26.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x147b0:$a1: logins.json
- 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x14f34:$s4: \mozsqlite3.dll
- 0x137a4:$s5: SMTP Password
|
26.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b4fa:$a1: logins.json
- 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6bc7e:$s4: \mozsqlite3.dll
- 0x6a4ee:$s5: SMTP Password
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x11bb0:$a1: logins.json
- 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x12334:$s4: \mozsqlite3.dll
- 0x115a4:$s5: SMTP Password
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910345.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
26.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
26.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x696fa:$a1: logins.json
- 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x69e7e:$s4: \mozsqlite3.dll
- 0x686ee:$s5: SMTP Password
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910000.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b4fa:$a1: logins.json
- 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6bc7e:$s4: \mozsqlite3.dll
- 0x6a4ee:$s5: SMTP Password
|
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x11bb0:$a1: logins.json
- 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x12334:$s4: \mozsqlite3.dll
- 0x115a4:$s5: SMTP Password
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.4571990.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.596834a.6.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45bd5.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.44d5950.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85e2e:$s1: HawkEye Keylogger
- 0x85e97:$s1: HawkEye Keylogger
- 0x7f271:$s2: _ScreenshotLogger
- 0x7f23e:$s3: _PasswordStealer
|
0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x85801:$name: ConfuserEx
- 0x8450e:$compile: AssemblyTitle
|
0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x85e2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x85e97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x7f23e:$str1: _PasswordStealer
- 0x7f24f:$str2: _KeyStrokeLogger
- 0x7f271:$str3: _ScreenshotLogger
- 0x7f260:$str4: _ClipboardLogger
- 0x7f283:$str5: _WebCamLogger
- 0x7f398:$str6: _AntiVirusKiller
- 0x7f386:$str7: _ProcessElevation
- 0x7f34d:$str8: _DisableCommandPrompt
- 0x7f453:$str9: _WebsiteBlocker
- 0x7f463:$str9: _WebsiteBlocker
- 0x7f339:$str10: _DisableTaskManager
- 0x7f3b4:$str11: _AntiDebugger
- 0x7f43e:$str12: _WebsiteVisitorSites
- 0x7f363:$str13: _DisableRegEdit
- 0x7f3c2:$str14: _ExecutionDelay
- 0x7f2e7:$str15: _InstallStartupPersistance
|
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x11bb0:$a1: logins.json
- 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x12334:$s4: \mozsqlite3.dll
- 0x115a4:$s5: SMTP Password
|
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d9dbda.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x696fa:$a1: logins.json
- 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x69e7e:$s4: \mozsqlite3.dll
- 0x686ee:$s5: SMTP Password
|
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45890.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87c2e:$s1: HawkEye Keylogger
- 0x87c97:$s1: HawkEye Keylogger
- 0x81071:$s2: _ScreenshotLogger
- 0x8103e:$s3: _PasswordStealer
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x87601:$name: ConfuserEx
- 0x8630e:$compile: AssemblyTitle
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.400000.0.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x8103e:$str1: _PasswordStealer
- 0x8104f:$str2: _KeyStrokeLogger
- 0x81071:$str3: _ScreenshotLogger
- 0x81060:$str4: _ClipboardLogger
- 0x81083:$str5: _WebCamLogger
- 0x81198:$str6: _AntiVirusKiller
- 0x81186:$str7: _ProcessElevation
- 0x8114d:$str8: _DisableCommandPrompt
- 0x81253:$str9: _WebsiteBlocker
- 0x81263:$str9: _WebsiteBlocker
- 0x81139:$str10: _DisableTaskManager
- 0x811b4:$str11: _AntiDebugger
- 0x8123e:$str12: _WebsiteVisitorSites
- 0x81163:$str13: _DisableRegEdit
- 0x811c2:$str14: _ExecutionDelay
- 0x810e7:$str15: _InstallStartupPersistance
|
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45bd5.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b1b5:$a1: logins.json
- 0x6b115:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6b939:$s4: \mozsqlite3.dll
- 0x6a1a9:$s5: SMTP Password
|
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45bd5.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.3.DHL_AWB_DOCUMENT_pdf.exe.4d45bd5.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87c2e:$s1: HawkEye Keylogger
- 0x87c97:$s1: HawkEye Keylogger
- 0x81071:$s2: _ScreenshotLogger
- 0x8103e:$s3: _PasswordStealer
|
0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x87601:$name: ConfuserEx
- 0x8630e:$compile: AssemblyTitle
|
0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.DHL_AWB_DOCUMENT_pdf.exe.4311cd0.3.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x8103e:$str1: _PasswordStealer
- 0x8104f:$str2: _KeyStrokeLogger
- 0x81071:$str3: _ScreenshotLogger
- 0x81060:$str4: _ClipboardLogger
- 0x81083:$str5: _WebCamLogger
- 0x81198:$str6: _AntiVirusKiller
- 0x81186:$str7: _ProcessElevation
- 0x8114d:$str8: _DisableCommandPrompt
- 0x81253:$str9: _WebsiteBlocker
- 0x81263:$str9: _WebsiteBlocker
- 0x81139:$str10: _DisableTaskManager
- 0x811b4:$str11: _AntiDebugger
- 0x8123e:$str12: _WebsiteVisitorSites
- 0x81163:$str13: _DisableRegEdit
- 0x811c2:$str14: _ExecutionDelay
- 0x810e7:$str15: _InstallStartupPersistance
|
13.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910345.4.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b1b5:$a1: logins.json
- 0x6b115:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6b939:$s4: \mozsqlite3.dll
- 0x6a1a9:$s5: SMTP Password
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910345.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.5910345.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x26ceae:$s1: HawkEye Keylogger
- 0x26cf17:$s1: HawkEye Keylogger
- 0x2662f1:$s2: _ScreenshotLogger
- 0x2662be:$s3: _PasswordStealer
|
0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x26c881:$name: ConfuserEx
- 0x16782:$compile: AssemblyTitle
- 0x26b58e:$compile: AssemblyTitle
|
0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.DHL_AWB_DOCUMENT_pdf.exe.412ca50.2.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x26ceae:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x26cf17:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x2662be:$str1: _PasswordStealer
- 0x2662cf:$str2: _KeyStrokeLogger
- 0x2662f1:$str3: _ScreenshotLogger
- 0x2662e0:$str4: _ClipboardLogger
- 0x266303:$str5: _WebCamLogger
- 0x266418:$str6: _AntiVirusKiller
- 0x266406:$str7: _ProcessElevation
- 0x2663cd:$str8: _DisableCommandPrompt
- 0x2664d3:$str9: _WebsiteBlocker
- 0x2664e3:$str9: _WebsiteBlocker
- 0x2663b9:$str10: _DisableTaskManager
- 0x266434:$str11: _AntiDebugger
- 0x2664be:$str12: _WebsiteVisitorSites
- 0x2663e3:$str13: _DisableRegEdit
- 0x266442:$str14: _ExecutionDelay
- 0x266367:$str15: _InstallStartupPersistance
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.44d5950.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0xaf1f0:$a1: logins.json
- 0xaf150:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0xaf974:$s4: \mozsqlite3.dll
- 0xae1e4:$s5: SMTP Password
|
8.2.DHL_AWB_DOCUMENT_pdf.exe.44d5950.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.DHL_AWB_DOCUMENT_pdf.exe.44d5950.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.DHL_AWB_DOCUMENT_pdf.exe.2e246e0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |