.1.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
11.2.start.exe.730000.1.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
- 0x81080:$str11: _AntiDebugger
- 0x8110a:$str12: _WebsiteVisitorSites
- 0x8102f:$str13: _DisableRegEdit
- 0x8108e:$str14: _ExecutionDelay
- 0x80fb3:$str15: _InstallStartupPersistance
|
17.2.start.exe.4aff1c9.3.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111efa:$s1: HawkEye Keylogger
- 0x111f63:$s1: HawkEye Keylogger
- 0x19c2ea:$s1: HawkEye Keylogger
- 0x19c353:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b33d:$s2: _ScreenshotLogger
- 0x19572d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b30a:$s3: _PasswordStealer
- 0x1956fa:$s3: _PasswordStealer
|
17.2.start.exe.4aff1c9.3.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1118cd:$name: ConfuserEx
- 0x19bcbd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1105da:$compile: AssemblyTitle
- 0x19a9ca:$compile: AssemblyTitle
|
17.2.start.exe.4aff1c9.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.start.exe.4aff1c9.3.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b30a:$str1: _PasswordStealer
- 0x1956fa:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b31b:$str2: _KeyStrokeLogger
- 0x19570b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b33d:$str3: _ScreenshotLogger
- 0x19572d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b32c:$str4: _ClipboardLogger
- 0x19571c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b34f:$str5: _WebCamLogger
- 0x19573f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b464:$str6: _AntiVirusKiller
- 0x195854:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b452:$str7: _ProcessElevation
- 0x195842:$str7: _ProcessElevation
|
23.3.start.exe.3f7db5a.2.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x11bb0:$a1: logins.json
- 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x12334:$s4: \mozsqlite3.dll
- 0x115a4:$s5: SMTP Password
|
23.3.start.exe.3f7db5a.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
9.2.start.exe.50a23e0.4.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
9.2.start.exe.50a23e0.4.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
9.2.start.exe.50a23e0.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
9.2.start.exe.50a23e0.4.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
11.3.start.exe.3fa5810.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b4fa:$a1: logins.json
- 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6bc7e:$s4: \mozsqlite3.dll
- 0x6a4ee:$s5: SMTP Password
|
11.3.start.exe.3fa5810.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
11.3.start.exe.3fa5810.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111d61:$s1: HawkEye Keylogger
- 0x111dca:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b1a4:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b171:$s3: _PasswordStealer
|
1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x111734:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x110441:$compile: AssemblyTitle
|
1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b171:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b182:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b1a4:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b193:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b1b6:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b2cb:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b2b9:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x10b280:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x10b386:$str9: _WebsiteBlocker
- 0x10b396:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
|
9.2.start.exe.4e795c9.1.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
9.2.start.exe.4e795c9.1.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
9.2.start.exe.4e795c9.1.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
9.2.start.exe.4e795c9.1.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
19.3.start.exe.3dcdb5a.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x11bb0:$a1: logins.json
- 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x12334:$s4: \mozsqlite3.dll
- 0x115a4:$s5: SMTP Password
|
19.3.start.exe.3dcdb5a.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
9.2.start.exe.5018179.5.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
9.2.start.exe.5018179.5.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
9.2.start.exe.5018179.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
9.2.start.exe.5018179.5.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
23.2.start.exe.36b5950.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
11.2.start.exe.37d1990.3.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
11.2.start.exe.37d1990.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
9.2.start.exe.4e795c9.1.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111eea:$s1: HawkEye Keylogger
- 0x111f53:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b32d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b2fa:$s3: _PasswordStealer
|
9.2.start.exe.4e795c9.1.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1118bd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1105ca:$compile: AssemblyTitle
|
9.2.start.exe.4e795c9.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
9.2.start.exe.4e795c9.1.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b2fa:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b30b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b32d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b31c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b33f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b454:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b442:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x10b409:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x10b50f:$str9: _WebsiteBlocker
- 0x10b51f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
|
1.2.RpDMpvgd55.exe.4dc8179.5.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
1.2.RpDMpvgd55.exe.4dc8179.5.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
1.2.RpDMpvgd55.exe.4dc8179.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
1.2.RpDMpvgd55.exe.4dc8179.5.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
33.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x147b0:$a1: logins.json
- 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x14f34:$s4: \mozsqlite3.dll
- 0x137a4:$s5: SMTP Password
|
33.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
11.2.start.exe.3735950.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.2.start.exe.3505950.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111eea:$s1: HawkEye Keylogger
- 0x111f53:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b32d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b2fa:$s3: _PasswordStealer
|
1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1118bd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1105ca:$compile: AssemblyTitle
|
1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b2fa:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b30b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b32d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b31c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b33f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b454:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b442:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x10b409:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x10b50f:$str9: _WebsiteBlocker
- 0x10b51f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
|
13.2.start.exe.490f1c9.1.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
13.2.start.exe.490f1c9.1.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
13.2.start.exe.490f1c9.1.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.start.exe.490f1c9.1.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
11.3.start.exe.3ffdb5a.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
11.3.start.exe.3ffdb5a.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
17.2.start.exe.4db23e0.5.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111b1a:$s1: HawkEye Keylogger
- 0x111b83:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10af5d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10af2a:$s3: _PasswordStealer
|
17.2.start.exe.4db23e0.5.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1114ed:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1101fa:$compile: AssemblyTitle
|
17.2.start.exe.4db23e0.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.start.exe.4db23e0.5.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10af2a:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10af3b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10af5d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10af4c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10af6f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b084:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b072:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x10b039:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x10b13f:$str9: _WebsiteBlocker
- 0x10b14f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
|
23.2.start.exe.520000.1.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
|
23.2.start.exe.520000.1.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
|
23.2.start.exe.520000.1.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
23.2.start.exe.520000.1.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
- 0x81080:$str11: _AntiDebugger
- 0x8110a:$str12: _WebsiteVisitorSites
- 0x8102f:$str13: _DisableRegEdit
- 0x8108e:$str14: _ExecutionDelay
- 0x80fb3:$str15: _InstallStartupPersistance
|
17.2.start.exe.4d28179.4.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111d61:$s1: HawkEye Keylogger
- 0x111dca:$s1: HawkEye Keylogger
- 0x19bd81:$s1: HawkEye Keylogger
- 0x19bdea:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b1a4:$s2: _ScreenshotLogger
- 0x1951c4:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b171:$s3: _PasswordStealer
- 0x195191:$s3: _PasswordStealer
|
17.2.start.exe.4d28179.4.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x111734:$name: ConfuserEx
- 0x19b754:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x110441:$compile: AssemblyTitle
- 0x19a461:$compile: AssemblyTitle
|
17.2.start.exe.4d28179.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.start.exe.4d28179.4.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b171:$str1: _PasswordStealer
- 0x195191:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b182:$str2: _KeyStrokeLogger
- 0x1951a2:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b1a4:$str3: _ScreenshotLogger
- 0x1951c4:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b193:$str4: _ClipboardLogger
- 0x1951b3:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b1b6:$str5: _WebCamLogger
- 0x1951d6:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b2cb:$str6: _AntiVirusKiller
- 0x1952eb:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b2b9:$str7: _ProcessElevation
- 0x1952d9:$str7: _ProcessElevation
|
11.3.start.exe.3fa5810.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x696fa:$a1: logins.json
- 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x69e7e:$s4: \mozsqlite3.dll
- 0x686ee:$s5: SMTP Password
|
11.3.start.exe.3fa5810.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
11.3.start.exe.3fa5810.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.2.start.exe.4def1c9.2.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
9.2.start.exe.4def1c9.2.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
9.2.start.exe.4def1c9.2.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
9.2.start.exe.4def1c9.2.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
17.2.start.exe.4aff1c9.3.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
17.2.start.exe.4aff1c9.3.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
17.2.start.exe.4aff1c9.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.start.exe.4aff1c9.3.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
25.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
23.3.start.exe.3f25b55.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b1b5:$a1: logins.json
- 0x6b115:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6b939:$s4: \mozsqlite3.dll
- 0x6a1a9:$s5: SMTP Password
|
23.3.start.exe.3f25b55.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
23.3.start.exe.3f25b55.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.2.start.exe.4b895c9.2.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111eea:$s1: HawkEye Keylogger
- 0x111f53:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b32d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b2fa:$s3: _PasswordStealer
|
17.2.start.exe.4b895c9.2.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1118bd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1105ca:$compile: AssemblyTitle
|
17.2.start.exe.4b895c9.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.start.exe.4b895c9.2.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b2fa:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b30b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b32d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b31c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b33f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b454:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b442:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x10b409:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x10b50f:$str9: _WebsiteBlocker
- 0x10b51f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
|
11.3.start.exe.3fa5b55.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b1b5:$a1: logins.json
- 0x6b115:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6b939:$s4: \mozsqlite3.dll
- 0x6a1a9:$s5: SMTP Password
|
11.3.start.exe.3fa5b55.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
11.3.start.exe.3fa5b55.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.2.start.exe.4d28179.4.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
17.2.start.exe.4d28179.4.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
17.2.start.exe.4d28179.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.start.exe.4d28179.4.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
23.3.start.exe.3f25810.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b4fa:$a1: logins.json
- 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6bc7e:$s4: \mozsqlite3.dll
- 0x6a4ee:$s5: SMTP Password
|
23.3.start.exe.3f25810.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
23.3.start.exe.3f25810.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
33.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
33.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111efa:$s1: HawkEye Keylogger
- 0x111f63:$s1: HawkEye Keylogger
- 0x19c2ea:$s1: HawkEye Keylogger
- 0x19c353:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b33d:$s2: _ScreenshotLogger
- 0x19572d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b30a:$s3: _PasswordStealer
- 0x1956fa:$s3: _PasswordStealer
|
1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1118cd:$name: ConfuserEx
- 0x19bcbd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1105da:$compile: AssemblyTitle
- 0x19a9ca:$compile: AssemblyTitle
|
1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b30a:$str1: _PasswordStealer
- 0x1956fa:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b31b:$str2: _KeyStrokeLogger
- 0x19570b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b33d:$str3: _ScreenshotLogger
- 0x19572d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b32c:$str4: _ClipboardLogger
- 0x19571c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b34f:$str5: _WebCamLogger
- 0x19573f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b464:$str6: _AntiVirusKiller
- 0x195854:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b452:$str7: _ProcessElevation
- 0x195842:$str7: _ProcessElevation
|
23.3.start.exe.3f25b55.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.2.start.exe.500000.1.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
|
19.2.start.exe.500000.1.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
|
19.2.start.exe.500000.1.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.2.start.exe.500000.1.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
- 0x81080:$str11: _AntiDebugger
- 0x8110a:$str12: _WebsiteVisitorSites
- 0x8102f:$str13: _DisableRegEdit
- 0x8108e:$str14: _ExecutionDelay
- 0x80fb3:$str15: _InstallStartupPersistance
|
1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
|
1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
|
1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
- 0x81080:$str11: _AntiDebugger
- 0x8110a:$str12: _WebsiteVisitorSites
- 0x8102f:$str13: _DisableRegEdit
- 0x8108e:$str14: _ExecutionDelay
- 0x80fb3:$str15: _InstallStartupPersistance
|
11.3.start.exe.3ffdb5a.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x11bb0:$a1: logins.json
- 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x12334:$s4: \mozsqlite3.dll
- 0x115a4:$s5: SMTP Password
|
11.3.start.exe.3ffdb5a.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.start.exe.490f1c9.1.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111efa:$s1: HawkEye Keylogger
- 0x111f63:$s1: HawkEye Keylogger
- 0x19c2ea:$s1: HawkEye Keylogger
- 0x19c353:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b33d:$s2: _ScreenshotLogger
- 0x19572d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b30a:$s3: _PasswordStealer
- 0x1956fa:$s3: _PasswordStealer
|
13.2.start.exe.490f1c9.1.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1118cd:$name: ConfuserEx
- 0x19bcbd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1105da:$compile: AssemblyTitle
- 0x19a9ca:$compile: AssemblyTitle
|
13.2.start.exe.490f1c9.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.start.exe.490f1c9.1.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b30a:$str1: _PasswordStealer
- 0x1956fa:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b31b:$str2: _KeyStrokeLogger
- 0x19570b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b33d:$str3: _ScreenshotLogger
- 0x19572d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b32c:$str4: _ClipboardLogger
- 0x19571c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b34f:$str5: _WebCamLogger
- 0x19573f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b464:$str6: _AntiVirusKiller
- 0x195854:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b452:$str7: _ProcessElevation
- 0x195842:$str7: _ProcessElevation
|
19.3.start.exe.3d75b55.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b1b5:$a1: logins.json
- 0x6b115:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6b939:$s4: \mozsqlite3.dll
- 0x6a1a9:$s5: SMTP Password
|
19.3.start.exe.3d75b55.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.3.start.exe.3d75b55.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.2.start.exe.50a23e0.4.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111b1a:$s1: HawkEye Keylogger
- 0x111b83:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10af5d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10af2a:$s3: _PasswordStealer
|
9.2.start.exe.50a23e0.4.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1114ed:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1101fa:$compile: AssemblyTitle
|
9.2.start.exe.50a23e0.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
9.2.start.exe.50a23e0.4.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10af2a:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10af3b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10af5d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10af4c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10af6f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b084:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b072:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x10b039:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x10b13f:$str9: _WebsiteBlocker
- 0x10b14f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
|
1.2.RpDMpvgd55.exe.4c295c9.3.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
1.2.RpDMpvgd55.exe.4c295c9.3.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
1.2.RpDMpvgd55.exe.4c295c9.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
1.2.RpDMpvgd55.exe.4c295c9.3.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
11.2.start.exe.37d1990.3.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x11bb0:$a1: logins.json
- 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x12334:$s4: \mozsqlite3.dll
- 0x115a4:$s5: SMTP Password
|
11.2.start.exe.37d1990.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.start.exe.4b38179.5.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111d61:$s1: HawkEye Keylogger
- 0x111dca:$s1: HawkEye Keylogger
- 0x19bd81:$s1: HawkEye Keylogger
- 0x19bdea:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b1a4:$s2: _ScreenshotLogger
- 0x1951c4:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b171:$s3: _PasswordStealer
- 0x195191:$s3: _PasswordStealer
|
13.2.start.exe.4b38179.5.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x111734:$name: ConfuserEx
- 0x19b754:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x110441:$compile: AssemblyTitle
- 0x19a461:$compile: AssemblyTitle
|
13.2.start.exe.4b38179.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.start.exe.4b38179.5.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b171:$str1: _PasswordStealer
- 0x195191:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b182:$str2: _KeyStrokeLogger
- 0x1951a2:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b1a4:$str3: _ScreenshotLogger
- 0x1951c4:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b193:$str4: _ClipboardLogger
- 0x1951b3:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b1b6:$str5: _WebCamLogger
- 0x1951d6:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b2cb:$str6: _AntiVirusKiller
- 0x1952eb:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b2b9:$str7: _ProcessElevation
- 0x1952d9:$str7: _ProcessElevation
|
19.3.start.exe.3d75810.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b4fa:$a1: logins.json
- 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6bc7e:$s4: \mozsqlite3.dll
- 0x6a4ee:$s5: SMTP Password
|
19.3.start.exe.3d75810.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.3.start.exe.3d75810.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.start.exe.4bc23e0.4.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111b1a:$s1: HawkEye Keylogger
- 0x111b83:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10af5d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10af2a:$s3: _PasswordStealer
|
13.2.start.exe.4bc23e0.4.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1114ed:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1101fa:$compile: AssemblyTitle
|
13.2.start.exe.4bc23e0.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.start.exe.4bc23e0.4.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10af2a:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10af3b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10af5d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10af4c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10af6f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b084:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b072:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x10b039:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x10b13f:$str9: _WebsiteBlocker
- 0x10b14f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
|
13.2.start.exe.4b38179.5.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
13.2.start.exe.4b38179.5.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
13.2.start.exe.4b38179.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.start.exe.4b38179.5.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
17.2.start.exe.4db23e0.5.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
17.2.start.exe.4db23e0.5.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
17.2.start.exe.4db23e0.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.start.exe.4db23e0.5.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
13.2.start.exe.49995c9.3.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111eea:$s1: HawkEye Keylogger
- 0x111f53:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b32d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b2fa:$s3: _PasswordStealer
|
13.2.start.exe.49995c9.3.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1118bd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1105ca:$compile: AssemblyTitle
|
13.2.start.exe.49995c9.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.start.exe.49995c9.3.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b2fa:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b30b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b32d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b31c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b33f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b454:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b442:$str7: _ProcessElevation
- 0x81019:$str8: _DisableCommandPrompt
- 0x10b409:$str8: _DisableCommandPrompt
- 0x8111f:$str9: _WebsiteBlocker
- 0x8112f:$str9: _WebsiteBlocker
- 0x10b50f:$str9: _WebsiteBlocker
- 0x10b51f:$str9: _WebsiteBlocker
- 0x81005:$str10: _DisableTaskManager
|
1.2.RpDMpvgd55.exe.4e523e0.4.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
1.2.RpDMpvgd55.exe.4e523e0.4.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
1.2.RpDMpvgd55.exe.4e523e0.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
1.2.RpDMpvgd55.exe.4e523e0.4.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
11.3.start.exe.3fa5b55.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
23.2.start.exe.36b5950.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.2.start.exe.4def1c9.2.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111efa:$s1: HawkEye Keylogger
- 0x111f63:$s1: HawkEye Keylogger
- 0x19c2ea:$s1: HawkEye Keylogger
- 0x19c353:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b33d:$s2: _ScreenshotLogger
- 0x19572d:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b30a:$s3: _PasswordStealer
- 0x1956fa:$s3: _PasswordStealer
|
9.2.start.exe.4def1c9.2.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x1118cd:$name: ConfuserEx
- 0x19bcbd:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x1105da:$compile: AssemblyTitle
- 0x19a9ca:$compile: AssemblyTitle
|
9.2.start.exe.4def1c9.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
9.2.start.exe.4def1c9.2.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b30a:$str1: _PasswordStealer
- 0x1956fa:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b31b:$str2: _KeyStrokeLogger
- 0x19570b:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b33d:$str3: _ScreenshotLogger
- 0x19572d:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b32c:$str4: _ClipboardLogger
- 0x19571c:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b34f:$str5: _WebCamLogger
- 0x19573f:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b464:$str6: _AntiVirusKiller
- 0x195854:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b452:$str7: _ProcessElevation
- 0x195842:$str7: _ProcessElevation
|
19.3.start.exe.3d75b55.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.start.exe.49995c9.3.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
13.2.start.exe.49995c9.3.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
13.2.start.exe.49995c9.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.start.exe.49995c9.3.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
28.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
25.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.2.start.exe.4b895c9.2.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85cfa:$s1: HawkEye Keylogger
- 0x85d63:$s1: HawkEye Keylogger
- 0x7f13d:$s2: _ScreenshotLogger
- 0x7f10a:$s3: _PasswordStealer
|
17.2.start.exe.4b895c9.2.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x856cd:$name: ConfuserEx
- 0x843da:$compile: AssemblyTitle
|
17.2.start.exe.4b895c9.2.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.start.exe.4b895c9.2.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x7f10a:$str1: _PasswordStealer
- 0x7f11b:$str2: _KeyStrokeLogger
- 0x7f13d:$str3: _ScreenshotLogger
- 0x7f12c:$str4: _ClipboardLogger
- 0x7f14f:$str5: _WebCamLogger
- 0x7f264:$str6: _AntiVirusKiller
- 0x7f252:$str7: _ProcessElevation
- 0x7f219:$str8: _DisableCommandPrompt
- 0x7f31f:$str9: _WebsiteBlocker
- 0x7f32f:$str9: _WebsiteBlocker
- 0x7f205:$str10: _DisableTaskManager
- 0x7f280:$str11: _AntiDebugger
- 0x7f30a:$str12: _WebsiteVisitorSites
- 0x7f22f:$str13: _DisableRegEdit
- 0x7f28e:$str14: _ExecutionDelay
- 0x7f1b3:$str15: _InstallStartupPersistance
|
19.3.start.exe.3dcdb5a.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
19.3.start.exe.3dcdb5a.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
23.3.start.exe.3f7db5a.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
23.3.start.exe.3f7db5a.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
28.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
23.3.start.exe.3f25810.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x696fa:$a1: logins.json
- 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x69e7e:$s4: \mozsqlite3.dll
- 0x686ee:$s5: SMTP Password
|
23.3.start.exe.3f25810.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
23.3.start.exe.3f25810.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
11.2.start.exe.3735950.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0xaf1f0:$a1: logins.json
- 0xaf150:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0xaf974:$s4: \mozsqlite3.dll
- 0xae1e4:$s5: SMTP Password
|
11.2.start.exe.3735950.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
11.2.start.exe.3735950.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.2.start.exe.3505950.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.2.start.exe.5018179.5.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87afa:$s1: HawkEye Keylogger
- 0x87b63:$s1: HawkEye Keylogger
- 0x111d61:$s1: HawkEye Keylogger
- 0x111dca:$s1: HawkEye Keylogger
- 0x19bd81:$s1: HawkEye Keylogger
- 0x19bdea:$s1: HawkEye Keylogger
- 0x80f3d:$s2: _ScreenshotLogger
- 0x10b1a4:$s2: _ScreenshotLogger
- 0x1951c4:$s2: _ScreenshotLogger
- 0x80f0a:$s3: _PasswordStealer
- 0x10b171:$s3: _PasswordStealer
- 0x195191:$s3: _PasswordStealer
|
9.2.start.exe.5018179.5.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x874cd:$name: ConfuserEx
- 0x111734:$name: ConfuserEx
- 0x19b754:$name: ConfuserEx
- 0x861da:$compile: AssemblyTitle
- 0x110441:$compile: AssemblyTitle
- 0x19a461:$compile: AssemblyTitle
|
9.2.start.exe.5018179.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
9.2.start.exe.5018179.5.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x80f0a:$str1: _PasswordStealer
- 0x10b171:$str1: _PasswordStealer
- 0x195191:$str1: _PasswordStealer
- 0x80f1b:$str2: _KeyStrokeLogger
- 0x10b182:$str2: _KeyStrokeLogger
- 0x1951a2:$str2: _KeyStrokeLogger
- 0x80f3d:$str3: _ScreenshotLogger
- 0x10b1a4:$str3: _ScreenshotLogger
- 0x1951c4:$str3: _ScreenshotLogger
- 0x80f2c:$str4: _ClipboardLogger
- 0x10b193:$str4: _ClipboardLogger
- 0x1951b3:$str4: _ClipboardLogger
- 0x80f4f:$str5: _WebCamLogger
- 0x10b1b6:$str5: _WebCamLogger
- 0x1951d6:$str5: _WebCamLogger
- 0x81064:$str6: _AntiVirusKiller
- 0x10b2cb:$str6: _AntiVirusKiller
- 0x1952eb:$str6: _AntiVirusKiller
- 0x81052:$str7: _ProcessElevation
- 0x10b2b9:$str7: _ProcessElevation
- 0x1952d9:$str7: _ProcessElevation
|
17.2.start.exe.4936a10.1.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x2502b3:$s1: HawkEye Keylogger
- 0x25031c:$s1: HawkEye Keylogger
- 0x2da6b3:$s1: HawkEye Keylogger
- 0x2da71c:$s1: HawkEye Keylogger
- 0x364aa3:$s1: HawkEye Keylogger
- 0x364b0c:$s1: HawkEye Keylogger
- 0x2496f6:$s2: _ScreenshotLogger
- 0x2d3af6:$s2: _ScreenshotLogger
- 0x35dee6:$s2: _ScreenshotLogger
- 0x2496c3:$s3: _PasswordStealer
- 0x2d3ac3:$s3: _PasswordStealer
- 0x35deb3:$s3: _PasswordStealer
|
17.2.start.exe.4936a10.1.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x24fc86:$name: ConfuserEx
- 0x2da086:$name: ConfuserEx
- 0x364476:$name: ConfuserEx
- 0x130d3:$compile: AssemblyTitle
- 0x24e993:$compile: AssemblyTitle
- 0x2d8d93:$compile: AssemblyTitle
- 0x363183:$compile: AssemblyTitle
|
17.2.start.exe.4936a10.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.start.exe.4936a10.1.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x2496c3:$str1: _PasswordStealer
- 0x2d3ac3:$str1: _PasswordStealer
- 0x35deb3:$str1: _PasswordStealer
- 0x2496d4:$str2: _KeyStrokeLogger
- 0x2d3ad4:$str2: _KeyStrokeLogger
- 0x35dec4:$str2: _KeyStrokeLogger
- 0x2496f6:$str3: _ScreenshotLogger
- 0x2d3af6:$str3: _ScreenshotLogger
- 0x35dee6:$str3: _ScreenshotLogger
- 0x2496e5:$str4: _ClipboardLogger
- 0x2d3ae5:$str4: _ClipboardLogger
- 0x35ded5:$str4: _ClipboardLogger
- 0x249708:$str5: _WebCamLogger
- 0x2d3b08:$str5: _WebCamLogger
- 0x35def8:$str5: _WebCamLogger
- 0x24981d:$str6: _AntiVirusKiller
- 0x2d3c1d:$str6: _AntiVirusKiller
- 0x35e00d:$str6: _AntiVirusKiller
- 0x24980b:$str7: _ProcessElevation
- 0x2d3c0b:$str7: _ProcessElevation
- 0x35dffb:$str7: _ProcessElevation
|
1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x2502b3:$s1: HawkEye Keylogger
- 0x25031c:$s1: HawkEye Keylogger
- 0x2da6b3:$s1: HawkEye Keylogger
- 0x2da71c:$s1: HawkEye Keylogger
- 0x364aa3:$s1: HawkEye Keylogger
- 0x364b0c:$s1: HawkEye Keylogger
- 0x2496f6:$s2: _ScreenshotLogger
- 0x2d3af6:$s2: _ScreenshotLogger
- 0x35dee6:$s2: _ScreenshotLogger
- 0x2496c3:$s3: _PasswordStealer
- 0x2d3ac3:$s3: _PasswordStealer
- 0x35deb3:$s3: _PasswordStealer
|
1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x24fc86:$name: ConfuserEx
- 0x2da086:$name: ConfuserEx
- 0x364476:$name: ConfuserEx
- 0x130d3:$compile: AssemblyTitle
- 0x24e993:$compile: AssemblyTitle
- 0x2d8d93:$compile: AssemblyTitle
- 0x363183:$compile: AssemblyTitle
|
1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x2496c3:$str1: _PasswordStealer
- 0x2d3ac3:$str1: _PasswordStealer
- 0x35deb3:$str1: _PasswordStealer
- 0x2496d4:$str2: _KeyStrokeLogger
- 0x2d3ad4:$str2: _KeyStrokeLogger
- 0x35dec4:$str2: _KeyStrokeLogger
- 0x2496f6:$str3: _ScreenshotLogger
- 0x2d3af6:$str3: _ScreenshotLogger
- 0x35dee6:$str3: _ScreenshotLogger
- 0x2496e5:$str4: _ClipboardLogger
- 0x2d3ae5:$str4: _ClipboardLogger
- 0x35ded5:$str4: _ClipboardLogger
- 0x249708:$str5: _WebCamLogger
- 0x2d3b08:$str5: _WebCamLogger
- 0x35def8:$str5: _WebCamLogger
- 0x24981d:$str6: _AntiVirusKiller
- 0x2d3c1d:$str6: _AntiVirusKiller
- 0x35e00d:$str6: _AntiVirusKiller
- 0x24980b:$str7: _ProcessElevation
- 0x2d3c0b:$str7: _ProcessElevation
- 0x35dffb:$str7: _ProcessElevation
|
13.2.start.exe.4746a10.2.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x2502b3:$s1: HawkEye Keylogger
- 0x25031c:$s1: HawkEye Keylogger
- 0x2da6b3:$s1: HawkEye Keylogger
- 0x2da71c:$s1: HawkEye Keylogger
- 0x364aa3:$s1: HawkEye Keylogger
- 0x364b0c:$s1: HawkEye Keylogger
- 0x2496f6:$s2: _ScreenshotLogger
- 0x2d3af6:$s2: _ScreenshotLogger
- 0x35dee6:$s2: _ScreenshotLogger
- 0x2496c3:$s3: _PasswordStealer
- 0x2d3ac3:$s3: _PasswordStealer
- 0x35deb3:$s3: _PasswordStealer
|
13.2.start.exe.4746a10.2.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x24fc86:$name: ConfuserEx
- 0x2da086:$name: ConfuserEx
- 0x364476:$name: ConfuserEx
- 0x130d3:$compile: AssemblyTitle
- 0x24e993:$compile: AssemblyTitle
- 0x2d8d93:$compile: AssemblyTitle
- 0x363183:$compile: AssemblyTitle
|
13.2.start.exe.4746a10.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.start.exe.4746a10.2.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x2496c3:$str1: _PasswordStealer
- 0x2d3ac3:$str1: _PasswordStealer
- 0x35deb3:$str1: _PasswordStealer
- 0x2496d4:$str2: _KeyStrokeLogger
- 0x2d3ad4:$str2: _KeyStrokeLogger
- 0x35dec4:$str2: _KeyStrokeLogger
- 0x2496f6:$str3: _ScreenshotLogger
- 0x2d3af6:$str3: _ScreenshotLogger
- 0x35dee6:$str3: _ScreenshotLogger
- 0x2496e5:$str4: _ClipboardLogger
- 0x2d3ae5:$str4: _ClipboardLogger
- 0x35ded5:$str4: _ClipboardLogger
- 0x249708:$str5: _WebCamLogger
- 0x2d3b08:$str5: _WebCamLogger
- 0x35def8:$str5: _WebCamLogger
- 0x24981d:$str6: _AntiVirusKiller
- 0x2d3c1d:$str6: _AntiVirusKiller
- 0x35e00d:$str6: _AntiVirusKiller
- 0x24980b:$str7: _ProcessElevation
- 0x2d3c0b:$str7: _ProcessElevation
- 0x35dffb:$str7: _ProcessElevation
|
9.2.start.exe.4c26a10.3.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x2502b3:$s1: HawkEye Keylogger
- 0x25031c:$s1: HawkEye Keylogger
- 0x2da6b3:$s1: HawkEye Keylogger
- 0x2da71c:$s1: HawkEye Keylogger
- 0x364aa3:$s1: HawkEye Keylogger
- 0x364b0c:$s1: HawkEye Keylogger
- 0x2496f6:$s2: _ScreenshotLogger
- 0x2d3af6:$s2: _ScreenshotLogger
- 0x35dee6:$s2: _ScreenshotLogger
- 0x2496c3:$s3: _PasswordStealer
- 0x2d3ac3:$s3: _PasswordStealer
- 0x35deb3:$s3: _PasswordStealer
|
9.2.start.exe.4c26a10.3.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x24fc86:$name: ConfuserEx
- 0x2da086:$name: ConfuserEx
- 0x364476:$name: ConfuserEx
- 0x130d3:$compile: AssemblyTitle
- 0x24e993:$compile: AssemblyTitle
- 0x2d8d93:$compile: AssemblyTitle
- 0x363183:$compile: AssemblyTitle
|
9.2.start.exe.4c26a10.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
9.2.start.exe.4c26a10.3.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x2496c3:$str1: _PasswordStealer
- 0x2d3ac3:$str1: _PasswordStealer
- 0x35deb3:$str1: _PasswordStealer
- 0x2496d4:$str2: _KeyStrokeLogger
- 0x2d3ad4:$str2: _KeyStrokeLogger
- 0x35dec4:$str2: _KeyStrokeLogger
- 0x2496f6:$str3: _ScreenshotLogger
- 0x2d3af6:$str3: _ScreenshotLogger
- 0x35dee6:$str3: _ScreenshotLogger
- 0x2496e5:$str4: _ClipboardLogger
- 0x2d3ae5:$str4: _ClipboardLogger
- 0x35ded5:$str4: _ClipboardLogger
- 0x249708:$str5: _WebCamLogger
- 0x2d3b08:$str5: _WebCamLogger
- 0x35def8:$str5: _WebCamLogger
- 0x24981d:$str6: _AntiVirusKiller
- 0x2d3c1d:$str6: _AntiVirusKiller
- 0x35e00d:$str6: _AntiVirusKiller
- 0x24980b:$str7: _ProcessElevation
- 0x2d3c0b:$str7: _ProcessElevation
- 0x35dffb:$str7: _ProcessElevation
|