Source | Rule | Description | Author | Strings
--- | --- | --- | --- | ---
7.0.NEW PO.exe.2d9bffc.45.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.0.NEW PO.exe.2afd174.43.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.0.NEW PO.exe.7ee0000.37.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.0.NEW PO.exe.45fa72.29.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.22.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.19.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.8660000.48.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
22.0.vbc.exe.400000.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.35f1ffc.44.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.0.NEW PO.exe.409c0d.39.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger<br>- 0x75cca:$salt: 099u787978786<br>- 0x740a9:$string1: HawkEye_Keylogger<br>- 0x74efc:$string1: HawkEye_Keylogger<br>- 0x75c2a:$string1: HawkEye_Keylogger<br>- 0x74492:$string2: holdermail.txt<br>- 0x744b2:$string2: holdermail.txt<br>- 0x743d4:$string3: wallet.dat<br>- 0x743ec:$string3: wallet.dat<br>- 0x74402:$string3: wallet.dat<br>- 0x757ee:$string4: Keylog Records<br>- 0x75b06:$string4: Keylog Records<br>- 0x75d22:$string5: do not script --><br>- 0x73a34:$string6: \pidloc.txt<br>- 0x73ac2:$string7: BSPLIT<br>- 0x73ad2:$string7: BSPLIT |
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.8.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger<br>- 0x74f42:$hawkstr1: HawkEye Keylogger<br>- 0x75271:$hawkstr1: HawkEye Keylogger<br>- 0x753cc:$hawkstr1: HawkEye Keylogger<br>- 0x7552f:$hawkstr1: HawkEye Keylogger<br>- 0x757c6:$hawkstr1: HawkEye Keylogger<br>- 0x73c73:$hawkstr2: Dear HawkEye Customers!<br>- 0x752c4:$hawkstr2: Dear HawkEye Customers!<br>- 0x7541b:$hawkstr2: Dear HawkEye Customers!<br>- 0x75582:$hawkstr2: Dear HawkEye Customers!<br>- 0x73d94:$hawkstr3: HawkEye Logger Details: |
16.0.WindowsUpdate.exe.409c0d.14.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.39.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
10.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.NEW PO.exe.3ac2370.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger<br>- 0x1fe65:$salt: 099u787978786<br>- 0x1e244:$string1: HawkEye_Keylogger<br>- 0x1f097:$string1: HawkEye_Keylogger<br>- 0x1fdc5:$string1: HawkEye_Keylogger<br>- 0x1e62d:$string2: holdermail.txt<br>- 0x1e64d:$string2: holdermail.txt<br>- 0x1e56f:$string3: wallet.dat<br>- 0x1e587:$string3: wallet.dat<br>- 0x1e59d:$string3: wallet.dat<br>- 0x1f989:$string4: Keylog Records<br>- 0x1fca1:$string4: Keylog Records<br>- 0x1febd:$string5: do not script --><br>- 0x1dbcf:$string6: \pidloc.txt<br>- 0x1dc5d:$string7: BSPLIT<br>- 0x1dc6d:$string7: BSPLIT |
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger<br>- 0x1f0dd:$hawkstr1: HawkEye Keylogger<br>- 0x1f40c:$hawkstr1: HawkEye Keylogger<br>- 0x1f567:$hawkstr1: HawkEye Keylogger<br>- 0x1f6ca:$hawkstr1: HawkEye Keylogger<br>- 0x1f961:$hawkstr1: HawkEye Keylogger<br>- 0x1de0e:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f45f:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f71d:$hawkstr2: Dear HawkEye Customers!<br>- 0x1df2f:$hawkstr3: HawkEye Logger Details: |
18.0.WindowsUpdate.exe.42d9930.33.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.42d9930.33.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.45fa72.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger<br>- 0x1fe65:$salt: 099u787978786<br>- 0x1e244:$string1: HawkEye_Keylogger<br>- 0x1f097:$string1: HawkEye_Keylogger<br>- 0x1fdc5:$string1: HawkEye_Keylogger<br>- 0x1e62d:$string2: holdermail.txt<br>- 0x1e64d:$string2: holdermail.txt<br>- 0x1e56f:$string3: wallet.dat<br>- 0x1e587:$string3: wallet.dat<br>- 0x1e59d:$string3: wallet.dat<br>- 0x1f989:$string4: Keylog Records<br>- 0x1fca1:$string4: Keylog Records<br>- 0x1febd:$string5: do not script --><br>- 0x1dbcf:$string6: \pidloc.txt<br>- 0x1dc5d:$string7: BSPLIT<br>- 0x1dc6d:$string7: BSPLIT |
7.0.NEW PO.exe.45fa72.9.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.9.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.45fa72.9.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger<br>- 0x1f0dd:$hawkstr1: HawkEye Keylogger<br>- 0x1f40c:$hawkstr1: HawkEye Keylogger<br>- 0x1f567:$hawkstr1: HawkEye Keylogger<br>- 0x1f6ca:$hawkstr1: HawkEye Keylogger<br>- 0x1f961:$hawkstr1: HawkEye Keylogger<br>- 0x1de0e:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f45f:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f71d:$hawkstr2: Dear HawkEye Customers!<br>- 0x1df2f:$hawkstr3: HawkEye Logger Details: |
11.0.vbc.exe.400000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.17.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger<br>- 0x1fe65:$salt: 099u787978786<br>- 0x1e244:$string1: HawkEye_Keylogger<br>- 0x1f097:$string1: HawkEye_Keylogger<br>- 0x1fdc5:$string1: HawkEye_Keylogger<br>- 0x1e62d:$string2: holdermail.txt<br>- 0x1e64d:$string2: holdermail.txt<br>- 0x1e56f:$string3: wallet.dat<br>- 0x1e587:$string3: wallet.dat<br>- 0x1e59d:$string3: wallet.dat<br>- 0x1f989:$string4: Keylog Records<br>- 0x1fca1:$string4: Keylog Records<br>- 0x1febd:$string5: do not script --><br>- 0x1dbcf:$string6: \pidloc.txt<br>- 0x1dc5d:$string7: BSPLIT<br>- 0x1dc6d:$string7: BSPLIT |
7.0.NEW PO.exe.45fa72.17.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.17.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.45fa72.17.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger<br>- 0x1f0dd:$hawkstr1: HawkEye Keylogger<br>- 0x1f40c:$hawkstr1: HawkEye Keylogger<br>- 0x1f567:$hawkstr1: HawkEye Keylogger<br>- 0x1f6ca:$hawkstr1: HawkEye Keylogger<br>- 0x1f961:$hawkstr1: HawkEye Keylogger<br>- 0x1de0e:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f45f:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f71d:$hawkstr2: Dear HawkEye Customers!<br>- 0x1df2f:$hawkstr3: HawkEye Logger Details: |
16.2.WindowsUpdate.exe.409c0d.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.42f2370.34.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
10.0.vbc.exe.400000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.2.WindowsUpdate.exe.8640000.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.0.NEW PO.exe.45fa72.40.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.408208.17.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger<br>- 0x776cf:$salt: 099u787978786<br>- 0x75aae:$string1: HawkEye_Keylogger<br>- 0x76901:$string1: HawkEye_Keylogger<br>- 0x7762f:$string1: HawkEye_Keylogger<br>- 0x75e97:$string2: holdermail.txt<br>- 0x75eb7:$string2: holdermail.txt<br>- 0x75dd9:$string3: wallet.dat<br>- 0x75df1:$string3: wallet.dat<br>- 0x75e07:$string3: wallet.dat<br>- 0x771f3:$string4: Keylog Records<br>- 0x7750b:$string4: Keylog Records<br>- 0x77727:$string5: do not script --><br>- 0x75439:$string6: \pidloc.txt<br>- 0x754c7:$string7: BSPLIT<br>- 0x754d7:$string7: BSPLIT |
18.0.WindowsUpdate.exe.408208.17.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
18.0.WindowsUpdate.exe.408208.17.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.408208.17.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.408208.17.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.408208.17.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger<br>- 0x76947:$hawkstr1: HawkEye Keylogger<br>- 0x76c76:$hawkstr1: HawkEye Keylogger<br>- 0x76dd1:$hawkstr1: HawkEye Keylogger<br>- 0x76f34:$hawkstr1: HawkEye Keylogger<br>- 0x771cb:$hawkstr1: HawkEye Keylogger<br>- 0x75678:$hawkstr2: Dear HawkEye Customers!<br>- 0x76cc9:$hawkstr2: Dear HawkEye Customers!<br>- 0x76e20:$hawkstr2: Dear HawkEye Customers!<br>- 0x76f87:$hawkstr2: Dear HawkEye Customers!<br>- 0x75799:$hawkstr3: HawkEye Logger Details: |
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger<br>- 0x1fe65:$salt: 099u787978786<br>- 0x1e244:$string1: HawkEye_Keylogger<br>- 0x1f097:$string1: HawkEye_Keylogger<br>- 0x1fdc5:$string1: HawkEye_Keylogger<br>- 0x1e62d:$string2: holdermail.txt<br>- 0x1e64d:$string2: holdermail.txt<br>- 0x1e56f:$string3: wallet.dat<br>- 0x1e587:$string3: wallet.dat<br>- 0x1e59d:$string3: wallet.dat<br>- 0x1f989:$string4: Keylog Records<br>- 0x1fca1:$string4: Keylog Records<br>- 0x1febd:$string5: do not script --><br>- 0x1dbcf:$string6: \pidloc.txt<br>- 0x1dc5d:$string7: BSPLIT<br>- 0x1dc6d:$string7: BSPLIT |
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.17.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger<br>- 0x1f0dd:$hawkstr1: HawkEye Keylogger<br>- 0x1f40c:$hawkstr1: HawkEye Keylogger<br>- 0x1f567:$hawkstr1: HawkEye Keylogger<br>- 0x1f6ca:$hawkstr1: HawkEye Keylogger<br>- 0x1f961:$hawkstr1: HawkEye Keylogger<br>- 0x1de0e:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f45f:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f71d:$hawkstr2: Dear HawkEye Customers!<br>- 0x1df2f:$hawkstr3: HawkEye Logger Details: |
18.0.WindowsUpdate.exe.408208.40.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger<br>- 0x776cf:$salt: 099u787978786<br>- 0x75aae:$string1: HawkEye_Keylogger<br>- 0x76901:$string1: HawkEye_Keylogger<br>- 0x7762f:$string1: HawkEye_Keylogger<br>- 0x75e97:$string2: holdermail.txt<br>- 0x75eb7:$string2: holdermail.txt<br>- 0x75dd9:$string3: wallet.dat<br>- 0x75df1:$string3: wallet.dat<br>- 0x75e07:$string3: wallet.dat<br>- 0x771f3:$string4: Keylog Records<br>- 0x7750b:$string4: Keylog Records<br>- 0x77727:$string5: do not script --><br>- 0x75439:$string6: \pidloc.txt<br>- 0x754c7:$string7: BSPLIT<br>- 0x754d7:$string7: BSPLIT |
18.0.WindowsUpdate.exe.408208.40.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
18.0.WindowsUpdate.exe.408208.40.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.408208.40.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.408208.40.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.408208.40.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger<br>- 0x76947:$hawkstr1: HawkEye Keylogger<br>- 0x76c76:$hawkstr1: HawkEye Keylogger<br>- 0x76dd1:$hawkstr1: HawkEye Keylogger<br>- 0x76f34:$hawkstr1: HawkEye Keylogger<br>- 0x771cb:$hawkstr1: HawkEye Keylogger<br>- 0x75678:$hawkstr2: Dear HawkEye Customers!<br>- 0x76cc9:$hawkstr2: Dear HawkEye Customers!<br>- 0x76e20:$hawkstr2: Dear HawkEye Customers!<br>- 0x76f87:$hawkstr2: Dear HawkEye Customers!<br>- 0x75799:$hawkstr3: HawkEye Logger Details: |
10.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.8.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger<br>- 0x776cf:$salt: 099u787978786<br>- 0x75aae:$string1: HawkEye_Keylogger<br>- 0x76901:$string1: HawkEye_Keylogger<br>- 0x7762f:$string1: HawkEye_Keylogger<br>- 0x75e97:$string2: holdermail.txt<br>- 0x75eb7:$string2: holdermail.txt<br>- 0x75dd9:$string3: wallet.dat<br>- 0x75df1:$string3: wallet.dat<br>- 0x75e07:$string3: wallet.dat<br>- 0x771f3:$string4: Keylog Records<br>- 0x7750b:$string4: Keylog Records<br>- 0x77727:$string5: do not script --><br>- 0x75439:$string6: \pidloc.txt<br>- 0x754c7:$string7: BSPLIT<br>- 0x754d7:$string7: BSPLIT |
7.0.NEW PO.exe.408208.8.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.0.NEW PO.exe.408208.8.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.408208.8.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.408208.8.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.8.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger<br>- 0x76947:$hawkstr1: HawkEye Keylogger<br>- 0x76c76:$hawkstr1: HawkEye Keylogger<br>- 0x76dd1:$hawkstr1: HawkEye Keylogger<br>- 0x76f34:$hawkstr1: HawkEye Keylogger<br>- 0x771cb:$hawkstr1: HawkEye Keylogger<br>- 0x75678:$hawkstr2: Dear HawkEye Customers!<br>- 0x76cc9:$hawkstr2: Dear HawkEye Customers!<br>- 0x76e20:$hawkstr2: Dear HawkEye Customers!<br>- 0x76f87:$hawkstr2: Dear HawkEye Customers!<br>- 0x75799:$hawkstr3: HawkEye Logger Details: |
11.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.7.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger<br>- 0x75cca:$salt: 099u787978786<br>- 0x740a9:$string1: HawkEye_Keylogger<br>- 0x74efc:$string1: HawkEye_Keylogger<br>- 0x75c2a:$string1: HawkEye_Keylogger<br>- 0x74492:$string2: holdermail.txt<br>- 0x744b2:$string2: holdermail.txt<br>- 0x743d4:$string3: wallet.dat<br>- 0x743ec:$string3: wallet.dat<br>- 0x74402:$string3: wallet.dat<br>- 0x757ee:$string4: Keylog Records<br>- 0x75b06:$string4: Keylog Records<br>- 0x75d22:$string5: do not script --><br>- 0x73a34:$string6: \pidloc.txt<br>- 0x73ac2:$string7: BSPLIT<br>- 0x73ad2:$string7: BSPLIT |
7.0.NEW PO.exe.409c0d.7.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.7.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.409c0d.7.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.409c0d.7.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger<br>- 0x74f42:$hawkstr1: HawkEye Keylogger<br>- 0x75271:$hawkstr1: HawkEye Keylogger<br>- 0x753cc:$hawkstr1: HawkEye Keylogger<br>- 0x7552f:$hawkstr1: HawkEye Keylogger<br>- 0x757c6:$hawkstr1: HawkEye Keylogger<br>- 0x73c73:$hawkstr2: Dear HawkEye Customers!<br>- 0x752c4:$hawkstr2: Dear HawkEye Customers!<br>- 0x7541b:$hawkstr2: Dear HawkEye Customers!<br>- 0x75582:$hawkstr2: Dear HawkEye Customers!<br>- 0x73d94:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.45fa72.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger<br>- 0x1fe65:$salt: 099u787978786<br>- 0x1e244:$string1: HawkEye_Keylogger<br>- 0x1f097:$string1: HawkEye_Keylogger<br>- 0x1fdc5:$string1: HawkEye_Keylogger<br>- 0x1e62d:$string2: holdermail.txt<br>- 0x1e64d:$string2: holdermail.txt<br>- 0x1e56f:$string3: wallet.dat<br>- 0x1e587:$string3: wallet.dat<br>- 0x1e59d:$string3: wallet.dat<br>- 0x1f989:$string4: Keylog Records<br>- 0x1fca1:$string4: Keylog Records<br>- 0x1febd:$string5: do not script --><br>- 0x1dbcf:$string6: \pidloc.txt<br>- 0x1dc5d:$string7: BSPLIT<br>- 0x1dc6d:$string7: BSPLIT |
7.0.NEW PO.exe.45fa72.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.45fa72.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger<br>- 0x1f0dd:$hawkstr1: HawkEye Keylogger<br>- 0x1f40c:$hawkstr1: HawkEye Keylogger<br>- 0x1f567:$hawkstr1: HawkEye Keylogger<br>- 0x1f6ca:$hawkstr1: HawkEye Keylogger<br>- 0x1f961:$hawkstr1: HawkEye Keylogger<br>- 0x1de0e:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f45f:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f71d:$hawkstr2: Dear HawkEye Customers!<br>- 0x1df2f:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.7ee0000.49.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
18.0.WindowsUpdate.exe.45fa72.14.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.27.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.NEW PO.exe.7ee0000.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
22.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger<br>- 0x1fe65:$salt: 099u787978786<br>- 0x1e244:$string1: HawkEye_Keylogger<br>- 0x1f097:$string1: HawkEye_Keylogger<br>- 0x1fdc5:$string1: HawkEye_Keylogger<br>- 0x1e62d:$string2: holdermail.txt<br>- 0x1e64d:$string2: holdermail.txt<br>- 0x1e56f:$string3: wallet.dat<br>- 0x1e587:$string3: wallet.dat<br>- 0x1e59d:$string3: wallet.dat<br>- 0x1f989:$string4: Keylog Records<br>- 0x1fca1:$string4: Keylog Records<br>- 0x1febd:$string5: do not script --><br>- 0x1dbcf:$string6: \pidloc.txt<br>- 0x1dc5d:$string7: BSPLIT<br>- 0x1dc6d:$string7: BSPLIT |
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.12.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger<br>- 0x1f0dd:$hawkstr1: HawkEye Keylogger<br>- 0x1f40c:$hawkstr1: HawkEye Keylogger<br>- 0x1f567:$hawkstr1: HawkEye Keylogger<br>- 0x1f6ca:$hawkstr1: HawkEye Keylogger<br>- 0x1f961:$hawkstr1: HawkEye Keylogger<br>- 0x1de0e:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f45f:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!<br>- 0x1f71d:$hawkstr2: Dear HawkEye Customers!<br>- 0x1df2f:$hawkstr3: HawkEye Logger Details: |
11.0.vbc.exe.400000.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.400000.21.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger<br>- 0x7dad7:$salt: 099u787978786<br>- 0x7beb6:$string1: HawkEye_Keylogger<br>- 0x7cd09:$string1: HawkEye_Keylogger<br>- 0x7da37:$string1: HawkEye_Keylogger<br>- 0x7c29f:$string2: holdermail.txt<br>- 0x7c2bf:$string2: holdermail.txt<br>- 0x7c1e1:$string3: wallet.dat<br>- 0x7c1f9:$string3: wallet.dat<br>- 0x7c20f:$string3: wallet.dat<br>- 0x7d5fb:$string4: Keylog Records<br>- 0x7d913:$string4: Keylog Records<br>- 0x7db2f:$string5: do not script --><br>- 0x7b841:$string6: \pidloc.txt<br>- 0x7b8cf:$string7: BSPLIT<br>- 0x7b8df:$string7: BSPLIT |
16.0.WindowsUpdate.exe.400000.21.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
16.0.WindowsUpdate.exe.400000.21.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.400000.21.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.400000.21.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.400000.21.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger<br>- 0x7cd4f:$hawkstr1: HawkEye Keylogger<br>- 0x7d07e:$hawkstr1: HawkEye Keylogger<br>- 0x7d1d9:$hawkstr1: HawkEye Keylogger<br>- 0x7d33c:$hawkstr1: HawkEye Keylogger<br>- 0x7d5d3:$hawkstr1: HawkEye Keylogger<br>- 0x7ba80:$hawkstr2: Dear HawkEye Customers!<br>- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!<br>- 0x7d228:$hawkstr2: Dear HawkEye Customers!<br>- 0x7d38f:$hawkstr2: Dear HawkEye Customers!<br>- 0x7bba1:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.409c0d.39.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger<br>- 0x75cca:$salt: 099u787978786<br>- 0x740a9:$string1: HawkEye_Keylogger<br>- 0x74efc:$string1: HawkEye_Keylogger<br>- 0x75c2a:$string1: HawkEye_Keylogger<br>- 0x74492:$string2: holdermail.txt<br>- 0x744b2:$string2: holdermail.txt<br>- 0x743d4:$string3: wallet.dat<br>- 0x743ec:$string3: wallet.dat<br>- 0x74402:$string3: wallet.dat<br>- 0x757ee:$string4: Keylog Records<br>- 0x75b06:$string4: Keylog Records<br>- 0x75d22:$string5: do not script --><br>- 0x73a34:$string6: \pidloc.txt<br>- 0x73ac2:$string7: BSPLIT<br>- 0x73ad2:$string7: BSPLIT |
7.0.NEW PO.exe.409c0d.39.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.39.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.409c0d.39.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.409c0d.39.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger<br>- 0x74f42:$hawkstr1: HawkEye Keylogger<br>- 0x75271:$hawkstr1: HawkEye Keylogger<br>- 0x753cc:$hawkstr1: HawkEye Keylogger<br>- 0x7552f:$hawkstr1: HawkEye Keylogger<br>- 0x757c6:$hawkstr1: HawkEye Keylogger<br>- 0x73c73:$hawkstr2: Dear HawkEye Customers!<br>- 0x752c4:$hawkstr2: Dear HawkEye Customers!<br>- 0x7541b:$hawkstr2: Dear HawkEye Customers!<br>- 0x75582:$hawkstr2: Dear HawkEye Customers!<br>- 0x73d94:$hawkstr3: HawkEye Logger Details: |
18.2.WindowsUpdate.exe.42d9930.8.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.2.WindowsUpdate.exe.42d9930.8.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.409c0d.27.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger<br>- 0x75cca:$salt: 099u787978786<br>- 0x740a9:$string1: HawkEye_Keylogger<br>- 0x74efc:$string1: HawkEye_Keylogger<br>- 0x75c2a:$string1: HawkEye_Keylogger<br>- 0x74492:$string2: holdermail.txt<br>- 0x744b2:$string2: holdermail.txt<br>- 0x743d4:$string3: wallet.dat<br>- 0x743ec:$string3: wallet.dat<br>- 0x74402:$string3: wallet.dat<br>- 0x757ee:$string4: Keylog Records<br>- 0x75b06:$string4: Keylog Records<br>- 0x75d22:$string5: do not script --><br>- 0x73a34:$string6: \pidloc.txt<br>- 0x73ac2:$string7: BSPLIT<br>- 0x73ad2:$string7: BSPLIT |
7.0.NEW PO.exe.409c0d.27.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.27.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.409c0d.27.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.409c0d.27.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger<br>- 0x74f42:$hawkstr1: HawkEye Keylogger<br>- 0x75271:$hawkstr1: HawkEye Keylogger<br>- 0x753cc:$hawkstr1: HawkEye Keylogger<br>- 0x7552f:$hawkstr1: HawkEye Keylogger<br>- 0x757c6:$hawkstr1: HawkEye Keylogger<br>- 0x73c73:$hawkstr2: Dear HawkEye Customers!<br>- 0x752c4:$hawkstr2: Dear HawkEye Customers!<br>- 0x7541b:$hawkstr2: Dear HawkEye Customers!<br>- 0x75582:$hawkstr2: Dear HawkEye Customers!<br>- 0x73d94:$hawkstr3: HawkEye Logger Details: |
7.2.NEW PO.exe.2af76d8.6.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger<br>- 0x75cca:$salt: 099u787978786<br>- 0x740a9:$string1: HawkEye_Keylogger<br>- 0x74efc:$string1: HawkEye_Keylogger<br>- 0x75c2a:$string1: HawkEye_Keylogger<br>- 0x74492:$string2: holdermail.txt<br>- 0x744b2:$string2: holdermail.txt<br>- 0x743d4:$string3: wallet.dat<br>- 0x743ec:$string3: wallet.dat<br>- 0x74402:$string3: wallet.dat<br>- 0x757ee:$string4: Keylog Records<br>- 0x75b06:$string4: Keylog Records<br>- 0x75d22:$string5: do not script --><br>- 0x73a34:$string6: \pidloc.txt<br>- 0x73ac2:$string7: BSPLIT<br>- 0x73ad2:$string7: BSPLIT |
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.22.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger<br>- 0x74f42:$hawkstr1: HawkEye Keylogger<br>- 0x75271:$hawkstr1: HawkEye Keylogger<br>- 0x753cc:$hawkstr1: HawkEye Keylogger<br>- 0x7552f:$hawkstr1: HawkEye Keylogger<br>- 0x757c6:$hawkstr1: HawkEye Keylogger<br>- 0x73c73:$hawkstr2: Dear HawkEye Customers!<br>- 0x752c4:$hawkstr2: Dear HawkEye Customers!<br>- 0x7541b:$hawkstr2: Dear HawkEye Customers!<br>- 0x75582:$hawkstr2: Dear HawkEye Customers!<br>- 0x73d94:$hawkstr3: HawkEye Logger Details: |
18.0.WindowsUpdate.exe.332d36c.31.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.2.NEW PO.exe.409c0d.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger<br>- 0x75cca:$salt: 099u787978786<br>- 0x740a9:$string1: HawkEye_Keylogger<br>- 0x74efc:$string1: HawkEye_Keylogger<br>- 0x75c2a:$string1: HawkEye_Keylogger<br>- 0x74492:$string2: holdermail.txt<br>- 0x744b2:$string2: holdermail.txt<br>- 0x743d4:$string3: wallet.dat<br>- 0x743ec:$string3: wallet.dat<br>- 0x74402:$string3: wallet.dat<br>- 0x757ee:$string4: Keylog Records<br>- 0x75b06:$string4: Keylog Records<br>- 0x75d22:$string5: do not script --><br>- 0x73a34:$string6: \pidloc.txt<br>- 0x73ac2:$string7: BSPLIT<br>- 0x73ad2:$string7: BSPLIT |
7.2.NEW PO.exe.409c0d.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.NEW PO.exe.409c0d.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.2.NEW PO.exe.409c0d.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.NEW PO.exe.409c0d.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger<br>- 0x74f42:$hawkstr1: HawkEye Keylogger<br>- 0x75271:$hawkstr1: HawkEye Keylogger<br>- 0x753cc:$hawkstr1: HawkEye Keylogger<br>- 0x7552f:$hawkstr1: HawkEye Keylogger<br>- 0x757c6:$hawkstr1: HawkEye Keylogger<br>- 0x73c73:$hawkstr2: Dear HawkEye Customers!<br>- 0x752c4:$hawkstr2: Dear HawkEye Customers!<br>- 0x7541b:$hawkstr2: Dear HawkEye Customers!<br>- 0x75582:$hawkstr2: Dear HawkEye Customers!<br>- 0x73d94:$hawkstr3: HawkEye Logger Details: |
18.0.WindowsUpdate.exe.8640000.35.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
18.0.WindowsUpdate.exe.409c0d.12.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.400000.6.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger<br>- 0x7dad7:$salt: 099u787978786<br>- 0x7beb6:$string1: HawkEye_Keylogger<br>- 0x7cd09:$string1: HawkEye_Keylogger<br>- 0x7da37:$string1: HawkEye_Keylogger<br>- 0x7c29f:$string2: holdermail.txt<br>- 0x7c2bf:$string2: holdermail.txt<br>- 0x7c1e1:$string3: wallet.dat<br>- 0x7c1f9:$string3: wallet.dat<br>- 0x7c20f:$string3: wallet.dat<br>- 0x7d5fb:$string4: Keylog Records<br>- 0x7d913:$string4: Keylog Records<br>- 0x7db2f:$string5: do not script --><br>- 0x7b841:$string6: \pidloc.txt<br>- 0x7b8cf:$string7: BSPLIT<br>- 0x7b8df:$string7: BSPLIT |
16.0.WindowsUpdate.exe.400000.6.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
16.0.WindowsUpdate.exe.400000.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.400000.6.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.400000.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.400000.6.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf0e:$hawkstr1: HawkEye Keylogger; 0x7cd4f:$hawkstr1: HawkEye Keylogger; 0x7d07e:$hawkstr1: HawkEye Keylogger; 0x7d1d9:$hawkstr1: HawkEye Keylogger; 0x7d33c:$hawkstr1: HawkEye Keylogger; 0x7d5d3:$hawkstr1: HawkEye Keylogger; 0x7ba80:$hawkstr2: Dear HawkEye Customers!; 0x7d0d1:$hawkstr2: Dear HawkEye Customers!; 0x7d228:$hawkstr2: Dear HawkEye Customers!; 0x7d38f:$hawkstr2: Dear HawkEye Customers!; 0x7bba1:$hawkstr3: HawkEye Logger Details: |
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dbe7:$key: HawkEyeKeylogger; 0x1fe65:$salt: 099u787978786; 0x1e244:$string1: HawkEye_Keylogger; 0x1f097:$string1: HawkEye_Keylogger; 0x1fdc5:$string1: HawkEye_Keylogger; 0x1e62d:$string2: holdermail.txt; 0x1e64d:$string2: holdermail.txt; 0x1e56f:$string3: wallet.dat; 0x1e587:$string3: wallet.dat; 0x1e59d:$string3: wallet.dat; 0x1f989:$string4: Keylog Records; 0x1fca1:$string4: Keylog Records; 0x1febd:$string5: do not script -->; 0x1dbcf:$string6: \pidloc.txt; 0x1dc5d:$string7: BSPLIT; 0x1dc6d:$string7: BSPLIT |
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.23.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e29c:$hawkstr1: HawkEye Keylogger; 0x1f0dd:$hawkstr1: HawkEye Keylogger; 0x1f40c:$hawkstr1: HawkEye Keylogger; 0x1f567:$hawkstr1: HawkEye Keylogger; 0x1f6ca:$hawkstr1: HawkEye Keylogger; 0x1f961:$hawkstr1: HawkEye Keylogger; 0x1de0e:$hawkstr2: Dear HawkEye Customers!; 0x1f45f:$hawkstr2: Dear HawkEye Customers!; 0x1f5b6:$hawkstr2: Dear HawkEye Customers!; 0x1f71d:$hawkstr2: Dear HawkEye Customers!; 0x1df2f:$hawkstr3: HawkEye Logger Details: |
23.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.19.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.35e4248.43.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a4c:$key: HawkEyeKeylogger; 0x75cca:$salt: 099u787978786; 0x740a9:$string1: HawkEye_Keylogger; 0x74efc:$string1: HawkEye_Keylogger; 0x75c2a:$string1: HawkEye_Keylogger; 0x74492:$string2: holdermail.txt; 0x744b2:$string2: holdermail.txt; 0x743d4:$string3: wallet.dat; 0x743ec:$string3: wallet.dat; 0x74402:$string3: wallet.dat; 0x757ee:$string4: Keylog Records; 0x75b06:$string4: Keylog Records; 0x75d22:$string5: do not script -->; 0x73a34:$string6: \pidloc.txt; 0x73ac2:$string7: BSPLIT; 0x73ad2:$string7: BSPLIT |
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.12.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x74101:$hawkstr1: HawkEye Keylogger; 0x74f42:$hawkstr1: HawkEye Keylogger; 0x75271:$hawkstr1: HawkEye Keylogger; 0x753cc:$hawkstr1: HawkEye Keylogger; 0x7552f:$hawkstr1: HawkEye Keylogger; 0x757c6:$hawkstr1: HawkEye Keylogger; 0x73c73:$hawkstr2: Dear HawkEye Customers!; 0x752c4:$hawkstr2: Dear HawkEye Customers!; 0x7541b:$hawkstr2: Dear HawkEye Customers!; 0x75582:$hawkstr2: Dear HawkEye Customers!; 0x73d94:$hawkstr3: HawkEye Logger Details: |
16.0.WindowsUpdate.exe.408208.23.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x75451:$key: HawkEyeKeylogger; 0x776cf:$salt: 099u787978786; 0x75aae:$string1: HawkEye_Keylogger; 0x76901:$string1: HawkEye_Keylogger; 0x7762f:$string1: HawkEye_Keylogger; 0x75e97:$string2: holdermail.txt; 0x75eb7:$string2: holdermail.txt; 0x75dd9:$string3: wallet.dat; 0x75df1:$string3: wallet.dat; 0x75e07:$string3: wallet.dat; 0x771f3:$string4: Keylog Records; 0x7750b:$string4: Keylog Records; 0x77727:$string5: do not script -->; 0x75439:$string6: \pidloc.txt; 0x754c7:$string7: BSPLIT; 0x754d7:$string7: BSPLIT |
16.0.WindowsUpdate.exe.408208.23.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
16.0.WindowsUpdate.exe.408208.23.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.408208.23.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.408208.23.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.408208.23.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x75b06:$hawkstr1: HawkEye Keylogger; 0x76947:$hawkstr1: HawkEye Keylogger; 0x76c76:$hawkstr1: HawkEye Keylogger; 0x76dd1:$hawkstr1: HawkEye Keylogger; 0x76f34:$hawkstr1: HawkEye Keylogger; 0x771cb:$hawkstr1: HawkEye Keylogger; 0x75678:$hawkstr2: Dear HawkEye Customers!; 0x76cc9:$hawkstr2: Dear HawkEye Customers!; 0x76e20:$hawkstr2: Dear HawkEye Customers!; 0x76f87:$hawkstr2: Dear HawkEye Customers!; 0x75799:$hawkstr3: HawkEye Logger Details: |
11.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.11.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b859:$key: HawkEyeKeylogger; 0x7dad7:$salt: 099u787978786; 0x7beb6:$string1: HawkEye_Keylogger; 0x7cd09:$string1: HawkEye_Keylogger; 0x7da37:$string1: HawkEye_Keylogger; 0x7c29f:$string2: holdermail.txt; 0x7c2bf:$string2: holdermail.txt; 0x7c1e1:$string3: wallet.dat; 0x7c1f9:$string3: wallet.dat; 0x7c20f:$string3: wallet.dat; 0x7d5fb:$string4: Keylog Records; 0x7d913:$string4: Keylog Records; 0x7db2f:$string5: do not script -->; 0x7b841:$string6: \pidloc.txt; 0x7b8cf:$string7: BSPLIT; 0x7b8df:$string7: BSPLIT |
7.0.NEW PO.exe.400000.11.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.0.NEW PO.exe.400000.11.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.11.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.400000.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.400000.11.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf0e:$hawkstr1: HawkEye Keylogger; 0x7cd4f:$hawkstr1: HawkEye Keylogger; 0x7d07e:$hawkstr1: HawkEye Keylogger; 0x7d1d9:$hawkstr1: HawkEye Keylogger; 0x7d33c:$hawkstr1: HawkEye Keylogger; 0x7d5d3:$hawkstr1: HawkEye Keylogger; 0x7ba80:$hawkstr2: Dear HawkEye Customers!; 0x7d0d1:$hawkstr2: Dear HawkEye Customers!; 0x7d228:$hawkstr2: Dear HawkEye Customers!; 0x7d38f:$hawkstr2: Dear HawkEye Customers!; 0x7bba1:$hawkstr3: HawkEye Logger Details: |
18.2.WindowsUpdate.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b859:$key: HawkEyeKeylogger; 0x7dad7:$salt: 099u787978786; 0x7beb6:$string1: HawkEye_Keylogger; 0x7cd09:$string1: HawkEye_Keylogger; 0x7da37:$string1: HawkEye_Keylogger; 0x7c29f:$string2: holdermail.txt; 0x7c2bf:$string2: holdermail.txt; 0x7c1e1:$string3: wallet.dat; 0x7c1f9:$string3: wallet.dat; 0x7c20f:$string3: wallet.dat; 0x7d5fb:$string4: Keylog Records; 0x7d913:$string4: Keylog Records; 0x7db2f:$string5: do not script -->; 0x7b841:$string6: \pidloc.txt; 0x7b8cf:$string7: BSPLIT; 0x7b8df:$string7: BSPLIT |
18.2.WindowsUpdate.exe.400000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
18.2.WindowsUpdate.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.2.WindowsUpdate.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.2.WindowsUpdate.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.2.WindowsUpdate.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf0e:$hawkstr1: HawkEye Keylogger; 0x7cd4f:$hawkstr1: HawkEye Keylogger; 0x7d07e:$hawkstr1: HawkEye Keylogger; 0x7d1d9:$hawkstr1: HawkEye Keylogger; 0x7d33c:$hawkstr1: HawkEye Keylogger; 0x7d5d3:$hawkstr1: HawkEye Keylogger; 0x7ba80:$hawkstr2: Dear HawkEye Customers!; 0x7d0d1:$hawkstr2: Dear HawkEye Customers!; 0x7d228:$hawkstr2: Dear HawkEye Customers!; 0x7d38f:$hawkstr2: Dear HawkEye Customers!; 0x7bba1:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.409c0d.12.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.2.WindowsUpdate.exe.45fa72.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.14.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.23.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.8640000.47.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.0.NEW PO.exe.400000.6.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b859:$key: HawkEyeKeylogger; 0x7dad7:$salt: 099u787978786; 0x7beb6:$string1: HawkEye_Keylogger; 0x7cd09:$string1: HawkEye_Keylogger; 0x7da37:$string1: HawkEye_Keylogger; 0x7c29f:$string2: holdermail.txt; 0x7c2bf:$string2: holdermail.txt; 0x7c1e1:$string3: wallet.dat; 0x7c1f9:$string3: wallet.dat; 0x7c20f:$string3: wallet.dat; 0x7d5fb:$string4: Keylog Records; 0x7d913:$string4: Keylog Records; 0x7db2f:$string5: do not script -->; 0x7b841:$string6: \pidloc.txt; 0x7b8cf:$string7: BSPLIT; 0x7b8df:$string7: BSPLIT |
7.0.NEW PO.exe.400000.6.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
7.0.NEW PO.exe.400000.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.6.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.400000.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.400000.6.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf0e:$hawkstr1: HawkEye Keylogger; 0x7cd4f:$hawkstr1: HawkEye Keylogger; 0x7d07e:$hawkstr1: HawkEye Keylogger; 0x7d1d9:$hawkstr1: HawkEye Keylogger; 0x7d33c:$hawkstr1: HawkEye Keylogger; 0x7d5d3:$hawkstr1: HawkEye Keylogger; 0x7ba80:$hawkstr2: Dear HawkEye Customers!; 0x7d0d1:$hawkstr2: Dear HawkEye Customers!; 0x7d228:$hawkstr2: Dear HawkEye Customers!; 0x7d38f:$hawkstr2: Dear HawkEye Customers!; 0x7bba1:$hawkstr3: HawkEye Logger Details: |
16.2.WindowsUpdate.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b859:$key: HawkEyeKeylogger; 0x7dad7:$salt: 099u787978786; 0x7beb6:$string1: HawkEye_Keylogger; 0x7cd09:$string1: HawkEye_Keylogger; 0x7da37:$string1: HawkEye_Keylogger; 0x7c29f:$string2: holdermail.txt; 0x7c2bf:$string2: holdermail.txt; 0x7c1e1:$string3: wallet.dat; 0x7c1f9:$string3: wallet.dat; 0x7c20f:$string3: wallet.dat; 0x7d5fb:$string4: Keylog Records; 0x7d913:$string4: Keylog Records; 0x7db2f:$string5: do not script -->; 0x7b841:$string6: \pidloc.txt; 0x7b8cf:$string7: BSPLIT; 0x7b8df:$string7: BSPLIT |
18.0.WindowsUpdate.exe.408208.7.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x75451:$key: HawkEyeKeylogger; 0x776cf:$salt: 099u787978786; 0x75aae:$string1: HawkEye_Keylogger; 0x76901:$string1: HawkEye_Keylogger; 0x7762f:$string1: HawkEye_Keylogger; 0x75e97:$string2: holdermail.txt; 0x75eb7:$string2: holdermail.txt; 0x75dd9:$string3: wallet.dat; 0x75df1:$string3: wallet.dat; 0x75e07:$string3: wallet.dat; 0x771f3:$string4: Keylog Records; 0x7750b:$string4: Keylog Records; 0x77727:$string5: do not script -->; 0x75439:$string6: \pidloc.txt; 0x754c7:$string7: BSPLIT; 0x754d7:$string7: BSPLIT |
16.2.WindowsUpdate.exe.400000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
18.0.WindowsUpdate.exe.408208.7.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
16.2.WindowsUpdate.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.2.WindowsUpdate.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.2.WindowsUpdate.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.2.WindowsUpdate.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf0e:$hawkstr1: HawkEye Keylogger; 0x7cd4f:$hawkstr1: HawkEye Keylogger; 0x7d07e:$hawkstr1: HawkEye Keylogger; 0x7d1d9:$hawkstr1: HawkEye Keylogger; 0x7d33c:$hawkstr1: HawkEye Keylogger; 0x7d5d3:$hawkstr1: HawkEye Keylogger; 0x7ba80:$hawkstr2: Dear HawkEye Customers!; 0x7d0d1:$hawkstr2: Dear HawkEye Customers!; 0x7d228:$hawkstr2: Dear HawkEye Customers!; 0x7d38f:$hawkstr2: Dear HawkEye Customers!; 0x7bba1:$hawkstr3: HawkEye Logger Details: |
18.0.WindowsUpdate.exe.408208.7.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.408208.7.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.408208.7.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.408208.7.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x75b06:$hawkstr1: HawkEye Keylogger; 0x76947:$hawkstr1: HawkEye Keylogger; 0x76c76:$hawkstr1: HawkEye Keylogger; 0x76dd1:$hawkstr1: HawkEye Keylogger; 0x76f34:$hawkstr1: HawkEye Keylogger; 0x771cb:$hawkstr1: HawkEye Keylogger; 0x75678:$hawkstr2: Dear HawkEye Customers!; 0x76cc9:$hawkstr2: Dear HawkEye Customers!; 0x76e20:$hawkstr2: Dear HawkEye Customers!; 0x76f87:$hawkstr2: Dear HawkEye Customers!; 0x75799:$hawkstr3: HawkEye Logger Details: |
18.0.WindowsUpdate.exe.400000.26.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b859:$key: HawkEyeKeylogger; 0x7dad7:$salt: 099u787978786; 0x7beb6:$string1: HawkEye_Keylogger; 0x7cd09:$string1: HawkEye_Keylogger; 0x7da37:$string1: HawkEye_Keylogger; 0x7c29f:$string2: holdermail.txt; 0x7c2bf:$string2: holdermail.txt; 0x7c1e1:$string3: wallet.dat; 0x7c1f9:$string3: wallet.dat; 0x7c20f:$string3: wallet.dat; 0x7d5fb:$string4: Keylog Records; 0x7d913:$string4: Keylog Records; 0x7db2f:$string5: do not script -->; 0x7b841:$string6: \pidloc.txt; 0x7b8cf:$string7: BSPLIT; 0x7b8df:$string7: BSPLIT |
18.0.WindowsUpdate.exe.400000.26.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
18.0.WindowsUpdate.exe.400000.26.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.400000.26.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.400000.26.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.400000.26.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf0e:$hawkstr1: HawkEye Keylogger; 0x7cd4f:$hawkstr1: HawkEye Keylogger; 0x7d07e:$hawkstr1: HawkEye Keylogger; 0x7d1d9:$hawkstr1: HawkEye Keylogger; 0x7d33c:$hawkstr1: HawkEye Keylogger; 0x7d5d3:$hawkstr1: HawkEye Keylogger; 0x7ba80:$hawkstr2: Dear HawkEye Customers!; 0x7d0d1:$hawkstr2: Dear HawkEye Customers!; 0x7d228:$hawkstr2: Dear HawkEye Customers!; 0x7d38f:$hawkstr2: Dear HawkEye Customers!; 0x7bba1:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.2afd174.31.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
0.2.NEW PO.exe.474fbd0.5.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x79a59:$key: HawkEyeKeylogger; 0x7bcd7:$salt: 099u787978786; 0x7a0b6:$string1: HawkEye_Keylogger; 0x7af09:$string1: HawkEye_Keylogger; 0x7bc37:$string1: HawkEye_Keylogger; 0x7a49f:$string2: holdermail.txt; 0x7a4bf:$string2: holdermail.txt; 0x7a3e1:$string3: wallet.dat; 0x7a3f9:$string3: wallet.dat; 0x7a40f:$string3: wallet.dat; 0x7b7fb:$string4: Keylog Records; 0x7bb13:$string4: Keylog Records; 0x7bd2f:$string5: do not script -->; 0x79a41:$string6: \pidloc.txt; 0x79acf:$string7: BSPLIT; 0x79adf:$string7: BSPLIT |
0.2.NEW PO.exe.474fbd0.5.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
0.2.NEW PO.exe.474fbd0.5.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
0.2.NEW PO.exe.474fbd0.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.NEW PO.exe.474fbd0.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.NEW PO.exe.474fbd0.5.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7a10e:$hawkstr1: HawkEye Keylogger; 0x7af4f:$hawkstr1: HawkEye Keylogger; 0x7b27e:$hawkstr1: HawkEye Keylogger; 0x7b3d9:$hawkstr1: HawkEye Keylogger; 0x7b53c:$hawkstr1: HawkEye Keylogger; 0x7b7d3:$hawkstr1: HawkEye Keylogger; 0x79c80:$hawkstr2: Dear HawkEye Customers!; 0x7b2d1:$hawkstr2: Dear HawkEye Customers!; 0x7b428:$hawkstr2: Dear HawkEye Customers!; 0x7b58f:$hawkstr2: Dear HawkEye Customers!; 0x79da1:$hawkstr3: HawkEye Logger Details: |
10.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dbe7:$key: HawkEyeKeylogger; 0x1fe65:$salt: 099u787978786; 0x1e244:$string1: HawkEye_Keylogger; 0x1f097:$string1: HawkEye_Keylogger; 0x1fdc5:$string1: HawkEye_Keylogger; 0x1e62d:$string2: holdermail.txt; 0x1e64d:$string2: holdermail.txt; 0x1e56f:$string3: wallet.dat; 0x1e587:$string3: wallet.dat; 0x1e59d:$string3: wallet.dat; 0x1f989:$string4: Keylog Records; 0x1fca1:$string4: Keylog Records; 0x1febd:$string5: do not script -->; 0x1dbcf:$string6: \pidloc.txt; 0x1dc5d:$string7: BSPLIT; 0x1dc6d:$string7: BSPLIT |
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.22.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e29c:$hawkstr1: HawkEye Keylogger; 0x1f0dd:$hawkstr1: HawkEye Keylogger; 0x1f40c:$hawkstr1: HawkEye Keylogger; 0x1f567:$hawkstr1: HawkEye Keylogger; 0x1f6ca:$hawkstr1: HawkEye Keylogger; 0x1f961:$hawkstr1: HawkEye Keylogger; 0x1de0e:$hawkstr2: Dear HawkEye Customers!; 0x1f45f:$hawkstr2: Dear HawkEye Customers!; 0x1f5b6:$hawkstr2: Dear HawkEye Customers!; 0x1f71d:$hawkstr2: Dear HawkEye Customers!; 0x1df2f:$hawkstr3: HawkEye Logger Details: |
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dbe7:$key: HawkEyeKeylogger; 0x1fe65:$salt: 099u787978786; 0x1e244:$string1: HawkEye_Keylogger; 0x1f097:$string1: HawkEye_Keylogger; 0x1fdc5:$string1: HawkEye_Keylogger; 0x1e62d:$string2: holdermail.txt; 0x1e64d:$string2: holdermail.txt; 0x1e56f:$string3: wallet.dat; 0x1e587:$string3: wallet.dat; 0x1e59d:$string3: wallet.dat; 0x1f989:$string4: Keylog Records; 0x1fca1:$string4: Keylog Records; 0x1febd:$string5: do not script -->; 0x1dbcf:$string6: \pidloc.txt; 0x1dc5d:$string7: BSPLIT; 0x1dc6d:$string7: BSPLIT |
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.38.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e29c:$hawkstr1: HawkEye Keylogger; 0x1f0dd:$hawkstr1: HawkEye Keylogger; 0x1f40c:$hawkstr1: HawkEye Keylogger; 0x1f567:$hawkstr1: HawkEye Keylogger; 0x1f6ca:$hawkstr1: HawkEye Keylogger; 0x1f961:$hawkstr1: HawkEye Keylogger; 0x1de0e:$hawkstr2: Dear HawkEye Customers!; 0x1f45f:$hawkstr2: Dear HawkEye Customers!; 0x1f5b6:$hawkstr2: Dear HawkEye Customers!; 0x1f71d:$hawkstr2: Dear HawkEye Customers!; 0x1df2f:$hawkstr3: HawkEye Logger Details: |
23.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.2.WindowsUpdate.exe.408208.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x75451:$key: HawkEyeKeylogger; 0x776cf:$salt: 099u787978786; 0x75aae:$string1: HawkEye_Keylogger; 0x76901:$string1: HawkEye_Keylogger; 0x7762f:$string1: HawkEye_Keylogger; 0x75e97:$string2: holdermail.txt; 0x75eb7:$string2: holdermail.txt; 0x75dd9:$string3: wallet.dat; 0x75df1:$string3: wallet.dat; 0x75e07:$string3: wallet.dat; 0x771f3:$string4: Keylog Records; 0x7750b:$string4: Keylog Records; 0x77727:$string5: do not script -->; 0x75439:$string6: \pidloc.txt; 0x754c7:$string7: BSPLIT; 0x754d7:$string7: BSPLIT |
16.2.WindowsUpdate.exe.408208.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
16.2.WindowsUpdate.exe.408208.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.2.WindowsUpdate.exe.408208.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.2.WindowsUpdate.exe.408208.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.2.WindowsUpdate.exe.408208.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x75b06:$hawkstr1: HawkEye Keylogger; 0x76947:$hawkstr1: HawkEye Keylogger; 0x76c76:$hawkstr1: HawkEye Keylogger; 0x76dd1:$hawkstr1: HawkEye Keylogger; 0x76f34:$hawkstr1: HawkEye Keylogger; 0x771cb:$hawkstr1: HawkEye Keylogger; 0x75678:$hawkstr2: Dear HawkEye Customers!; 0x76cc9:$hawkstr2: Dear HawkEye Customers!; 0x76e20:$hawkstr2: Dear HawkEye Customers!; 0x76f87:$hawkstr2: Dear HawkEye Customers!; 0x75799:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.45fa72.40.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dbe7:$key: HawkEyeKeylogger; 0x1fe65:$salt: 099u787978786; 0x1e244:$string1: HawkEye_Keylogger; 0x1f097:$string1: HawkEye_Keylogger; 0x1fdc5:$string1: HawkEye_Keylogger; 0x1e62d:$string2: holdermail.txt; 0x1e64d:$string2: holdermail.txt; 0x1e56f:$string3: wallet.dat; 0x1e587:$string3: wallet.dat; 0x1e59d:$string3: wallet.dat; 0x1f989:$string4: Keylog Records; 0x1fca1:$string4: Keylog Records; 0x1febd:$string5: do not script -->; 0x1dbcf:$string6: \pidloc.txt; 0x1dc5d:$string7: BSPLIT; 0x1dc6d:$string7: BSPLIT |
7.0.NEW PO.exe.45fa72.40.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.40.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.45fa72.40.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e29c:$hawkstr1: HawkEye Keylogger; 0x1f0dd:$hawkstr1: HawkEye Keylogger; 0x1f40c:$hawkstr1: HawkEye Keylogger; 0x1f567:$hawkstr1: HawkEye Keylogger; 0x1f6ca:$hawkstr1: HawkEye Keylogger; 0x1f961:$hawkstr1: HawkEye Keylogger; 0x1de0e:$hawkstr2: Dear HawkEye Customers!; 0x1f45f:$hawkstr2: Dear HawkEye Customers!; 0x1f5b6:$hawkstr2: Dear HawkEye Customers!; 0x1f71d:$hawkstr2: Dear HawkEye Customers!; 0x1df2f:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.45fa72.24.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.0.vbc.exe.400000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a4c:$key: HawkEyeKeylogger; 0x75cca:$salt: 099u787978786; 0x740a9:$string1: HawkEye_Keylogger; 0x74efc:$string1: HawkEye_Keylogger; 0x75c2a:$string1: HawkEye_Keylogger; 0x74492:$string2: holdermail.txt; 0x744b2:$string2: holdermail.txt; 0x743d4:$string3: wallet.dat; 0x743ec:$string3: wallet.dat; 0x74402:$string3: wallet.dat; 0x757ee:$string4: Keylog Records; 0x75b06:$string4: Keylog Records; 0x75d22:$string5: do not script -->; 0x73a34:$string6: \pidloc.txt; 0x73ac2:$string7: BSPLIT; 0x73ad2:$string7: BSPLIT |
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.2.WindowsUpdate.exe.409c0d.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x74101:$hawkstr1: HawkEye Keylogger; 0x74f42:$hawkstr1: HawkEye Keylogger; 0x75271:$hawkstr1: HawkEye Keylogger; 0x753cc:$hawkstr1: HawkEye Keylogger; 0x7552f:$hawkstr1: HawkEye Keylogger; 0x757c6:$hawkstr1: HawkEye Keylogger; 0x73c73:$hawkstr2: Dear HawkEye Customers!; 0x752c4:$hawkstr2: Dear HawkEye Customers!; 0x7541b:$hawkstr2: Dear HawkEye Customers!; 0x75582:$hawkstr2: Dear HawkEye Customers!; 0x73d94:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.3aa9930.46.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.3aa9930.46.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a4c:$key: HawkEyeKeylogger; 0x75cca:$salt: 099u787978786; 0x740a9:$string1: HawkEye_Keylogger; 0x74efc:$string1: HawkEye_Keylogger; 0x75c2a:$string1: HawkEye_Keylogger; 0x74492:$string2: holdermail.txt; 0x744b2:$string2: holdermail.txt; 0x743d4:$string3: wallet.dat; 0x743ec:$string3: wallet.dat; 0x74402:$string3: wallet.dat; 0x757ee:$string4: Keylog Records; 0x75b06:$string4: Keylog Records; 0x75d22:$string5: do not script -->; 0x73a34:$string6: \pidloc.txt; 0x73ac2:$string7: BSPLIT; 0x73ad2:$string7: BSPLIT |
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.2.WindowsUpdate.exe.409c0d.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x74101:$hawkstr1: HawkEye Keylogger; 0x74f42:$hawkstr1: HawkEye Keylogger; 0x75271:$hawkstr1: HawkEye Keylogger; 0x753cc:$hawkstr1: HawkEye Keylogger; 0x7552f:$hawkstr1: HawkEye Keylogger; 0x757c6:$hawkstr1: HawkEye Keylogger; 0x73c73:$hawkstr2: Dear HawkEye Customers!; 0x752c4:$hawkstr2: Dear HawkEye Customers!; 0x7541b:$hawkstr2: Dear HawkEye Customers!; 0x75582:$hawkstr2: Dear HawkEye Customers!; 0x73d94:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.3aa9930.46.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.19.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a4c:$key: HawkEyeKeylogger; 0x75cca:$salt: 099u787978786; 0x740a9:$string1: HawkEye_Keylogger; 0x74efc:$string1: HawkEye_Keylogger; 0x75c2a:$string1: HawkEye_Keylogger; 0x74492:$string2: holdermail.txt; 0x744b2:$string2: holdermail.txt; 0x743d4:$string3: wallet.dat; 0x743ec:$string3: wallet.dat; 0x74402:$string3: wallet.dat; 0x757ee:$string4: Keylog Records; 0x75b06:$string4: Keylog Records; 0x75d22:$string5: do not script -->; 0x73a34:$string6: \pidloc.txt; 0x73ac2:$string7: BSPLIT; 0x73ad2:$string7: BSPLIT |
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dbe7:$key: HawkEyeKeylogger; 0x1fe65:$salt: 099u787978786; 0x1e244:$string1: HawkEye_Keylogger; 0x1f097:$string1: HawkEye_Keylogger; 0x1fdc5:$string1: HawkEye_Keylogger; 0x1e62d:$string2: holdermail.txt; 0x1e64d:$string2: holdermail.txt; 0x1e56f:$string3: wallet.dat; 0x1e587:$string3: wallet.dat; 0x1e59d:$string3: wallet.dat; 0x1f989:$string4: Keylog Records; 0x1fca1:$string4: Keylog Records; 0x1febd:$string5: do not script -->; 0x1dbcf:$string6: \pidloc.txt; 0x1dc5d:$string7: BSPLIT; 0x1dc6d:$string7: BSPLIT |
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.29.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e29c:$hawkstr1: HawkEye Keylogger; 0x1f0dd:$hawkstr1: HawkEye Keylogger; 0x1f40c:$hawkstr1: HawkEye Keylogger; 0x1f567:$hawkstr1: HawkEye Keylogger; 0x1f6ca:$hawkstr1: HawkEye Keylogger; 0x1f961:$hawkstr1: HawkEye Keylogger; 0x1de0e:$hawkstr2: Dear HawkEye Customers!; 0x1f45f:$hawkstr2: Dear HawkEye Customers!; 0x1f5b6:$hawkstr2: Dear HawkEye Customers!; 0x1f71d:$hawkstr2: Dear HawkEye Customers!; 0x1df2f:$hawkstr3: HawkEye Logger Details: |
7.0.NEW PO.exe.409c0d.19.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.19.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.409c0d.19.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.409c0d.19.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
7.0.NEW PO.exe.409c0d.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
11.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.3ac2370.47.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger
- 0x1fe65:$salt: 099u787978786
- 0x1e244:$string1: HawkEye_Keylogger
- 0x1f097:$string1: HawkEye_Keylogger
- 0x1fdc5:$string1: HawkEye_Keylogger
- 0x1e62d:$string2: holdermail.txt
- 0x1e64d:$string2: holdermail.txt
- 0x1e56f:$string3: wallet.dat
- 0x1e587:$string3: wallet.dat
- 0x1e59d:$string3: wallet.dat
- 0x1f989:$string4: Keylog Records
- 0x1fca1:$string4: Keylog Records
- 0x1febd:$string5: do not script -->
- 0x1dbcf:$string6: \pidloc.txt
- 0x1dc5d:$string7: BSPLIT
- 0x1dc6d:$string7: BSPLIT
|
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.2.WindowsUpdate.exe.45fa72.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger
- 0x1f0dd:$hawkstr1: HawkEye Keylogger
- 0x1f40c:$hawkstr1: HawkEye Keylogger
- 0x1f567:$hawkstr1: HawkEye Keylogger
- 0x1f6ca:$hawkstr1: HawkEye Keylogger
- 0x1f961:$hawkstr1: HawkEye Keylogger
- 0x1de0e:$hawkstr2: Dear HawkEye Customers!
- 0x1f45f:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!
- 0x1f71d:$hawkstr2: Dear HawkEye Customers!
- 0x1df2f:$hawkstr3: HawkEye Logger Details:
|
18.2.WindowsUpdate.exe.42d9930.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
23.0.vbc.exe.400000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.23.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger
- 0x75cca:$salt: 099u787978786
- 0x740a9:$string1: HawkEye_Keylogger
- 0x74efc:$string1: HawkEye_Keylogger
- 0x75c2a:$string1: HawkEye_Keylogger
- 0x74492:$string2: holdermail.txt
- 0x744b2:$string2: holdermail.txt
- 0x743d4:$string3: wallet.dat
- 0x743ec:$string3: wallet.dat
- 0x74402:$string3: wallet.dat
- 0x757ee:$string4: Keylog Records
- 0x75b06:$string4: Keylog Records
- 0x75d22:$string5: do not script -->
- 0x73a34:$string6: \pidloc.txt
- 0x73ac2:$string7: BSPLIT
- 0x73ad2:$string7: BSPLIT
|
7.0.NEW PO.exe.409c0d.23.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.23.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.409c0d.23.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.409c0d.23.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
7.0.NEW PO.exe.2d94168.32.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
23.0.vbc.exe.400000.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.35e4248.32.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.2.WindowsUpdate.exe.408208.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
18.2.WindowsUpdate.exe.408208.2.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.2.WindowsUpdate.exe.408208.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.2.WindowsUpdate.exe.408208.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.2.WindowsUpdate.exe.408208.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.2.WindowsUpdate.exe.408208.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
11.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger
- 0x75cca:$salt: 099u787978786
- 0x740a9:$string1: HawkEye_Keylogger
- 0x74efc:$string1: HawkEye_Keylogger
- 0x75c2a:$string1: HawkEye_Keylogger
- 0x74492:$string2: holdermail.txt
- 0x744b2:$string2: holdermail.txt
- 0x743d4:$string3: wallet.dat
- 0x743ec:$string3: wallet.dat
- 0x74402:$string3: wallet.dat
- 0x757ee:$string4: Keylog Records
- 0x75b06:$string4: Keylog Records
- 0x75d22:$string5: do not script -->
- 0x73a34:$string6: \pidloc.txt
- 0x73ac2:$string7: BSPLIT
- 0x73ad2:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.39.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
23.0.vbc.exe.400000.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.42f2370.46.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.2.WindowsUpdate.exe.8660000.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.409c0d.27.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
23.0.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.0.vbc.exe.400000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.38.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.NEW PO.exe.2acb1c8.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.332d36c.42.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
11.0.vbc.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.12.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger
- 0x75cca:$salt: 099u787978786
- 0x740a9:$string1: HawkEye_Keylogger
- 0x74efc:$string1: HawkEye_Keylogger
- 0x75c2a:$string1: HawkEye_Keylogger
- 0x74492:$string2: holdermail.txt
- 0x744b2:$string2: holdermail.txt
- 0x743d4:$string3: wallet.dat
- 0x743ec:$string3: wallet.dat
- 0x74402:$string3: wallet.dat
- 0x757ee:$string4: Keylog Records
- 0x75b06:$string4: Keylog Records
- 0x75d22:$string5: do not script -->
- 0x73a34:$string6: \pidloc.txt
- 0x73ac2:$string7: BSPLIT
- 0x73ad2:$string7: BSPLIT
|
7.0.NEW PO.exe.409c0d.12.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.409c0d.12.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.409c0d.12.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.409c0d.12.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
22.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.18.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.NEW PO.exe.3ac2370.7.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.400000.16.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.400000.16.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.400000.16.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.400000.16.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.400000.16.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.400000.16.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
11.0.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
11.0.vbc.exe.400000.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.38.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
7.0.NEW PO.exe.400000.38.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.400000.38.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.38.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.400000.38.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.400000.38.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.400000.11.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.400000.11.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.400000.11.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.400000.11.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.400000.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.400000.11.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
11.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.7c60000.36.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger
- 0x75cca:$salt: 099u787978786
- 0x740a9:$string1: HawkEye_Keylogger
- 0x74efc:$string1: HawkEye_Keylogger
- 0x75c2a:$string1: HawkEye_Keylogger
- 0x74492:$string2: holdermail.txt
- 0x744b2:$string2: holdermail.txt
- 0x743d4:$string3: wallet.dat
- 0x743ec:$string3: wallet.dat
- 0x74402:$string3: wallet.dat
- 0x757ee:$string4: Keylog Records
- 0x75b06:$string4: Keylog Records
- 0x75d22:$string5: do not script -->
- 0x73a34:$string6: \pidloc.txt
- 0x73ac2:$string7: BSPLIT
- 0x73ad2:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.7.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
16.0.WindowsUpdate.exe.400000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.400000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
16.0.WindowsUpdate.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.400000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.400000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
17.2.WindowsUpdate.exe.459fbd0.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a59:$key: HawkEyeKeylogger
- 0x7bcd7:$salt: 099u787978786
- 0x7a0b6:$string1: HawkEye_Keylogger
- 0x7af09:$string1: HawkEye_Keylogger
- 0x7bc37:$string1: HawkEye_Keylogger
- 0x7a49f:$string2: holdermail.txt
- 0x7a4bf:$string2: holdermail.txt
- 0x7a3e1:$string3: wallet.dat
- 0x7a3f9:$string3: wallet.dat
- 0x7a40f:$string3: wallet.dat
- 0x7b7fb:$string4: Keylog Records
- 0x7bb13:$string4: Keylog Records
- 0x7bd2f:$string5: do not script -->
- 0x79a41:$string6: \pidloc.txt
- 0x79acf:$string7: BSPLIT
- 0x79adf:$string7: BSPLIT
|
17.2.WindowsUpdate.exe.459fbd0.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
17.2.WindowsUpdate.exe.459fbd0.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
17.2.WindowsUpdate.exe.459fbd0.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.WindowsUpdate.exe.459fbd0.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.2.WindowsUpdate.exe.459fbd0.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10e:$hawkstr1: HawkEye Keylogger
- 0x7af4f:$hawkstr1: HawkEye Keylogger
- 0x7b27e:$hawkstr1: HawkEye Keylogger
- 0x7b3d9:$hawkstr1: HawkEye Keylogger
- 0x7b53c:$hawkstr1: HawkEye Keylogger
- 0x7b7d3:$hawkstr1: HawkEye Keylogger
- 0x79c80:$hawkstr2: Dear HawkEye Customers!
- 0x7b2d1:$hawkstr2: Dear HawkEye Customers!
- 0x7b428:$hawkstr2: Dear HawkEye Customers!
- 0x7b58f:$hawkstr2: Dear HawkEye Customers!
- 0x79da1:$hawkstr3: HawkEye Logger Details:
|
7.2.NEW PO.exe.409c0d.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
10.0.vbc.exe.400000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.NEW PO.exe.3aa9930.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.400000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.400000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.400000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.400000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
10.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.42d9930.33.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.2d94168.44.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.408208.13.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.408208.13.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.408208.13.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.408208.13.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.408208.13.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.408208.13.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
10.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.13.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
7.0.NEW PO.exe.408208.13.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.408208.13.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.408208.13.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.408208.13.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.13.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
10.0.vbc.exe.400000.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.12.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
10.0.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger
- 0x1fe65:$salt: 099u787978786
- 0x1e244:$string1: HawkEye_Keylogger
- 0x1f097:$string1: HawkEye_Keylogger
- 0x1fdc5:$string1: HawkEye_Keylogger
- 0x1e62d:$string2: holdermail.txt
- 0x1e64d:$string2: holdermail.txt
- 0x1e56f:$string3: wallet.dat
- 0x1e587:$string3: wallet.dat
- 0x1e59d:$string3: wallet.dat
- 0x1f989:$string4: Keylog Records
- 0x1fca1:$string4: Keylog Records
- 0x1febd:$string5: do not script -->
- 0x1dbcf:$string6: \pidloc.txt
- 0x1dc5d:$string7: BSPLIT
- 0x1dc6d:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.19.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger
- 0x1f0dd:$hawkstr1: HawkEye Keylogger
- 0x1f40c:$hawkstr1: HawkEye Keylogger
- 0x1f567:$hawkstr1: HawkEye Keylogger
- 0x1f6ca:$hawkstr1: HawkEye Keylogger
- 0x1f961:$hawkstr1: HawkEye Keylogger
- 0x1de0e:$hawkstr2: Dear HawkEye Customers!
- 0x1f45f:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!
- 0x1f71d:$hawkstr2: Dear HawkEye Customers!
- 0x1df2f:$hawkstr3: HawkEye Logger Details:
|
0.2.NEW PO.exe.33497d4.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
7.2.NEW PO.exe.7c60000.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.2.WindowsUpdate.exe.32fb060.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
16.0.WindowsUpdate.exe.409c0d.19.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.NEW PO.exe.408208.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
7.2.NEW PO.exe.408208.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.2.NEW PO.exe.408208.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.NEW PO.exe.408208.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.2.NEW PO.exe.408208.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.NEW PO.exe.408208.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
16.0.WindowsUpdate.exe.408208.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.408208.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
16.0.WindowsUpdate.exe.408208.9.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.408208.9.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.408208.9.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.408208.9.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.42d9930.45.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.24.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger
- 0x1fe65:$salt: 099u787978786
- 0x1e244:$string1: HawkEye_Keylogger
- 0x1f097:$string1: HawkEye_Keylogger
- 0x1fdc5:$string1: HawkEye_Keylogger
- 0x1e62d:$string2: holdermail.txt
- 0x1e64d:$string2: holdermail.txt
- 0x1e56f:$string3: wallet.dat
- 0x1e587:$string3: wallet.dat
- 0x1e59d:$string3: wallet.dat
- 0x1f989:$string4: Keylog Records
- 0x1fca1:$string4: Keylog Records
- 0x1febd:$string5: do not script -->
- 0x1dbcf:$string6: \pidloc.txt
- 0x1dc5d:$string7: BSPLIT
- 0x1dc6d:$string7: BSPLIT
|
7.0.NEW PO.exe.45fa72.24.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.24.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.45fa72.24.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger
- 0x1f0dd:$hawkstr1: HawkEye Keylogger
- 0x1f40c:$hawkstr1: HawkEye Keylogger
- 0x1f567:$hawkstr1: HawkEye Keylogger
- 0x1f6ca:$hawkstr1: HawkEye Keylogger
- 0x1f961:$hawkstr1: HawkEye Keylogger
- 0x1de0e:$hawkstr2: Dear HawkEye Customers!
- 0x1f45f:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!
- 0x1f71d:$hawkstr2: Dear HawkEye Customers!
- 0x1df2f:$hawkstr3: HawkEye Logger Details:
|
23.0.vbc.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.408208.28.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
7.0.NEW PO.exe.408208.28.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.408208.28.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.408208.28.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.408208.28.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.28.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
22.0.vbc.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.22.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger
- 0x75cca:$salt: 099u787978786
- 0x740a9:$string1: HawkEye_Keylogger
- 0x74efc:$string1: HawkEye_Keylogger
- 0x75c2a:$string1: HawkEye_Keylogger
- 0x74492:$string2: holdermail.txt
- 0x744b2:$string2: holdermail.txt
- 0x743d4:$string3: wallet.dat
- 0x743ec:$string3: wallet.dat
- 0x74402:$string3: wallet.dat
- 0x757ee:$string4: Keylog Records
- 0x75b06:$string4: Keylog Records
- 0x75d22:$string5: do not script -->
- 0x73a34:$string6: \pidloc.txt
- 0x73ac2:$string7: BSPLIT
- 0x73ad2:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.400000.6.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.400000.6.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.400000.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.400000.6.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.400000.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.400000.6.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
7.2.NEW PO.exe.45fa72.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger
- 0x1fe65:$salt: 099u787978786
- 0x1e244:$string1: HawkEye_Keylogger
- 0x1f097:$string1: HawkEye_Keylogger
- 0x1fdc5:$string1: HawkEye_Keylogger
- 0x1e62d:$string2: holdermail.txt
- 0x1e64d:$string2: holdermail.txt
- 0x1e56f:$string3: wallet.dat
- 0x1e587:$string3: wallet.dat
- 0x1e59d:$string3: wallet.dat
- 0x1f989:$string4: Keylog Records
- 0x1fca1:$string4: Keylog Records
- 0x1febd:$string5: do not script -->
- 0x1dbcf:$string6: \pidloc.txt
- 0x1dc5d:$string7: BSPLIT
- 0x1dc6d:$string7: BSPLIT
|
7.2.NEW PO.exe.45fa72.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.NEW PO.exe.45fa72.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.2.NEW PO.exe.45fa72.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger
- 0x1f0dd:$hawkstr1: HawkEye Keylogger
- 0x1f40c:$hawkstr1: HawkEye Keylogger
- 0x1f567:$hawkstr1: HawkEye Keylogger
- 0x1f6ca:$hawkstr1: HawkEye Keylogger
- 0x1f961:$hawkstr1: HawkEye Keylogger
- 0x1de0e:$hawkstr2: Dear HawkEye Customers!
- 0x1f45f:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!
- 0x1f71d:$hawkstr2: Dear HawkEye Customers!
- 0x1df2f:$hawkstr3: HawkEye Logger Details:
|
18.2.WindowsUpdate.exe.42f2370.7.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.3ac2370.34.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger
- 0x1fe65:$salt: 099u787978786
- 0x1e244:$string1: HawkEye_Keylogger
- 0x1f097:$string1: HawkEye_Keylogger
- 0x1fdc5:$string1: HawkEye_Keylogger
- 0x1e62d:$string2: holdermail.txt
- 0x1e64d:$string2: holdermail.txt
- 0x1e56f:$string3: wallet.dat
- 0x1e587:$string3: wallet.dat
- 0x1e59d:$string3: wallet.dat
- 0x1f989:$string4: Keylog Records
- 0x1fca1:$string4: Keylog Records
- 0x1febd:$string5: do not script -->
- 0x1dbcf:$string6: \pidloc.txt
- 0x1dc5d:$string7: BSPLIT
- 0x1dc6d:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.45fa72.8.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger
- 0x1f0dd:$hawkstr1: HawkEye Keylogger
- 0x1f40c:$hawkstr1: HawkEye Keylogger
- 0x1f567:$hawkstr1: HawkEye Keylogger
- 0x1f6ca:$hawkstr1: HawkEye Keylogger
- 0x1f961:$hawkstr1: HawkEye Keylogger
- 0x1de0e:$hawkstr2: Dear HawkEye Customers!
- 0x1f45f:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!
- 0x1f71d:$hawkstr2: Dear HawkEye Customers!
- 0x1df2f:$hawkstr3: HawkEye Logger Details:
|
23.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
23.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.42d9930.45.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.42d9930.45.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.2d9bffc.33.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger
- 0x75cca:$salt: 099u787978786
- 0x740a9:$string1: HawkEye_Keylogger
- 0x74efc:$string1: HawkEye_Keylogger
- 0x75c2a:$string1: HawkEye_Keylogger
- 0x74492:$string2: holdermail.txt
- 0x744b2:$string2: holdermail.txt
- 0x743d4:$string3: wallet.dat
- 0x743ec:$string3: wallet.dat
- 0x74402:$string3: wallet.dat
- 0x757ee:$string4: Keylog Records
- 0x75b06:$string4: Keylog Records
- 0x75d22:$string5: do not script -->
- 0x73a34:$string6: \pidloc.txt
- 0x73ac2:$string7: BSPLIT
- 0x73ad2:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.18.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.8660000.36.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.408208.24.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.408208.24.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.408208.24.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.408208.24.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.408208.24.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.408208.24.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.400000.37.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.400000.37.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.400000.37.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.400000.37.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.400000.37.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.400000.37.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.42f2370.34.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
22.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger
- 0x75cca:$salt: 099u787978786
- 0x740a9:$string1: HawkEye_Keylogger
- 0x74efc:$string1: HawkEye_Keylogger
- 0x75c2a:$string1: HawkEye_Keylogger
- 0x74492:$string2: holdermail.txt
- 0x744b2:$string2: holdermail.txt
- 0x743d4:$string3: wallet.dat
- 0x743ec:$string3: wallet.dat
- 0x74402:$string3: wallet.dat
- 0x757ee:$string4: Keylog Records
- 0x75b06:$string4: Keylog Records
- 0x75d22:$string5: do not script -->
- 0x73a34:$string6: \pidloc.txt
- 0x73ac2:$string7: BSPLIT
- 0x73ad2:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.409c0d.27.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
16.0.WindowsUpdate.exe.408208.13.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.408208.13.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
16.0.WindowsUpdate.exe.408208.13.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.408208.13.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.408208.13.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.408208.13.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
7.0.NEW PO.exe.400000.21.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
7.0.NEW PO.exe.400000.21.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.400000.21.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.21.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.400000.21.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.400000.21.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.408208.28.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.408208.28.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.408208.28.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.408208.28.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.408208.28.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.408208.28.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0xfd879:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0xffaf7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0xfded6:$string1: HawkEye_Keylogger
- 0xfed29:$string1: HawkEye_Keylogger
- 0xffa57:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0xfe2bf:$string2: holdermail.txt
- 0xfe2df:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0xfe201:$string3: wallet.dat
- 0xfe219:$string3: wallet.dat
- 0xfe22f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
|
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.2.WindowsUpdate.exe.459fbd0.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0xfdf2e:$hawkstr1: HawkEye Keylogger
- 0xfed6f:$hawkstr1: HawkEye Keylogger
- 0xff09e:$hawkstr1: HawkEye Keylogger
- 0xff1f9:$hawkstr1: HawkEye Keylogger
- 0xff35c:$hawkstr1: HawkEye Keylogger
- 0xff5f3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0xfdaa0:$hawkstr2: Dear HawkEye Customers!
- 0xff0f1:$hawkstr2: Dear HawkEye Customers!
- 0xff248:$hawkstr2: Dear HawkEye Customers!
- 0xff3af:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
16.0.WindowsUpdate.exe.409c0d.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.41.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
7.0.NEW PO.exe.408208.41.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.408208.41.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.408208.41.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.408208.41.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.41.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
7.0.NEW PO.exe.3ac2370.34.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.2.WindowsUpdate.exe.42f2370.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.400000.16.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: <!-- do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
7.0.NEW PO.exe.400000.16.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.400000.16.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.16.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.400000.16.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.400000.16.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
16.0.WindowsUpdate.exe.45fa72.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger
- 0x1fe65:$salt: 099u787978786
- 0x1e244:$string1: HawkEye_Keylogger
- 0x1f097:$string1: HawkEye_Keylogger
- 0x1fdc5:$string1: HawkEye_Keylogger
- 0x1e62d:$string2: holdermail.txt
- 0x1e64d:$string2: holdermail.txt
- 0x1e56f:$string3: wallet.dat
- 0x1e587:$string3: wallet.dat
- 0x1e59d:$string3: wallet.dat
- 0x1f989:$string4: Keylog Records
- 0x1fca1:$string4: Keylog Records
- 0x1febd:$string5: <!-- do not script -->
- 0x1dbcf:$string6: \pidloc.txt
- 0x1dc5d:$string7: BSPLIT
- 0x1dc6d:$string7: BSPLIT
|
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.2.WindowsUpdate.exe.45fa72.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger
- 0x1f0dd:$hawkstr1: HawkEye Keylogger
- 0x1f40c:$hawkstr1: HawkEye Keylogger
- 0x1f567:$hawkstr1: HawkEye Keylogger
- 0x1f6ca:$hawkstr1: HawkEye Keylogger
- 0x1f961:$hawkstr1: HawkEye Keylogger
- 0x1de0e:$hawkstr2: Dear HawkEye Customers!
- 0x1f45f:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!
- 0x1f71d:$hawkstr2: Dear HawkEye Customers!
- 0x1df2f:$hawkstr3: HawkEye Logger Details:
|
16.0.WindowsUpdate.exe.45fa72.17.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.9.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.17.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.2.WindowsUpdate.exe.409c0d.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.24.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.3aa9930.35.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.3aa9930.35.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.22.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: <!-- do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
7.0.NEW PO.exe.408208.22.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.408208.22.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.408208.22.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.408208.22.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.22.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.409c0d.8.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.409c0d.23.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.2.WindowsUpdate.exe.45fa72.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
15.2.WindowsUpdate.exe.402fbd0.5.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a59:$key: HawkEyeKeylogger
- 0x7bcd7:$salt: 099u787978786
- 0x7a0b6:$string1: HawkEye_Keylogger
- 0x7af09:$string1: HawkEye_Keylogger
- 0x7bc37:$string1: HawkEye_Keylogger
- 0x7a49f:$string2: holdermail.txt
- 0x7a4bf:$string2: holdermail.txt
- 0x7a3e1:$string3: wallet.dat
- 0x7a3f9:$string3: wallet.dat
- 0x7a40f:$string3: wallet.dat
- 0x7b7fb:$string4: Keylog Records
- 0x7bb13:$string4: Keylog Records
- 0x7bd2f:$string5: <!-- do not script -->
- 0x79a41:$string6: \pidloc.txt
- 0x79acf:$string7: BSPLIT
- 0x79adf:$string7: BSPLIT
|
15.2.WindowsUpdate.exe.402fbd0.5.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
15.2.WindowsUpdate.exe.402fbd0.5.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
15.2.WindowsUpdate.exe.402fbd0.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
15.2.WindowsUpdate.exe.402fbd0.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
15.2.WindowsUpdate.exe.402fbd0.5.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10e:$hawkstr1: HawkEye Keylogger
- 0x7af4f:$hawkstr1: HawkEye Keylogger
- 0x7b27e:$hawkstr1: HawkEye Keylogger
- 0x7b3d9:$hawkstr1: HawkEye Keylogger
- 0x7b53c:$hawkstr1: HawkEye Keylogger
- 0x7b7d3:$hawkstr1: HawkEye Keylogger
- 0x79c80:$hawkstr2: Dear HawkEye Customers!
- 0x7b2d1:$hawkstr2: Dear HawkEye Customers!
- 0x7b428:$hawkstr2: Dear HawkEye Customers!
- 0x7b58f:$hawkstr2: Dear HawkEye Customers!
- 0x79da1:$hawkstr3: HawkEye Logger Details:
|
15.2.WindowsUpdate.exe.2c2982c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
18.0.WindowsUpdate.exe.400000.21.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: <!-- do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.400000.21.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
18.0.WindowsUpdate.exe.400000.21.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.400000.21.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.400000.21.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.400000.21.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger
- 0x75cca:$salt: 099u787978786
- 0x740a9:$string1: HawkEye_Keylogger
- 0x74efc:$string1: HawkEye_Keylogger
- 0x75c2a:$string1: HawkEye_Keylogger
- 0x74492:$string2: holdermail.txt
- 0x744b2:$string2: holdermail.txt
- 0x743d4:$string3: wallet.dat
- 0x743ec:$string3: wallet.dat
- 0x74402:$string3: wallet.dat
- 0x757ee:$string4: Keylog Records
- 0x75b06:$string4: Keylog Records
- 0x75d22:$string5: <!-- do not script -->
- 0x73a34:$string6: \pidloc.txt
- 0x73ac2:$string7: BSPLIT
- 0x73ad2:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.19.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger
- 0x1fe65:$salt: 099u787978786
- 0x1e244:$string1: HawkEye_Keylogger
- 0x1f097:$string1: HawkEye_Keylogger
- 0x1fdc5:$string1: HawkEye_Keylogger
- 0x1e62d:$string2: holdermail.txt
- 0x1e64d:$string2: holdermail.txt
- 0x1e56f:$string3: wallet.dat
- 0x1e587:$string3: wallet.dat
- 0x1e59d:$string3: wallet.dat
- 0x1f989:$string4: Keylog Records
- 0x1fca1:$string4: Keylog Records
- 0x1febd:$string5: <!-- do not script -->
- 0x1dbcf:$string6: \pidloc.txt
- 0x1dc5d:$string7: BSPLIT
- 0x1dc6d:$string7: BSPLIT
|
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.9.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger
- 0x1f0dd:$hawkstr1: HawkEye Keylogger
- 0x1f40c:$hawkstr1: HawkEye Keylogger
- 0x1f567:$hawkstr1: HawkEye Keylogger
- 0x1f6ca:$hawkstr1: HawkEye Keylogger
- 0x1f961:$hawkstr1: HawkEye Keylogger
- 0x1de0e:$hawkstr2: Dear HawkEye Customers!
- 0x1f45f:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!
- 0x1f71d:$hawkstr2: Dear HawkEye Customers!
- 0x1df2f:$hawkstr3: HawkEye Logger Details:
|
7.2.NEW PO.exe.45fa72.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.400000.16.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: <!-- do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.400000.16.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
16.0.WindowsUpdate.exe.400000.16.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.400000.16.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.400000.16.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.400000.16.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
10.0.vbc.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.45fa72.29.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dbe7:$key: HawkEyeKeylogger
- 0x1fe65:$salt: 099u787978786
- 0x1e244:$string1: HawkEye_Keylogger
- 0x1f097:$string1: HawkEye_Keylogger
- 0x1fdc5:$string1: HawkEye_Keylogger
- 0x1e62d:$string2: holdermail.txt
- 0x1e64d:$string2: holdermail.txt
- 0x1e56f:$string3: wallet.dat
- 0x1e587:$string3: wallet.dat
- 0x1e59d:$string3: wallet.dat
- 0x1f989:$string4: Keylog Records
- 0x1fca1:$string4: Keylog Records
- 0x1febd:$string5: <!-- do not script -->
- 0x1dbcf:$string6: \pidloc.txt
- 0x1dc5d:$string7: BSPLIT
- 0x1dc6d:$string7: BSPLIT
|
7.0.NEW PO.exe.45fa72.29.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.45fa72.29.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.45fa72.29.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e29c:$hawkstr1: HawkEye Keylogger
- 0x1f0dd:$hawkstr1: HawkEye Keylogger
- 0x1f40c:$hawkstr1: HawkEye Keylogger
- 0x1f567:$hawkstr1: HawkEye Keylogger
- 0x1f6ca:$hawkstr1: HawkEye Keylogger
- 0x1f961:$hawkstr1: HawkEye Keylogger
- 0x1de0e:$hawkstr2: Dear HawkEye Customers!
- 0x1f45f:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b6:$hawkstr2: Dear HawkEye Customers!
- 0x1f71d:$hawkstr2: Dear HawkEye Customers!
- 0x1df2f:$hawkstr3: HawkEye Logger Details:
|
17.2.WindowsUpdate.exe.319982c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
7.2.NEW PO.exe.3aa9930.8.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.NEW PO.exe.3aa9930.8.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.18.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: <!-- do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
7.0.NEW PO.exe.408208.18.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.408208.18.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.408208.18.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.408208.18.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.408208.18.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
22.0.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
18.0.WindowsUpdate.exe.45fa72.9.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.7c60000.48.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
23.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.3ac2370.47.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.3aa9930.35.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: <!-- do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
7.0.NEW PO.exe.400000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.400000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.42f2370.46.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.400000.26.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: <!-- do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
7.0.NEW PO.exe.400000.26.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.0.NEW PO.exe.400000.26.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.NEW PO.exe.400000.26.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.NEW PO.exe.400000.26.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.NEW PO.exe.400000.26.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
18.0.WindowsUpdate.exe.45fa72.29.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.400000.11.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: <!-- do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.400000.11.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
16.0.WindowsUpdate.exe.400000.11.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.400000.11.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.400000.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.400000.11.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
7.2.NEW PO.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
- 0x7d913:$string4: Keylog Records
- 0x7db2f:$string5: <!-- do not script -->
- 0x7b841:$string6: \pidloc.txt
- 0x7b8cf:$string7: BSPLIT
- 0x7b8df:$string7: BSPLIT
|
7.2.NEW PO.exe.400000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
7.2.NEW PO.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.NEW PO.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.2.NEW PO.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.NEW PO.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a4c:$key: HawkEyeKeylogger
- 0x75cca:$salt: 099u787978786
- 0x740a9:$string1: HawkEye_Keylogger
- 0x74efc:$string1: HawkEye_Keylogger
- 0x75c2a:$string1: HawkEye_Keylogger
- 0x74492:$string2: holdermail.txt
- 0x744b2:$string2: holdermail.txt
- 0x743d4:$string3: wallet.dat
- 0x743ec:$string3: wallet.dat
- 0x74402:$string3: wallet.dat
- 0x757ee:$string4: Keylog Records
- 0x75b06:$string4: Keylog Records
- 0x75d22:$string5: <!-- do not script -->
- 0x73a34:$string6: \pidloc.txt
- 0x73ac2:$string7: BSPLIT
- 0x73ad2:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.409c0d.24.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x74101:$hawkstr1: HawkEye Keylogger
- 0x74f42:$hawkstr1: HawkEye Keylogger
- 0x75271:$hawkstr1: HawkEye Keylogger
- 0x753cc:$hawkstr1: HawkEye Keylogger
- 0x7552f:$hawkstr1: HawkEye Keylogger
- 0x757c6:$hawkstr1: HawkEye Keylogger
- 0x73c73:$hawkstr2: Dear HawkEye Customers!
- 0x752c4:$hawkstr2: Dear HawkEye Customers!
- 0x7541b:$hawkstr2: Dear HawkEye Customers!
- 0x75582:$hawkstr2: Dear HawkEye Customers!
- 0x73d94:$hawkstr3: HawkEye Logger Details:
|
16.0.WindowsUpdate.exe.408208.18.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x75451:$key: HawkEyeKeylogger
- 0x776cf:$salt: 099u787978786
- 0x75aae:$string1: HawkEye_Keylogger
- 0x76901:$string1: HawkEye_Keylogger
- 0x7762f:$string1: HawkEye_Keylogger
- 0x75e97:$string2: holdermail.txt
- 0x75eb7:$string2: holdermail.txt
- 0x75dd9:$string3: wallet.dat
- 0x75df1:$string3: wallet.dat
- 0x75e07:$string3: wallet.dat
- 0x771f3:$string4: Keylog Records
- 0x7750b:$string4: Keylog Records
- 0x77727:$string5: <!-- do not script -->
- 0x75439:$string6: \pidloc.txt
- 0x754c7:$string7: BSPLIT
- 0x754d7:$string7: BSPLIT
|
16.0.WindowsUpdate.exe.408208.18.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
16.0.WindowsUpdate.exe.408208.18.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
16.0.WindowsUpdate.exe.408208.18.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
16.0.WindowsUpdate.exe.408208.18.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
16.0.WindowsUpdate.exe.408208.18.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b06:$hawkstr1: HawkEye Keylogger
- 0x76947:$hawkstr1: HawkEye Keylogger
- 0x76c76:$hawkstr1: HawkEye Keylogger
- 0x76dd1:$hawkstr1: HawkEye Keylogger
- 0x76f34:$hawkstr1: HawkEye Keylogger
- 0x771cb:$hawkstr1: HawkEye Keylogger
- 0x75678:$hawkstr2: Dear HawkEye Customers!
- 0x76cc9:$hawkstr2: Dear HawkEye Customers!
- 0x76e20:$hawkstr2: Dear HawkEye Customers!
- 0x76f87:$hawkstr2: Dear HawkEye Customers!
- 0x75799:$hawkstr3: HawkEye Logger Details:
|
0.2.NEW PO.exe.474fbd0.5.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0xfd879:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0xffaf7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0xfded6:$string1: HawkEye_Keylogger
- 0xfed29:$string1: HawkEye_Keylogger
- 0xffa57:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0xfe2bf:$string2: holdermail.txt
- 0xfe2df:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0xfe201:$string3: wallet.dat
- 0xfe219:$string3: wallet.dat
- 0xfe22f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
|
0.2.NEW PO.exe.474fbd0.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
0.2.NEW PO.exe.474fbd0.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
0.2.NEW PO.exe.474fbd0.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.NEW PO.exe.474fbd0.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.NEW PO.exe.474fbd0.5.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0xfdf2e:$hawkstr1: HawkEye Keylogger
- 0xfed6f:$hawkstr1: HawkEye Keylogger
- 0xff09e:$hawkstr1: HawkEye Keylogger
- 0xff1f9:$hawkstr1: HawkEye Keylogger
- 0xff35c:$hawkstr1: HawkEye Keylogger
- 0xff5f3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0xfdaa0:$hawkstr2: Dear HawkEye Customers!
- 0xff0f1:$hawkstr2: Dear HawkEye Customers!
- 0xff248:$hawkstr2: Dear HawkEye Customers!
- 0xff3af:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b859:$key: HawkEyeKeylogger
- 0xfd879:$key: HawkEyeKeylogger
- 0x7dad7:$salt: 099u787978786
- 0xffaf7:$salt: 099u787978786
- 0x7beb6:$string1: HawkEye_Keylogger
- 0x7cd09:$string1: HawkEye_Keylogger
- 0x7da37:$string1: HawkEye_Keylogger
- 0xfded6:$string1: HawkEye_Keylogger
- 0xfed29:$string1: HawkEye_Keylogger
- 0xffa57:$string1: HawkEye_Keylogger
- 0x7c29f:$string2: holdermail.txt
- 0x7c2bf:$string2: holdermail.txt
- 0xfe2bf:$string2: holdermail.txt
- 0xfe2df:$string2: holdermail.txt
- 0x7c1e1:$string3: wallet.dat
- 0x7c1f9:$string3: wallet.dat
- 0x7c20f:$string3: wallet.dat
- 0xfe201:$string3: wallet.dat
- 0xfe219:$string3: wallet.dat
- 0xfe22f:$string3: wallet.dat
- 0x7d5fb:$string4: Keylog Records
|
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
15.2.WindowsUpdate.exe.402fbd0.5.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0e:$hawkstr1: HawkEye Keylogger
- 0x7cd4f:$hawkstr1: HawkEye Keylogger
- 0x7d07e:$hawkstr1: HawkEye Keylogger
- 0x7d1d9:$hawkstr1: HawkEye Keylogger
- 0x7d33c:$hawkstr1: HawkEye Keylogger
- 0x7d5d3:$hawkstr1: HawkEye Keylogger
- 0xfdf2e:$hawkstr1: HawkEye Keylogger
- 0xfed6f:$hawkstr1: HawkEye Keylogger
- 0xff09e:$hawkstr1: HawkEye Keylogger
- 0xff1f9:$hawkstr1: HawkEye Keylogger
- 0xff35c:$hawkstr1: HawkEye Keylogger
- 0xff5f3:$hawkstr1: HawkEye Keylogger
- 0x7ba80:$hawkstr2: Dear HawkEye Customers!
- 0x7d0d1:$hawkstr2: Dear HawkEye Customers!
- 0x7d228:$hawkstr2: Dear HawkEye Customers!
- 0x7d38f:$hawkstr2: Dear HawkEye Customers!
- 0xfdaa0:$hawkstr2: Dear HawkEye Customers!
- 0xff0f1:$hawkstr2: Dear HawkEye Customers!
- 0xff248:$hawkstr2: Dear HawkEye Customers!
- 0xff3af:$hawkstr2: Dear HawkEye Customers!
- 0x7bba1:$hawkstr3: HawkEye Logger Details:
|
0.2.NEW PO.exe.43c56d8.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x405d51:$key: HawkEyeKeylogger
- 0x487d71:$key: HawkEyeKeylogger
- 0x407fcf:$salt: 099u787978786
- 0x489fef:$salt: 099u787978786
- 0x4063ae:$string1: HawkEye_Keylogger
- 0x407201:$string1: HawkEye_Keylogger
- 0x407f2f:$string1: HawkEye_Keylogger
- 0x4883ce:$string1: HawkEye_Keylogger
- 0x489221:$string1: HawkEye_Keylogger
- 0x489f4f:$string1: HawkEye_Keylogger
- 0x406797:$string2: holdermail.txt
- 0x4067b7:$string2: holdermail.txt
- 0x4887b7:$string2: holdermail.txt
- 0x4887d7:$string2: holdermail.txt
- 0x4066d9:$string3: wallet.dat
- 0x4066f1:$string3: wallet.dat
- 0x406707:$string3: wallet.dat
- 0x4886f9:$string3: wallet.dat
- 0x488711:$string3: wallet.dat
- 0x488727:$string3: wallet.dat
- 0x407af3:$string4: Keylog Records
|
0.2.NEW PO.exe.43c56d8.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x39191b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x41393b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
0.2.NEW PO.exe.43c56d8.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
0.2.NEW PO.exe.43c56d8.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.NEW PO.exe.43c56d8.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.NEW PO.exe.43c56d8.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x406406:$hawkstr1: HawkEye Keylogger
- 0x407247:$hawkstr1: HawkEye Keylogger
- 0x407576:$hawkstr1: HawkEye Keylogger
- 0x4076d1:$hawkstr1: HawkEye Keylogger
- 0x407834:$hawkstr1: HawkEye Keylogger
- 0x407acb:$hawkstr1: HawkEye Keylogger
- 0x488426:$hawkstr1: HawkEye Keylogger
- 0x489267:$hawkstr1: HawkEye Keylogger
- 0x489596:$hawkstr1: HawkEye Keylogger
- 0x4896f1:$hawkstr1: HawkEye Keylogger
- 0x489854:$hawkstr1: HawkEye Keylogger
- 0x489aeb:$hawkstr1: HawkEye Keylogger
- 0x405f78:$hawkstr2: Dear HawkEye Customers!
- 0x4075c9:$hawkstr2: Dear HawkEye Customers!
- 0x407720:$hawkstr2: Dear HawkEye Customers!
- 0x407887:$hawkstr2: Dear HawkEye Customers!
- 0x487f98:$hawkstr2: Dear HawkEye Customers!
- 0x4895e9:$hawkstr2: Dear HawkEye Customers!
- 0x489740:$hawkstr2: Dear HawkEye Customers!
- 0x4898a7:$hawkstr2: Dear HawkEye Customers!
- 0x406099:$hawkstr3: HawkEye Logger Details:
|
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x222cd9:$key: HawkEyeKeylogger
- 0x2a4cf9:$key: HawkEyeKeylogger
- 0x224f57:$salt: 099u787978786
- 0x2a6f77:$salt: 099u787978786
- 0x223336:$string1: HawkEye_Keylogger
- 0x224189:$string1: HawkEye_Keylogger
- 0x224eb7:$string1: HawkEye_Keylogger
- 0x2a5356:$string1: HawkEye_Keylogger
- 0x2a61a9:$string1: HawkEye_Keylogger
- 0x2a6ed7:$string1: HawkEye_Keylogger
- 0x22371f:$string2: holdermail.txt
- 0x22373f:$string2: holdermail.txt
- 0x2a573f:$string2: holdermail.txt
- 0x2a575f:$string2: holdermail.txt
- 0x223661:$string3: wallet.dat
- 0x223679:$string3: wallet.dat
- 0x22368f:$string3: wallet.dat
- 0x2a5681:$string3: wallet.dat
- 0x2a5699:$string3: wallet.dat
- 0x2a56af:$string3: wallet.dat
- 0x224a7b:$string4: Keylog Records
|
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1ae8a3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x2308c3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
15.2.WindowsUpdate.exe.3e88750.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x22338e:$hawkstr1: HawkEye Keylogger
- 0x2241cf:$hawkstr1: HawkEye Keylogger
- 0x2244fe:$hawkstr1: HawkEye Keylogger
- 0x224659:$hawkstr1: HawkEye Keylogger
- 0x2247bc:$hawkstr1: HawkEye Keylogger
- 0x224a53:$hawkstr1: HawkEye Keylogger
- 0x2a53ae:$hawkstr1: HawkEye Keylogger
- 0x2a61ef:$hawkstr1: HawkEye Keylogger
- 0x2a651e:$hawkstr1: HawkEye Keylogger
- 0x2a6679:$hawkstr1: HawkEye Keylogger
- 0x2a67dc:$hawkstr1: HawkEye Keylogger
- 0x2a6a73:$hawkstr1: HawkEye Keylogger
- 0x222f00:$hawkstr2: Dear HawkEye Customers!
- 0x224551:$hawkstr2: Dear HawkEye Customers!
- 0x2246a8:$hawkstr2: Dear HawkEye Customers!
- 0x22480f:$hawkstr2: Dear HawkEye Customers!
- 0x2a4f20:$hawkstr2: Dear HawkEye Customers!
- 0x2a6571:$hawkstr2: Dear HawkEye Customers!
- 0x2a66c8:$hawkstr2: Dear HawkEye Customers!
- 0x2a682f:$hawkstr2: Dear HawkEye Customers!
- 0x223021:$hawkstr3: HawkEye Logger Details:
|
0.2.NEW PO.exe.45a8750.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x222cd9:$key: HawkEyeKeylogger
- 0x2a4cf9:$key: HawkEyeKeylogger
- 0x224f57:$salt: 099u787978786
- 0x2a6f77:$salt: 099u787978786
- 0x223336:$string1: HawkEye_Keylogger
- 0x224189:$string1: HawkEye_Keylogger
- 0x224eb7:$string1: HawkEye_Keylogger
- 0x2a5356:$string1: HawkEye_Keylogger
- 0x2a61a9:$string1: HawkEye_Keylogger
- 0x2a6ed7:$string1: HawkEye_Keylogger
- 0x22371f:$string2: holdermail.txt
- 0x22373f:$string2: holdermail.txt
- 0x2a573f:$string2: holdermail.txt
- 0x2a575f:$string2: holdermail.txt
- 0x223661:$string3: wallet.dat
- 0x223679:$string3: wallet.dat
- 0x22368f:$string3: wallet.dat
- 0x2a5681:$string3: wallet.dat
- 0x2a5699:$string3: wallet.dat
- 0x2a56af:$string3: wallet.dat
- 0x224a7b:$string4: Keylog Records
|
0.2.NEW PO.exe.45a8750.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1ae8a3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x2308c3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
0.2.NEW PO.exe.45a8750.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
0.2.NEW PO.exe.45a8750.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.NEW PO.exe.45a8750.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.NEW PO.exe.45a8750.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x22338e:$hawkstr1: HawkEye Keylogger
- 0x2241cf:$hawkstr1: HawkEye Keylogger
- 0x2244fe:$hawkstr1: HawkEye Keylogger
- 0x224659:$hawkstr1: HawkEye Keylogger
- 0x2247bc:$hawkstr1: HawkEye Keylogger
- 0x224a53:$hawkstr1: HawkEye Keylogger
- 0x2a53ae:$hawkstr1: HawkEye Keylogger
- 0x2a61ef:$hawkstr1: HawkEye Keylogger
- 0x2a651e:$hawkstr1: HawkEye Keylogger
- 0x2a6679:$hawkstr1: HawkEye Keylogger
- 0x2a67dc:$hawkstr1: HawkEye Keylogger
- 0x2a6a73:$hawkstr1: HawkEye Keylogger
- 0x222f00:$hawkstr2: Dear HawkEye Customers!
- 0x224551:$hawkstr2: Dear HawkEye Customers!
- 0x2246a8:$hawkstr2: Dear HawkEye Customers!
- 0x22480f:$hawkstr2: Dear HawkEye Customers!
- 0x2a4f20:$hawkstr2: Dear HawkEye Customers!
- 0x2a6571:$hawkstr2: Dear HawkEye Customers!
- 0x2a66c8:$hawkstr2: Dear HawkEye Customers!
- 0x2a682f:$hawkstr2: Dear HawkEye Customers!
- 0x223021:$hawkstr3: HawkEye Logger Details:
|
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x222cd9:$key: HawkEyeKeylogger
- 0x2a4cf9:$key: HawkEyeKeylogger
- 0x224f57:$salt: 099u787978786
- 0x2a6f77:$salt: 099u787978786
- 0x223336:$string1: HawkEye_Keylogger
- 0x224189:$string1: HawkEye_Keylogger
- 0x224eb7:$string1: HawkEye_Keylogger
- 0x2a5356:$string1: HawkEye_Keylogger
- 0x2a61a9:$string1: HawkEye_Keylogger
- 0x2a6ed7:$string1: HawkEye_Keylogger
- 0x22371f:$string2: holdermail.txt
- 0x22373f:$string2: holdermail.txt
- 0x2a573f:$string2: holdermail.txt
- 0x2a575f:$string2: holdermail.txt
- 0x223661:$string3: wallet.dat
- 0x223679:$string3: wallet.dat
- 0x22368f:$string3: wallet.dat
- 0x2a5681:$string3: wallet.dat
- 0x2a5699:$string3: wallet.dat
- 0x2a56af:$string3: wallet.dat
- 0x224a7b:$string4: Keylog Records
|
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1ae8a3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x2308c3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.2.WindowsUpdate.exe.43f8750.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x22338e:$hawkstr1: HawkEye Keylogger
- 0x2241cf:$hawkstr1: HawkEye Keylogger
- 0x2244fe:$hawkstr1: HawkEye Keylogger
- 0x224659:$hawkstr1: HawkEye Keylogger
- 0x2247bc:$hawkstr1: HawkEye Keylogger
- 0x224a53:$hawkstr1: HawkEye Keylogger
- 0x2a53ae:$hawkstr1: HawkEye Keylogger
- 0x2a61ef:$hawkstr1: HawkEye Keylogger
- 0x2a651e:$hawkstr1: HawkEye Keylogger
- 0x2a6679:$hawkstr1: HawkEye Keylogger
- 0x2a67dc:$hawkstr1: HawkEye Keylogger
- 0x2a6a73:$hawkstr1: HawkEye Keylogger
- 0x222f00:$hawkstr2: Dear HawkEye Customers!
- 0x224551:$hawkstr2: Dear HawkEye Customers!
- 0x2246a8:$hawkstr2: Dear HawkEye Customers!
- 0x22480f:$hawkstr2: Dear HawkEye Customers!
- 0x2a4f20:$hawkstr2: Dear HawkEye Customers!
- 0x2a6571:$hawkstr2: Dear HawkEye Customers!
- 0x2a66c8:$hawkstr2: Dear HawkEye Customers!
- 0x2a682f:$hawkstr2: Dear HawkEye Customers!
- 0x223021:$hawkstr3: HawkEye Logger Details:
|
18.2.WindowsUpdate.exe.333ba6c.6.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x405d51:$key: HawkEyeKeylogger
- 0x487d71:$key: HawkEyeKeylogger
- 0x407fcf:$salt: 099u787978786
- 0x489fef:$salt: 099u787978786
- 0x4063ae:$string1: HawkEye_Keylogger
- 0x407201:$string1: HawkEye_Keylogger
- 0x407f2f:$string1: HawkEye_Keylogger
- 0x4883ce:$string1: HawkEye_Keylogger
- 0x489221:$string1: HawkEye_Keylogger
- 0x489f4f:$string1: HawkEye_Keylogger
- 0x406797:$string2: holdermail.txt
- 0x4067b7:$string2: holdermail.txt
- 0x4887b7:$string2: holdermail.txt
- 0x4887d7:$string2: holdermail.txt
- 0x4066d9:$string3: wallet.dat
- 0x4066f1:$string3: wallet.dat
- 0x406707:$string3: wallet.dat
- 0x4886f9:$string3: wallet.dat
- 0x488711:$string3: wallet.dat
- 0x488727:$string3: wallet.dat
- 0x407af3:$string4: Keylog Records
|
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x39191b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x41393b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
15.2.WindowsUpdate.exe.3ca56d8.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x406406:$hawkstr1: HawkEye Keylogger
- 0x407247:$hawkstr1: HawkEye Keylogger
- 0x407576:$hawkstr1: HawkEye Keylogger
- 0x4076d1:$hawkstr1: HawkEye Keylogger
- 0x407834:$hawkstr1: HawkEye Keylogger
- 0x407acb:$hawkstr1: HawkEye Keylogger
- 0x488426:$hawkstr1: HawkEye Keylogger
- 0x489267:$hawkstr1: HawkEye Keylogger
- 0x489596:$hawkstr1: HawkEye Keylogger
- 0x4896f1:$hawkstr1: HawkEye Keylogger
- 0x489854:$hawkstr1: HawkEye Keylogger
- 0x489aeb:$hawkstr1: HawkEye Keylogger
- 0x405f78:$hawkstr2: Dear HawkEye Customers!
- 0x4075c9:$hawkstr2: Dear HawkEye Customers!
- 0x407720:$hawkstr2: Dear HawkEye Customers!
- 0x407887:$hawkstr2: Dear HawkEye Customers!
- 0x487f98:$hawkstr2: Dear HawkEye Customers!
- 0x4895e9:$hawkstr2: Dear HawkEye Customers!
- 0x489740:$hawkstr2: Dear HawkEye Customers!
- 0x4898a7:$hawkstr2: Dear HawkEye Customers!
- 0x406099:$hawkstr3: HawkEye Logger Details:
|
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x405d51:$key: HawkEyeKeylogger
- 0x487d71:$key: HawkEyeKeylogger
- 0x407fcf:$salt: 099u787978786
- 0x489fef:$salt: 099u787978786
- 0x4063ae:$string1: HawkEye_Keylogger
- 0x407201:$string1: HawkEye_Keylogger
- 0x407f2f:$string1: HawkEye_Keylogger
- 0x4883ce:$string1: HawkEye_Keylogger
- 0x489221:$string1: HawkEye_Keylogger
- 0x489f4f:$string1: HawkEye_Keylogger
- 0x406797:$string2: holdermail.txt
- 0x4067b7:$string2: holdermail.txt
- 0x4887b7:$string2: holdermail.txt
- 0x4887d7:$string2: holdermail.txt
- 0x4066d9:$string3: wallet.dat
- 0x4066f1:$string3: wallet.dat
- 0x406707:$string3: wallet.dat
- 0x4886f9:$string3: wallet.dat
- 0x488711:$string3: wallet.dat
- 0x488727:$string3: wallet.dat
- 0x407af3:$string4: Keylog Records
|
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x39191b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x41393b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.2.WindowsUpdate.exe.42156d8.5.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x406406:$hawkstr1: HawkEye Keylogger
- 0x407247:$hawkstr1: HawkEye Keylogger
- 0x407576:$hawkstr1: HawkEye Keylogger
- 0x4076d1:$hawkstr1: HawkEye Keylogger
- 0x407834:$hawkstr1: HawkEye Keylogger
- 0x407acb:$hawkstr1: HawkEye Keylogger
- 0x488426:$hawkstr1: HawkEye Keylogger
- 0x489267:$hawkstr1: HawkEye Keylogger
- 0x489596:$hawkstr1: HawkEye Keylogger
- 0x4896f1:$hawkstr1: HawkEye Keylogger
- 0x489854:$hawkstr1: HawkEye Keylogger
- 0x489aeb:$hawkstr1: HawkEye Keylogger
- 0x405f78:$hawkstr2: Dear HawkEye Customers!
- 0x4075c9:$hawkstr2: Dear HawkEye Customers!
- 0x407720:$hawkstr2: Dear HawkEye Customers!
- 0x407887:$hawkstr2: Dear HawkEye Customers!
- 0x487f98:$hawkstr2: Dear HawkEye Customers!
- 0x4895e9:$hawkstr2: Dear HawkEye Customers!
- 0x489740:$hawkstr2: Dear HawkEye Customers!
- 0x4898a7:$hawkstr2: Dear HawkEye Customers!
- 0x406099:$hawkstr3: HawkEye Logger Details:
|