7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87c2e:$s1: HawkEye Keylogger
- 0x87c97:$s1: HawkEye Keylogger
- 0x81071:$s2: _ScreenshotLogger
- 0x8103e:$s3: _PasswordStealer
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x87601:$name: ConfuserEx
- 0x8630e:$compile: AssemblyTitle
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.DHL_AWB 65335643399___pdf.exe.400000.4.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x8103e:$str1: _PasswordStealer
- 0x8104f:$str2: _KeyStrokeLogger
- 0x81071:$str3: _ScreenshotLogger
- 0x81060:$str4: _ClipboardLogger
- 0x81083:$str5: _WebCamLogger
- 0x81198:$str6: _AntiVirusKiller
- 0x81186:$str7: _ProcessElevation
- 0x8114d:$str8: _DisableCommandPrompt
- 0x81253:$str9: _WebsiteBlocker
- 0x81263:$str9: _WebsiteBlocker
- 0x81139:$str10: _DisableTaskManager
- 0x811b4:$str11: _AntiDebugger
- 0x8123e:$str12: _WebsiteVisitorSites
- 0x81163:$str13: _DisableRegEdit
- 0x811c2:$str14: _ExecutionDelay
- 0x810e7:$str15: _InstallStartupPersistance
|
27.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x147b0:$a1: logins.json
- 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x14f34:$s4: \mozsqlite3.dll
- 0x137a4:$s5: SMTP Password
|
27.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x11bb0:$a1: logins.json
- 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x12334:$s4: \mozsqlite3.dll
- 0x115a4:$s5: SMTP Password
|
7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
17.0.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
27.0.vbc.exe.400000.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
27.0.vbc.exe.400000.5.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x147b0:$a1: logins.json
- 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x14f34:$s4: \mozsqlite3.dll
- 0x137a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
27.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
27.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
27.0.vbc.exe.400000.5.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.5.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x11bb0:$a1: logins.json
- 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x12334:$s4: \mozsqlite3.dll
- 0x115a4:$s5: SMTP Password
|
7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87c2e:$s1: HawkEye Keylogger
- 0x87c97:$s1: HawkEye Keylogger
- 0x81071:$s2: _ScreenshotLogger
- 0x8103e:$s3: _PasswordStealer
|
0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x87601:$name: ConfuserEx
- 0x8630e:$compile: AssemblyTitle
|
0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x8103e:$str1: _PasswordStealer
- 0x8104f:$str2: _KeyStrokeLogger
- 0x81071:$str3: _ScreenshotLogger
- 0x81060:$str4: _ClipboardLogger
- 0x81083:$str5: _WebCamLogger
- 0x81198:$str6: _AntiVirusKiller
- 0x81186:$str7: _ProcessElevation
- 0x8114d:$str8: _DisableCommandPrompt
- 0x81253:$str9: _WebsiteBlocker
- 0x81263:$str9: _WebsiteBlocker
- 0x81139:$str10: _DisableTaskManager
- 0x811b4:$str11: _AntiDebugger
- 0x8123e:$str12: _WebsiteVisitorSites
- 0x81163:$str13: _DisableRegEdit
- 0x811c2:$str14: _ExecutionDelay
- 0x810e7:$str15: _InstallStartupPersistance
|
7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x696fa:$a1: logins.json
- 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x69e7e:$s4: \mozsqlite3.dll
- 0x686ee:$s5: SMTP Password
|
7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
27.0.vbc.exe.400000.4.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x147b0:$a1: logins.json
- 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x14f34:$s4: \mozsqlite3.dll
- 0x137a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87c2e:$s1: HawkEye Keylogger
- 0x87c97:$s1: HawkEye Keylogger
- 0x81071:$s2: _ScreenshotLogger
- 0x8103e:$s3: _PasswordStealer
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x87601:$name: ConfuserEx
- 0x8630e:$compile: AssemblyTitle
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.DHL_AWB 65335643399___pdf.exe.400000.12.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x8103e:$str1: _PasswordStealer
- 0x8104f:$str2: _KeyStrokeLogger
- 0x81071:$str3: _ScreenshotLogger
- 0x81060:$str4: _ClipboardLogger
- 0x81083:$str5: _WebCamLogger
- 0x81198:$str6: _AntiVirusKiller
- 0x81186:$str7: _ProcessElevation
- 0x8114d:$str8: _DisableCommandPrompt
- 0x81253:$str9: _WebsiteBlocker
- 0x81263:$str9: _WebsiteBlocker
- 0x81139:$str10: _DisableTaskManager
- 0x811b4:$str11: _AntiDebugger
- 0x8123e:$str12: _WebsiteVisitorSites
- 0x81163:$str13: _DisableRegEdit
- 0x811c2:$str14: _ExecutionDelay
- 0x810e7:$str15: _InstallStartupPersistance
|
7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b4fa:$a1: logins.json
- 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6bc7e:$s4: \mozsqlite3.dll
- 0x6a4ee:$s5: SMTP Password
|
7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.4fc0000.6.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.0.vbc.exe.400000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.0.vbc.exe.400000.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.vbc.exe.400000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x696fa:$a1: logins.json
- 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x69e7e:$s4: \mozsqlite3.dll
- 0x686ee:$s5: SMTP Password
|
7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
7.2.DHL_AWB 65335643399___pdf.exe.501834a.7.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b4fa:$a1: logins.json
- 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6bc7e:$s4: \mozsqlite3.dll
- 0x6a4ee:$s5: SMTP Password
|
7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.3.DHL_AWB 65335643399___pdf.exe.4355890.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
12.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
12.0.vbc.exe.400000.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
12.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.0.vbc.exe.400000.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
27.0.vbc.exe.400000.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x147b0:$a1: logins.json
- 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x14f34:$s4: \mozsqlite3.dll
- 0x137a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.0.vbc.exe.400000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87c2e:$s1: HawkEye Keylogger
- 0x87c97:$s1: HawkEye Keylogger
- 0x81071:$s2: _ScreenshotLogger
- 0x8103e:$s3: _PasswordStealer
|
7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x87601:$name: ConfuserEx
- 0x8630e:$compile: AssemblyTitle
|
7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.400000.0.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x8103e:$str1: _PasswordStealer
- 0x8104f:$str2: _KeyStrokeLogger
- 0x81071:$str3: _ScreenshotLogger
- 0x81060:$str4: _ClipboardLogger
- 0x81083:$str5: _WebCamLogger
- 0x81198:$str6: _AntiVirusKiller
- 0x81186:$str7: _ProcessElevation
- 0x8114d:$str8: _DisableCommandPrompt
- 0x81253:$str9: _WebsiteBlocker
- 0x81263:$str9: _WebsiteBlocker
- 0x81139:$str10: _DisableTaskManager
- 0x811b4:$str11: _AntiDebugger
- 0x8123e:$str12: _WebsiteVisitorSites
- 0x81163:$str13: _DisableRegEdit
- 0x811c2:$str14: _ExecutionDelay
- 0x810e7:$str15: _InstallStartupPersistance
|
12.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.0.vbc.exe.400000.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b1b5:$a1: logins.json
- 0x6b115:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6b939:$s4: \mozsqlite3.dll
- 0x6a1a9:$s5: SMTP Password
|
7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.3.DHL_AWB 65335643399___pdf.exe.4355bd5.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
12.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.vbc.exe.400000.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x1bf67e:$s1: HawkEye Keylogger
- 0x1bf6e7:$s1: HawkEye Keylogger
- 0x1b8ac1:$s2: _ScreenshotLogger
- 0x1b8a8e:$s3: _PasswordStealer
|
0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x1bf051:$name: ConfuserEx
- 0x18099:$compile: AssemblyTitle
- 0x1bdd5e:$compile: AssemblyTitle
|
0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.DHL_AWB 65335643399___pdf.exe.40b7740.4.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x1bf67e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x1bf6e7:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x1b8a8e:$str1: _PasswordStealer
- 0x1b8a9f:$str2: _KeyStrokeLogger
- 0x1b8ac1:$str3: _ScreenshotLogger
- 0x1b8ab0:$str4: _ClipboardLogger
- 0x1b8ad3:$str5: _WebCamLogger
- 0x1b8be8:$str6: _AntiVirusKiller
- 0x1b8bd6:$str7: _ProcessElevation
- 0x1b8b9d:$str8: _DisableCommandPrompt
- 0x1b8ca3:$str9: _WebsiteBlocker
- 0x1b8cb3:$str9: _WebsiteBlocker
- 0x1b8b89:$str10: _DisableTaskManager
- 0x1b8c04:$str11: _AntiDebugger
- 0x1b8c8e:$str12: _WebsiteVisitorSites
- 0x1b8bb3:$str13: _DisableRegEdit
- 0x1b8c12:$str14: _ExecutionDelay
- 0x1b8b37:$str15: _InstallStartupPersistance
|
17.0.vbc.exe.400000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.0.vbc.exe.400000.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.vbc.exe.400000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x14b230:$a1: logins.json
- 0x14b190:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x14b9b4:$s4: \mozsqlite3.dll
- 0x14a224:$s5: SMTP Password
|
7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
27.0.vbc.exe.400000.4.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
12.0.vbc.exe.400000.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
27.0.vbc.exe.400000.3.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x147b0:$a1: logins.json
- 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x14f34:$s4: \mozsqlite3.dll
- 0x137a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
17.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
12.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.0.vbc.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.0.vbc.exe.400000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x85e2e:$s1: HawkEye Keylogger
- 0x85e97:$s1: HawkEye Keylogger
- 0x7f271:$s2: _ScreenshotLogger
- 0x7f23e:$s3: _PasswordStealer
|
0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x85801:$name: ConfuserEx
- 0x8450e:$compile: AssemblyTitle
|
0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.DHL_AWB 65335643399___pdf.exe.41ef190.3.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x85e2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x85e97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x7f23e:$str1: _PasswordStealer
- 0x7f24f:$str2: _KeyStrokeLogger
- 0x7f271:$str3: _ScreenshotLogger
- 0x7f260:$str4: _ClipboardLogger
- 0x7f283:$str5: _WebCamLogger
- 0x7f398:$str6: _AntiVirusKiller
- 0x7f386:$str7: _ProcessElevation
- 0x7f34d:$str8: _DisableCommandPrompt
- 0x7f453:$str9: _WebsiteBlocker
- 0x7f463:$str9: _WebsiteBlocker
- 0x7f339:$str10: _DisableTaskManager
- 0x7f3b4:$str11: _AntiDebugger
- 0x7f43e:$str12: _WebsiteVisitorSites
- 0x7f363:$str13: _DisableRegEdit
- 0x7f3c2:$str14: _ExecutionDelay
- 0x7f2e7:$str15: _InstallStartupPersistance
|
7.2.DHL_AWB 65335643399___pdf.exe.3c1d9d0.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87c2e:$s1: HawkEye Keylogger
- 0x87c97:$s1: HawkEye Keylogger
- 0x81071:$s2: _ScreenshotLogger
- 0x8103e:$s3: _PasswordStealer
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x87601:$name: ConfuserEx
- 0x8630e:$compile: AssemblyTitle
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.DHL_AWB 65335643399___pdf.exe.400000.6.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x8103e:$str1: _PasswordStealer
- 0x8104f:$str2: _KeyStrokeLogger
- 0x81071:$str3: _ScreenshotLogger
- 0x81060:$str4: _ClipboardLogger
- 0x81083:$str5: _WebCamLogger
- 0x81198:$str6: _AntiVirusKiller
- 0x81186:$str7: _ProcessElevation
- 0x8114d:$str8: _DisableCommandPrompt
- 0x81253:$str9: _WebsiteBlocker
- 0x81263:$str9: _WebsiteBlocker
- 0x81139:$str10: _DisableTaskManager
- 0x811b4:$str11: _AntiDebugger
- 0x8123e:$str12: _WebsiteVisitorSites
- 0x81163:$str13: _DisableRegEdit
- 0x811c2:$str14: _ExecutionDelay
- 0x810e7:$str15: _InstallStartupPersistance
|
13.0.vbc.exe.400000.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
27.0.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.vbc.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.vbc.exe.400000.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87c2e:$s1: HawkEye Keylogger
- 0x87c97:$s1: HawkEye Keylogger
- 0x81071:$s2: _ScreenshotLogger
- 0x8103e:$s3: _PasswordStealer
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x87601:$name: ConfuserEx
- 0x8630e:$compile: AssemblyTitle
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.DHL_AWB 65335643399___pdf.exe.400000.8.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x8103e:$str1: _PasswordStealer
- 0x8104f:$str2: _KeyStrokeLogger
- 0x81071:$str3: _ScreenshotLogger
- 0x81060:$str4: _ClipboardLogger
- 0x81083:$str5: _WebCamLogger
- 0x81198:$str6: _AntiVirusKiller
- 0x81186:$str7: _ProcessElevation
- 0x8114d:$str8: _DisableCommandPrompt
- 0x81253:$str9: _WebsiteBlocker
- 0x81263:$str9: _WebsiteBlocker
- 0x81139:$str10: _DisableTaskManager
- 0x811b4:$str11: _AntiDebugger
- 0x8123e:$str12: _WebsiteVisitorSites
- 0x81163:$str13: _DisableRegEdit
- 0x811c2:$str14: _ExecutionDelay
- 0x810e7:$str15: _InstallStartupPersistance
|
12.0.vbc.exe.400000.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
27.0.vbc.exe.400000.3.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x87c2e:$s1: HawkEye Keylogger
- 0x87c97:$s1: HawkEye Keylogger
- 0x81071:$s2: _ScreenshotLogger
- 0x8103e:$s3: _PasswordStealer
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | - 0x87601:$name: ConfuserEx
- 0x8630e:$compile: AssemblyTitle
|
7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
7.0.DHL_AWB 65335643399___pdf.exe.400000.10.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | - 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
- 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x8103e:$str1: _PasswordStealer
- 0x8104f:$str2: _KeyStrokeLogger
- 0x81071:$str3: _ScreenshotLogger
- 0x81060:$str4: _ClipboardLogger
- 0x81083:$str5: _WebCamLogger
- 0x81198:$str6: _AntiVirusKiller
- 0x81186:$str7: _ProcessElevation
- 0x8114d:$str8: _DisableCommandPrompt
- 0x81253:$str9: _WebsiteBlocker
- 0x81263:$str9: _WebsiteBlocker
- 0x81139:$str10: _DisableTaskManager
- 0x811b4:$str11: _AntiDebugger
- 0x8123e:$str12: _WebsiteVisitorSites
- 0x81163:$str13: _DisableRegEdit
- 0x811c2:$str14: _ExecutionDelay
- 0x810e7:$str15: _InstallStartupPersistance
|
12.0.vbc.exe.400000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
27.0.vbc.exe.400000.2.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
27.0.vbc.exe.400000.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.0.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
12.0.vbc.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.vbc.exe.400000.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x6b1b5:$a1: logins.json
- 0x6b115:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x6b939:$s4: \mozsqlite3.dll
- 0x6a1a9:$s5: SMTP Password
|
7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.4fc0345.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
12.0.vbc.exe.400000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
17.0.vbc.exe.400000.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x131b0:$a1: logins.json
- 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x13934:$s4: \mozsqlite3.dll
- 0x121a4:$s5: SMTP Password
|
7.3.DHL_AWB 65335643399___pdf.exe.43adbda.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
17.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.DHL_AWB 65335643399___pdf.exe.2e32b8c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
17.0.vbc.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
12.0.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x1e7270:$a1: logins.json
- 0x1e71d0:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x1e79f4:$s4: \mozsqlite3.dll
- 0x1e6264:$s5: SMTP Password
|
7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.3b81990.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.2.DHL_AWB 65335643399___pdf.exe.3ae5950.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |