Play interactive tour

Edit tour

Windows Analysis Report xxTzyGLZx5.exe

Overview

General Information

Sample Name:	xxTzyGLZx5.exe
Analysis ID:	535501
MD5:	d5f570694f0847caea18ccac8837b052
SHA1:	b509737bb61ae0e9dee56ca2706456b3788ce553
SHA256:	ea209f6ba95920038ac83985be8bcffc1fda49631ed3142cfdd9f2acd52584b1
Tags:	exeRATRemcosRAT
Infos:
Most interesting Screenshot:

Detection

Remcos AgentTesla AveMaria HawkEye MailPassView SpyEx UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Yara detected HawkEye Keylogger

Yara detected AgentTesla

Detected unpacking (changes PE section rights)

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

Yara detected SpyEx stealer

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Detected Remcos RAT

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Creates multiple autostart registry keys

Sigma detected: Suspicious Script Execution From Temp Folder

Connects to many ports of the same IP (likely port scanning)

Uses cmd line tools excessively to alter registry or file data

Contains functionality to steal Firefox passwords or cookies

Writes or reads registry keys via WMI

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Sigma detected: WScript or CScript Dropper

Creates a thread in another existing process (thread injection)

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Sample uses process hollowing technique

Installs a global keyboard hook

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

Increases the number of concurrent connection per server for Internet Explorer

.NET source code references suspicious native API functions

Delayed program exit found

Contains functionality to hide user accounts

Contains functionality to log keystrokes (.Net Source)

Hides user accounts

Changes the view of files in windows explorer (hidden files and folders)

Yara detected WebBrowserPassView password recovery tool

Contains functionality to steal Chrome passwords or cookies

Sigma detected: Powershell Defender Exclusion

Machine Learning detection for dropped file

Tries to steal Instant Messenger accounts or passwords

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Modifies existing windows services

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Uses reg.exe to modify the Windows registry

Spawns drivers

PE file contains more sections than normal

Yara detected Keylogger Generic

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to read the clipboard data

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Detected TCP or UDP traffic on non-standard ports

Contains functionality to download and launch executables

Contains capabilities to detect virtual machines

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates or modifies windows services

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to simulate mouse events

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

xxTzyGLZx5.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\xxTzyGLZx5.exe" MD5: D5F570694F0847CAEA18CCAC8837B052)

xxTzyGLZx5.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\xxTzyGLZx5.exe" MD5: D5F570694F0847CAEA18CCAC8837B052)

bin.exe (PID: 7116 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" 0 MD5: 805FBB84293E86F25B566A5B2C2815D2)

powershell.exe (PID: 6324 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5984 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rem9090sta.exe (PID: 7136 cmdline: "C:\Users\user\AppData\Local\Temp\rem9090sta.exe" 0 MD5: 083D4CDE33E6721F595A468BB7D17ADA)

cmd.exe (PID: 7156 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6204 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)

wscript.exe (PID: 3740 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 6620 cmdline: C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

remcos.exe (PID: 3228 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: 083D4CDE33E6721F595A468BB7D17ADA)

remcos.exe (PID: 4200 cmdline: "C:\Users\user\AppData\Roaming\Remcos\remcos.exe" MD5: 083D4CDE33E6721F595A468BB7D17ADA)

cmd.exe (PID: 6076 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 7092 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)

remcos.exe (PID: 3228 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\jmtceghqeepjeivm" MD5: 083D4CDE33E6721F595A468BB7D17ADA)

remcos.exe (PID: 7100 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\moyvwyrrsmhoowrqsha" MD5: 083D4CDE33E6721F595A468BB7D17ADA)

remcos.exe (PID: 4720 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\wilgxqclgvztqcfubsndyj" MD5: 083D4CDE33E6721F595A468BB7D17ADA)

dwn.exe (PID: 6476 cmdline: "C:\Users\user\AppData\Roaming\Remcos\dwn.exe" MD5: 32EB10C12A29B38F13730CD1F5DCAD4D)

21.exe (PID: 3064 cmdline: "C:\Users\user\AppData\Local\Temp\21.exe" 0 MD5: 6C9447A6F1B04C75D95594338AE61E06)

21.exe (PID: 1900 cmdline: "C:\Users\user\AppData\Local\Temp\21.exe" 0 MD5: 6C9447A6F1B04C75D95594338AE61E06)

5.exe (PID: 5212 cmdline: "C:\Users\user\AppData\Local\Temp\5.exe" 0 MD5: 3F332B62EEE0970F3189C689D5BD042A)

5.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Local\Temp\5.exe" 0 MD5: 3F332B62EEE0970F3189C689D5BD042A)

Windows Update.exe (PID: 3980 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)

Windows Update.exe (PID: 6084 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)

dw20.exe (PID: 5276 cmdline: dw20.exe -x -s 2132 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

vbc.exe (PID: 980 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 2932 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

4.exe (PID: 6140 cmdline: "C:\Users\user\AppData\Local\Temp\4.exe" 0 MD5: 78EDE0254C66FA9E667E4CEB88754E1C)

4.exe (PID: 1260 cmdline: "C:\Users\user\AppData\Local\Temp\4.exe" 0 MD5: 78EDE0254C66FA9E667E4CEB88754E1C)

rdpvideominiport.sys (PID: 4 cmdline: MD5: 0600DF60EF88FD10663EC84709E5E245)

rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)

tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)

bin.exe (PID: 6472 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" MD5: 805FBB84293E86F25B566A5B2C2815D2)

remcos.exe (PID: 6416 cmdline: "C:\Users\user\AppData\Roaming\Remcos\remcos.exe" MD5: 083D4CDE33E6721F595A468BB7D17ADA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\bin.exe	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\Users\user\AppData\Local\Temp\bin.exe	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\bin.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Temp\bin.exe	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
C:\Users\user\AppData\Local\Temp\bin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\bin.exe	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
C:\Users\user\AppData\Local\Temp\bin.exe	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
C:\Users\user\AppData\Local\Temp\rem9090sta.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\rem9090sta.exe	REMCOS_RAT_variants	unknown	unknown	0x60744:$str_a1: C:\Windows\System32\cmd.exe 0x606c0:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x606c0:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fca8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60300:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f8ec:$str_b2: Executing file: 0x60888:$str_b3: GetDirectListeningPort 0x600c0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x602e8:$str_b7: \update.vbs 0x5f93c:$str_b9: Downloaded file: 0x5f928:$str_b10: Downloading file: 0x5f910:$str_b12: Failed to upload file: 0x60850:$str_b13: StartForward 0x60870:$str_b14: StopForward 0x60290:$str_b15: fso.DeleteFile " 0x60224:$str_b16: On Error Resume Next 0x602c0:$str_b17: fso.DeleteFolder " 0x5f900:$str_b18: Uploaded file: 0x5f97c:$str_b19: Unable to delete: 0x60258:$str_b20: while fso.FileExists(" 0x5fde1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Roaming\Remcos\remcos.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Roaming\Remcos\remcos.exe	REMCOS_RAT_variants	unknown	unknown	0x60744:$str_a1: C:\Windows\System32\cmd.exe 0x606c0:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x606c0:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fca8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60300:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f8ec:$str_b2: Executing file: 0x60888:$str_b3: GetDirectListeningPort 0x600c0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x602e8:$str_b7: \update.vbs 0x5f93c:$str_b9: Downloaded file: 0x5f928:$str_b10: Downloading file: 0x5f910:$str_b12: Failed to upload file: 0x60850:$str_b13: StartForward 0x60870:$str_b14: StopForward 0x60290:$str_b15: fso.DeleteFile " 0x60224:$str_b16: On Error Resume Next 0x602c0:$str_b17: fso.DeleteFolder " 0x5f900:$str_b18: Uploaded file: 0x5f97c:$str_b19: Unable to delete: 0x60258:$str_b20: while fso.FileExists(" 0x5fde1:$str_c0: [Firefox StoredLogins not found]
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000030.00000000.890118500.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000029.00000002.937591060.0000000000616000.00000004.00000020.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000002.937591060.0000000000616000.00000004.00000020.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000001F.00000000.728375820.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001D.00000002.730867358.00000000000E4000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.730867358.00000000000E4000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x908ca:$key: HawkEyeKeylogger 0x92b2c:$salt: 099u787978786 0x90f0b:$string1: HawkEye_Keylogger 0x91d5e:$string1: HawkEye_Keylogger 0x92a8c:$string1: HawkEye_Keylogger 0x912f4:$string2: holdermail.txt 0x91314:$string2: holdermail.txt 0x91236:$string3: wallet.dat 0x9124e:$string3: wallet.dat 0x91264:$string3: wallet.dat 0x92650:$string4: Keylog Records 0x92968:$string4: Keylog Records 0x92b84:$string5: do not script --> 0x908b2:$string6: \pidloc.txt 0x90940:$string7: BSPLIT 0x90950:$string7: BSPLIT
00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1c47b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x90f63:$hawkstr1: HawkEye Keylogger 0x91da4:$hawkstr1: HawkEye Keylogger 0x920d3:$hawkstr1: HawkEye Keylogger 0x9222e:$hawkstr1: HawkEye Keylogger 0x92391:$hawkstr1: HawkEye Keylogger 0x92628:$hawkstr1: HawkEye Keylogger 0x90af1:$hawkstr2: Dear HawkEye Customers! 0x92126:$hawkstr2: Dear HawkEye Customers! 0x9227d:$hawkstr2: Dear HawkEye Customers! 0x923e4:$hawkstr2: Dear HawkEye Customers! 0x90c12:$hawkstr3: HawkEye Logger Details:
00000029.00000000.798585509.0000000000414000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000000.798585509.0000000000414000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000027.00000002.930302567.0000000000400000.00000040.00000001.sdmp	JoeSecurity_SpyEx_1	Yara detected SpyEx stealer	Joe Security
00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x8ccca:$key: HawkEyeKeylogger 0x8ef2c:$salt: 099u787978786 0x8d30b:$string1: HawkEye_Keylogger 0x8e15e:$string1: HawkEye_Keylogger 0x8ee8c:$string1: HawkEye_Keylogger 0x8d6f4:$string2: holdermail.txt 0x8d714:$string2: holdermail.txt 0x8d636:$string3: wallet.dat 0x8d64e:$string3: wallet.dat 0x8d664:$string3: wallet.dat 0x8ea50:$string4: Keylog Records 0x8ed68:$string4: Keylog Records 0x8ef84:$string5: do not script --> 0x8ccb2:$string6: \pidloc.txt 0x8cd40:$string7: BSPLIT 0x8cd50:$string7: BSPLIT
00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x8d363:$hawkstr1: HawkEye Keylogger 0x8e1a4:$hawkstr1: HawkEye Keylogger 0x8e4d3:$hawkstr1: HawkEye Keylogger 0x8e62e:$hawkstr1: HawkEye Keylogger 0x8e791:$hawkstr1: HawkEye Keylogger 0x8ea28:$hawkstr1: HawkEye Keylogger 0x8cef1:$hawkstr2: Dear HawkEye Customers! 0x8e526:$hawkstr2: Dear HawkEye Customers! 0x8e67d:$hawkstr2: Dear HawkEye Customers! 0x8e7e4:$hawkstr2: Dear HawkEye Customers! 0x8d012:$hawkstr3: HawkEye Logger Details:
00000003.00000003.684193866.0000000000D36000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x18108:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x18108:$c1: Elevation:Administrator!new:
00000003.00000003.684193866.0000000000D36000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000003.684193866.0000000000D36000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.684193866.0000000000D36000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000002C.00000002.921284802.0000000007700000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000022.00000000.745207581.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000000.680253617.00000000000E4000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.680253617.00000000000E4000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000003.675040396.0000000002AD0000.00000004.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000003.675040396.0000000002AD0000.00000004.00000001.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000028.00000000.797700139.0000000000414000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7c8ca:$key: HawkEyeKeylogger 0x7eb2c:$salt: 099u787978786 0x7cf0b:$string1: HawkEye_Keylogger 0x7dd5e:$string1: HawkEye_Keylogger 0x7ea8c:$string1: HawkEye_Keylogger 0x7d2f4:$string2: holdermail.txt 0x7d314:$string2: holdermail.txt 0x7d236:$string3: wallet.dat 0x7d24e:$string3: wallet.dat 0x7d264:$string3: wallet.dat 0x7e650:$string4: Keylog Records 0x7e968:$string4: Keylog Records 0x7eb84:$string5: do not script --> 0x7c8b2:$string6: \pidloc.txt 0x7c940:$string7: BSPLIT 0x7c950:$string7: BSPLIT
00000028.00000000.797700139.0000000000414000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000028.00000000.797700139.0000000000414000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000028.00000000.797700139.0000000000414000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000028.00000000.797700139.0000000000414000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7cf63:$hawkstr1: HawkEye Keylogger 0x7dda4:$hawkstr1: HawkEye Keylogger 0x7e0d3:$hawkstr1: HawkEye Keylogger 0x7e22e:$hawkstr1: HawkEye Keylogger 0x7e391:$hawkstr1: HawkEye Keylogger 0x7e628:$hawkstr1: HawkEye Keylogger 0x7caf1:$hawkstr2: Dear HawkEye Customers! 0x7e126:$hawkstr2: Dear HawkEye Customers! 0x7e27d:$hawkstr2: Dear HawkEye Customers! 0x7e3e4:$hawkstr2: Dear HawkEye Customers! 0x7cc12:$hawkstr3: HawkEye Logger Details:
00000030.00000000.890500670.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000029.00000002.939895279.00000000023C0000.00000004.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000002.939895279.00000000023C0000.00000004.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.701188305.000000000065A000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.929087269.00000000000E4000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000000.789916886.0000000000400000.00000040.00000001.sdmp	JoeSecurity_SpyEx_1	Yara detected SpyEx stealer	Joe Security
00000003.00000002.929087269.00000000000E4000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000029.00000000.797295676.0000000000414000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000000.797295676.0000000000414000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000031.00000000.893007539.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000029.00000002.940282871.00000000028D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000002.940282871.00000000028D1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000000.785901828.0000000000400000.00000040.00000001.sdmp	JoeSecurity_SpyEx_1	Yara detected SpyEx stealer	Joe Security
00000003.00000002.929833680.000000000021F000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000002.929833680.000000000021F000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000028.00000000.794595068.0000000000414000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7c8ca:$key: HawkEyeKeylogger 0x7eb2c:$salt: 099u787978786 0x7cf0b:$string1: HawkEye_Keylogger 0x7dd5e:$string1: HawkEye_Keylogger 0x7ea8c:$string1: HawkEye_Keylogger 0x7d2f4:$string2: holdermail.txt 0x7d314:$string2: holdermail.txt 0x7d236:$string3: wallet.dat 0x7d24e:$string3: wallet.dat 0x7d264:$string3: wallet.dat 0x7e650:$string4: Keylog Records 0x7e968:$string4: Keylog Records 0x7eb84:$string5: do not script --> 0x7c8b2:$string6: \pidloc.txt 0x7c940:$string7: BSPLIT 0x7c950:$string7: BSPLIT
00000028.00000000.794595068.0000000000414000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000028.00000000.794595068.0000000000414000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000028.00000000.794595068.0000000000414000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000028.00000000.794595068.0000000000414000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7cf63:$hawkstr1: HawkEye Keylogger 0x7dda4:$hawkstr1: HawkEye Keylogger 0x7e0d3:$hawkstr1: HawkEye Keylogger 0x7e22e:$hawkstr1: HawkEye Keylogger 0x7e391:$hawkstr1: HawkEye Keylogger 0x7e628:$hawkstr1: HawkEye Keylogger 0x7caf1:$hawkstr2: Dear HawkEye Customers! 0x7e126:$hawkstr2: Dear HawkEye Customers! 0x7e27d:$hawkstr2: Dear HawkEye Customers! 0x7e3e4:$hawkstr2: Dear HawkEye Customers! 0x7cc12:$hawkstr3: HawkEye Logger Details:
0000002C.00000000.863600170.0000000000414000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7c8ca:$key: HawkEyeKeylogger 0x7eb2c:$salt: 099u787978786 0x7cf0b:$string1: HawkEye_Keylogger 0x7dd5e:$string1: HawkEye_Keylogger 0x7ea8c:$string1: HawkEye_Keylogger 0x7d2f4:$string2: holdermail.txt 0x7d314:$string2: holdermail.txt 0x7d236:$string3: wallet.dat 0x7d24e:$string3: wallet.dat 0x7d264:$string3: wallet.dat 0x7e650:$string4: Keylog Records 0x7e968:$string4: Keylog Records 0x7eb84:$string5: do not script --> 0x7c8b2:$string6: \pidloc.txt 0x7c940:$string7: BSPLIT 0x7c950:$string7: BSPLIT
0000002C.00000000.863600170.0000000000414000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002C.00000000.863600170.0000000000414000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000002C.00000000.863600170.0000000000414000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002C.00000000.863600170.0000000000414000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7cf63:$hawkstr1: HawkEye Keylogger 0x7dda4:$hawkstr1: HawkEye Keylogger 0x7e0d3:$hawkstr1: HawkEye Keylogger 0x7e22e:$hawkstr1: HawkEye Keylogger 0x7e391:$hawkstr1: HawkEye Keylogger 0x7e628:$hawkstr1: HawkEye Keylogger 0x7caf1:$hawkstr2: Dear HawkEye Customers! 0x7e126:$hawkstr2: Dear HawkEye Customers! 0x7e27d:$hawkstr2: Dear HawkEye Customers! 0x7e3e4:$hawkstr2: Dear HawkEye Customers! 0x7cc12:$hawkstr3: HawkEye Logger Details:
00000012.00000000.713254568.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000002C.00000001.865541542.0000000000414000.00000040.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7c8ca:$key: HawkEyeKeylogger 0x7eb2c:$salt: 099u787978786 0x7cf0b:$string1: HawkEye_Keylogger 0x7dd5e:$string1: HawkEye_Keylogger 0x7ea8c:$string1: HawkEye_Keylogger 0x7d2f4:$string2: holdermail.txt 0x7d314:$string2: holdermail.txt 0x7d236:$string3: wallet.dat 0x7d24e:$string3: wallet.dat 0x7d264:$string3: wallet.dat 0x7e650:$string4: Keylog Records 0x7e968:$string4: Keylog Records 0x7eb84:$string5: do not script --> 0x7c8b2:$string6: \pidloc.txt 0x7c940:$string7: BSPLIT 0x7c950:$string7: BSPLIT
0000002C.00000001.865541542.0000000000414000.00000040.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002C.00000001.865541542.0000000000414000.00000040.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000002C.00000001.865541542.0000000000414000.00000040.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002C.00000001.865541542.0000000000414000.00000040.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7cf63:$hawkstr1: HawkEye Keylogger 0x7dda4:$hawkstr1: HawkEye Keylogger 0x7e0d3:$hawkstr1: HawkEye Keylogger 0x7e22e:$hawkstr1: HawkEye Keylogger 0x7e391:$hawkstr1: HawkEye Keylogger 0x7e628:$hawkstr1: HawkEye Keylogger 0x7caf1:$hawkstr2: Dear HawkEye Customers! 0x7e126:$hawkstr2: Dear HawkEye Customers! 0x7e27d:$hawkstr2: Dear HawkEye Customers! 0x7e3e4:$hawkstr2: Dear HawkEye Customers! 0x7cc12:$hawkstr3: HawkEye Logger Details:
0000002C.00000002.918744871.0000000004B42000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
0000002C.00000002.918744871.0000000004B42000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002C.00000002.918744871.0000000004B42000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000002C.00000002.918744871.0000000004B42000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002C.00000002.918744871.0000000004B42000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
00000002.00000001.674846942.0000000000403000.00000040.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x193af:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x193af:$c1: Elevation:Administrator!new:
00000002.00000001.674846942.0000000000403000.00000040.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000001.674846942.0000000000403000.00000040.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000001.674846942.0000000000403000.00000040.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000001.674846942.0000000000403000.00000040.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000001.674846942.0000000000403000.00000040.00020000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000D.00000002.932016894.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.715029583.0000000000757000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b872:$key: HawkEyeKeylogger 0x7dad4:$salt: 099u787978786 0x7beb3:$string1: HawkEye_Keylogger 0x7cd06:$string1: HawkEye_Keylogger 0x7da34:$string1: HawkEye_Keylogger 0x7c29c:$string2: holdermail.txt 0x7c2bc:$string2: holdermail.txt 0x7c1de:$string3: wallet.dat 0x7c1f6:$string3: wallet.dat 0x7c20c:$string3: wallet.dat 0x7d5f8:$string4: Keylog Records 0x7d910:$string4: Keylog Records 0x7db2c:$string5: do not script --> 0x7b85a:$string6: \pidloc.txt 0x7b8e8:$string7: BSPLIT 0x7b8f8:$string7: BSPLIT
0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0b:$hawkstr1: HawkEye Keylogger 0x7cd4c:$hawkstr1: HawkEye Keylogger 0x7d07b:$hawkstr1: HawkEye Keylogger 0x7d1d6:$hawkstr1: HawkEye Keylogger 0x7d339:$hawkstr1: HawkEye Keylogger 0x7d5d0:$hawkstr1: HawkEye Keylogger 0x7ba99:$hawkstr2: Dear HawkEye Customers! 0x7d0ce:$hawkstr2: Dear HawkEye Customers! 0x7d225:$hawkstr2: Dear HawkEye Customers! 0x7d38c:$hawkstr2: Dear HawkEye Customers! 0x7bbba:$hawkstr3: HawkEye Logger Details:
00000031.00000000.895292691.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000D.00000000.709586712.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x8ccca:$key: HawkEyeKeylogger 0x8ef2c:$salt: 099u787978786 0x8d30b:$string1: HawkEye_Keylogger 0x8e15e:$string1: HawkEye_Keylogger 0x8ee8c:$string1: HawkEye_Keylogger 0x8d6f4:$string2: holdermail.txt 0x8d714:$string2: holdermail.txt 0x8d636:$string3: wallet.dat 0x8d64e:$string3: wallet.dat 0x8d664:$string3: wallet.dat 0x8ea50:$string4: Keylog Records 0x8ed68:$string4: Keylog Records 0x8ef84:$string5: do not script --> 0x8ccb2:$string6: \pidloc.txt 0x8cd40:$string7: BSPLIT 0x8cd50:$string7: BSPLIT
0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x8d363:$hawkstr1: HawkEye Keylogger 0x8e1a4:$hawkstr1: HawkEye Keylogger 0x8e4d3:$hawkstr1: HawkEye Keylogger 0x8e62e:$hawkstr1: HawkEye Keylogger 0x8e791:$hawkstr1: HawkEye Keylogger 0x8ea28:$hawkstr1: HawkEye Keylogger 0x8cef1:$hawkstr2: Dear HawkEye Customers! 0x8e526:$hawkstr2: Dear HawkEye Customers! 0x8e67d:$hawkstr2: Dear HawkEye Customers! 0x8e7e4:$hawkstr2: Dear HawkEye Customers! 0x8d012:$hawkstr3: HawkEye Logger Details:
00000022.00000002.746741703.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001D.00000000.726336718.000000000021F000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000001D.00000000.726336718.000000000021F000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000027.00000000.791751960.0000000000400000.00000040.00000001.sdmp	JoeSecurity_SpyEx_1	Yara detected SpyEx stealer	Joe Security
0000001D.00000002.730907039.000000000021F000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000001D.00000002.730907039.000000000021F000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7daca:$key: HawkEyeKeylogger 0x7fd2c:$salt: 099u787978786 0x7e10b:$string1: HawkEye_Keylogger 0x7ef5e:$string1: HawkEye_Keylogger 0x7fc8c:$string1: HawkEye_Keylogger 0x7e4f4:$string2: holdermail.txt 0x7e514:$string2: holdermail.txt 0x7e436:$string3: wallet.dat 0x7e44e:$string3: wallet.dat 0x7e464:$string3: wallet.dat 0x7f850:$string4: Keylog Records 0x7fb68:$string4: Keylog Records 0x7fd84:$string5: do not script --> 0x7dab2:$string6: \pidloc.txt 0x7db40:$string7: BSPLIT 0x7db50:$string7: BSPLIT
00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7e163:$hawkstr1: HawkEye Keylogger 0x7efa4:$hawkstr1: HawkEye Keylogger 0x7f2d3:$hawkstr1: HawkEye Keylogger 0x7f42e:$hawkstr1: HawkEye Keylogger 0x7f591:$hawkstr1: HawkEye Keylogger 0x7f828:$hawkstr1: HawkEye Keylogger 0x7dcf1:$hawkstr2: Dear HawkEye Customers! 0x7f326:$hawkstr2: Dear HawkEye Customers! 0x7f47d:$hawkstr2: Dear HawkEye Customers! 0x7f5e4:$hawkstr2: Dear HawkEye Customers! 0x7de12:$hawkstr3: HawkEye Logger Details:
00000003.00000003.684219433.0000000000D12000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.684219433.0000000000D12000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000028.00000002.838248522.0000000004851000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b892:$key: HawkEyeKeylogger 0x7daf4:$salt: 099u787978786 0x7bed3:$string1: HawkEye_Keylogger 0x7cd26:$string1: HawkEye_Keylogger 0x7da54:$string1: HawkEye_Keylogger 0x7c2bc:$string2: holdermail.txt 0x7c2dc:$string2: holdermail.txt 0x7c1fe:$string3: wallet.dat 0x7c216:$string3: wallet.dat 0x7c22c:$string3: wallet.dat 0x7d618:$string4: Keylog Records 0x7d930:$string4: Keylog Records 0x7db4c:$string5: do not script --> 0x7b87a:$string6: \pidloc.txt 0x7b908:$string7: BSPLIT 0x7b918:$string7: BSPLIT
00000028.00000002.838248522.0000000004851000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000028.00000002.838248522.0000000004851000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000028.00000002.838248522.0000000004851000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000028.00000002.838248522.0000000004851000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf2b:$hawkstr1: HawkEye Keylogger 0x7cd6c:$hawkstr1: HawkEye Keylogger 0x7d09b:$hawkstr1: HawkEye Keylogger 0x7d1f6:$hawkstr1: HawkEye Keylogger 0x7d359:$hawkstr1: HawkEye Keylogger 0x7d5f0:$hawkstr1: HawkEye Keylogger 0x7bab9:$hawkstr2: Dear HawkEye Customers! 0x7d0ee:$hawkstr2: Dear HawkEye Customers! 0x7d245:$hawkstr2: Dear HawkEye Customers! 0x7d3ac:$hawkstr2: Dear HawkEye Customers! 0x7bbda:$hawkstr3: HawkEye Logger Details:
0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x908ca:$key: HawkEyeKeylogger 0x92b2c:$salt: 099u787978786 0x90f0b:$string1: HawkEye_Keylogger 0x91d5e:$string1: HawkEye_Keylogger 0x92a8c:$string1: HawkEye_Keylogger 0x912f4:$string2: holdermail.txt 0x91314:$string2: holdermail.txt 0x91236:$string3: wallet.dat 0x9124e:$string3: wallet.dat 0x91264:$string3: wallet.dat 0x92650:$string4: Keylog Records 0x92968:$string4: Keylog Records 0x92b84:$string5: do not script --> 0x908b2:$string6: \pidloc.txt 0x90940:$string7: BSPLIT 0x90950:$string7: BSPLIT
0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1c47b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x90f63:$hawkstr1: HawkEye Keylogger 0x91da4:$hawkstr1: HawkEye Keylogger 0x920d3:$hawkstr1: HawkEye Keylogger 0x9222e:$hawkstr1: HawkEye Keylogger 0x92391:$hawkstr1: HawkEye Keylogger 0x92628:$hawkstr1: HawkEye Keylogger 0x90af1:$hawkstr2: Dear HawkEye Customers! 0x92126:$hawkstr2: Dear HawkEye Customers! 0x9227d:$hawkstr2: Dear HawkEye Customers! 0x923e4:$hawkstr2: Dear HawkEye Customers! 0x90c12:$hawkstr3: HawkEye Logger Details:
0000002C.00000002.918156876.0000000004A21000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b892:$key: HawkEyeKeylogger 0x7daf4:$salt: 099u787978786 0x7bed3:$string1: HawkEye_Keylogger 0x7cd26:$string1: HawkEye_Keylogger 0x7da54:$string1: HawkEye_Keylogger 0x7c2bc:$string2: holdermail.txt 0x7c2dc:$string2: holdermail.txt 0x7c1fe:$string3: wallet.dat 0x7c216:$string3: wallet.dat 0x7c22c:$string3: wallet.dat 0x7d618:$string4: Keylog Records 0x7d930:$string4: Keylog Records 0x7db4c:$string5: do not script --> 0x7b87a:$string6: \pidloc.txt 0x7b908:$string7: BSPLIT 0x7b918:$string7: BSPLIT
0000002C.00000002.918156876.0000000004A21000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002C.00000002.918156876.0000000004A21000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000002C.00000002.918156876.0000000004A21000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002C.00000002.918156876.0000000004A21000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf2b:$hawkstr1: HawkEye Keylogger 0x7cd6c:$hawkstr1: HawkEye Keylogger 0x7d09b:$hawkstr1: HawkEye Keylogger 0x7d1f6:$hawkstr1: HawkEye Keylogger 0x7d359:$hawkstr1: HawkEye Keylogger 0x7d5f0:$hawkstr1: HawkEye Keylogger 0x7bab9:$hawkstr2: Dear HawkEye Customers! 0x7d0ee:$hawkstr2: Dear HawkEye Customers! 0x7d245:$hawkstr2: Dear HawkEye Customers! 0x7d3ac:$hawkstr2: Dear HawkEye Customers! 0x7bbda:$hawkstr3: HawkEye Logger Details:
00000004.00000002.700865677.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000029.00000002.943516760.00000000038D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000002.943516760.00000000038D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000003.684269184.0000000000D36000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x18108:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x18108:$c1: Elevation:Administrator!new:
00000003.00000003.684269184.0000000000D36000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000003.684269184.0000000000D36000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.684269184.0000000000D36000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1b3af:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1b3af:$c1: Elevation:Administrator!new:
00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x166a7:$a1: \Opera Software\Opera Stable\Login Data 0x169cf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x16317:$a3: \Google\Chrome\User Data\Default\Login Data
00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x7ed4c:$str_a1: C:\Windows\System32\cmd.exe 0x7ecc8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x7ecc8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x7e2b0:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x7e908:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x7def4:$str_b2: Executing file: 0x7ee90:$str_b3: GetDirectListeningPort 0x7e6c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x7e8f0:$str_b7: \update.vbs 0x7df44:$str_b9: Downloaded file: 0x7df30:$str_b10: Downloading file: 0x7df18:$str_b12: Failed to upload file: 0x7ee58:$str_b13: StartForward 0x7ee78:$str_b14: StopForward 0x7e898:$str_b15: fso.DeleteFile " 0x7e82c:$str_b16: On Error Resume Next 0x7e8c8:$str_b17: fso.DeleteFolder " 0x7df08:$str_b18: Uploaded file: 0x7df84:$str_b19: Unable to delete: 0x7e860:$str_b20: while fso.FileExists(" 0x7e3e9:$str_c0: [Firefox StoredLogins not found]
0000000D.00000002.935198741.000000000064A000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000000.672609321.0000000000403000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x193af:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x193af:$c1: Elevation:Administrator!new:
00000002.00000000.672609321.0000000000403000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000000.672609321.0000000000403000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000000.672609321.0000000000403000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.672609321.0000000000403000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000000.672609321.0000000000403000.00000040.00000001.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000028.00000002.838427138.0000000004972000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
00000028.00000002.838427138.0000000004972000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000028.00000002.838427138.0000000004972000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000028.00000002.838427138.0000000004972000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000028.00000002.838427138.0000000004972000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
0000002C.00000002.921256513.00000000076B0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000002C.00000002.917761840.0000000003881000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7daca:$key: HawkEyeKeylogger 0x7fd2c:$salt: 099u787978786 0x7e10b:$string1: HawkEye_Keylogger 0x7ef5e:$string1: HawkEye_Keylogger 0x7fc8c:$string1: HawkEye_Keylogger 0x7e4f4:$string2: holdermail.txt 0x7e514:$string2: holdermail.txt 0x7e436:$string3: wallet.dat 0x7e44e:$string3: wallet.dat 0x7e464:$string3: wallet.dat 0x7f850:$string4: Keylog Records 0x7fb68:$string4: Keylog Records 0x7fd84:$string5: do not script --> 0x7dab2:$string6: \pidloc.txt 0x7db40:$string7: BSPLIT 0x7db50:$string7: BSPLIT
0000002C.00000002.917761840.0000000003881000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002C.00000002.917761840.0000000003881000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000002C.00000002.917761840.0000000003881000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002C.00000002.917761840.0000000003881000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7e163:$hawkstr1: HawkEye Keylogger 0x7efa4:$hawkstr1: HawkEye Keylogger 0x7f2d3:$hawkstr1: HawkEye Keylogger 0x7f42e:$hawkstr1: HawkEye Keylogger 0x7f591:$hawkstr1: HawkEye Keylogger 0x7f828:$hawkstr1: HawkEye Keylogger 0x7dcf1:$hawkstr2: Dear HawkEye Customers! 0x7f326:$hawkstr2: Dear HawkEye Customers! 0x7f47d:$hawkstr2: Dear HawkEye Customers! 0x7f5e4:$hawkstr2: Dear HawkEye Customers! 0x7de12:$hawkstr3: HawkEye Logger Details:
00000002.00000000.674013020.0000000000403000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x193af:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x193af:$c1: Elevation:Administrator!new:
00000002.00000000.674013020.0000000000403000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000000.674013020.0000000000403000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000000.674013020.0000000000403000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.674013020.0000000000403000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000000.674013020.0000000000403000.00000040.00000001.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000024.00000002.796886573.0000000014770000.00000004.00000001.sdmp	JoeSecurity_SpyEx_1	Yara detected SpyEx stealer	Joe Security
0000001D.00000000.726305427.00000000000E4000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000000.726305427.00000000000E4000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000029.00000001.801556734.0000000000414000.00000040.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000001.801556734.0000000000414000.00000040.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000012.00000002.714713917.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
00000029.00000002.940107209.0000000002522000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000002.940107209.0000000002522000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000002.939479958.000000000362C000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19210:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19210:$c1: Elevation:Administrator!new:
00000003.00000002.939479958.000000000362C000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000002.939479958.000000000362C000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.939479958.000000000362C000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000002.682814093.0000000000403000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x193af:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x193af:$c1: Elevation:Administrator!new:
00000002.00000002.682814093.0000000000403000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.682814093.0000000000403000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000002.682814093.0000000000403000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.682814093.0000000000403000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000002.682814093.000000000040

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report xxTzyGLZx5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps