14.0.Windows Update.exe.76b0000.37.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
9.2.4.exe.47e0000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.47e0000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.4affa72.34.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
14.0.Windows Update.exe.4affa72.34.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4affa72.34.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4affa72.34.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
9.2.4.exe.47e0000.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.47e0000.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.2.Windows Update.exe.2586c92.5.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
14.2.Windows Update.exe.2586c92.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.2586c92.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.2586c92.5.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
9.2.4.exe.4830000.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.4830000.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
7.0.21.exe.400000.5.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
9.0.4.exe.400000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
18.0.vbc.exe.400000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.5.exe.14801458.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
4.2.5.exe.14801458.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.2.5.exe.14801458.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.5.exe.14801458.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.2.5.exe.14801458.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.5.exe.14801458.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
9.2.4.exe.7349b8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.7349b8.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
8.2.5.exe.4970000.15.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
8.2.5.exe.4970000.15.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.4970000.15.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.4970000.15.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.4970000.15.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.4970000.15.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.415058.10.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.0.Windows Update.exe.415058.10.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.415058.10.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.415058.10.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.415058.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.1.4.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.1.4.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.415058.10.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4a17e0d.29.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a10000.53.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.0.Windows Update.exe.4a10000.53.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.4a10000.53.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a10000.53.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a10000.53.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a10000.53.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
4.2.5.exe.14807860.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
4.2.5.exe.14807860.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.2.5.exe.14807860.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.5.exe.14807860.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.2.5.exe.14807860.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.5.exe.14807860.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.2530e2d.6.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.2.Windows Update.exe.2530e2d.6.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.2530e2d.6.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.2530e2d.6.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.2530e2d.6.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
9.0.4.exe.415058.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.415058.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
24.2.WindowsUpdate.exe.400000.1.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.400000.1.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.400000.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.400000.1.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.400000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.400000.1.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
22.2.WindowsUpdate.exe.147b1458.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
22.2.WindowsUpdate.exe.147b1458.3.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
22.2.WindowsUpdate.exe.147b1458.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.2.WindowsUpdate.exe.147b1458.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
22.2.WindowsUpdate.exe.147b1458.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
22.2.WindowsUpdate.exe.147b1458.3.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.391b065.10.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.2.Windows Update.exe.391b065.10.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.391b065.10.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.391b065.10.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.391b065.10.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
13.2.Windows Update.exe.14681458.2.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
13.2.Windows Update.exe.14681458.2.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
13.2.Windows Update.exe.14681458.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.Windows Update.exe.14681458.2.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.Windows Update.exe.14681458.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.Windows Update.exe.14681458.2.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
8.0.5.exe.41ce65.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.41ce65.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.0.4.exe.415058.10.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.415058.10.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
24.0.WindowsUpdate.exe.400000.6.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.400000.6.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.400000.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.400000.6.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.400000.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.400000.6.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.4aa9c0d.18.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.48d7e0d.11.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
8.2.5.exe.48d7e0d.11.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.48d7e0d.11.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.48d7e0d.11.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.48d7e0d.11.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.4979c0d.16.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
8.2.5.exe.4979c0d.16.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.4979c0d.16.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.4979c0d.16.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.4979c0d.16.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
24.0.WindowsUpdate.exe.41ce65.16.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.415058.12.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
8.0.5.exe.415058.12.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.415058.12.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.415058.12.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.415058.12.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.415058.12.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.252f428.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.2.Windows Update.exe.252f428.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.252f428.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.252f428.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.252f428.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.252f428.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.4aa0000.16.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.2.Windows Update.exe.4aa0000.16.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.4aa0000.16.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4aa0000.16.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.4aa0000.16.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.4aa0000.16.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.492dc72.13.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
8.2.5.exe.492dc72.13.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.492dc72.13.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.492dc72.13.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
9.2.4.exe.415058.0.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.415058.0.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
8.0.5.exe.41ce65.15.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.36f9660.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.36f9660.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.36f9660.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.36f9660.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.36f9660.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.36f9660.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
8.0.5.exe.400000.13.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
8.0.5.exe.400000.13.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.400000.13.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.400000.13.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.400000.13.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.400000.13.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.489ac92.9.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.13.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.13.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.13.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.13.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.13.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.13.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.48c0000.10.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.48c0000.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.48c0000.10.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.48c0000.10.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.48c0000.10.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.48c0000.10.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.1.Windows Update.exe.41ce65.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.1.Windows Update.exe.41ce65.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.1.Windows Update.exe.41ce65.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.1.Windows Update.exe.41ce65.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.1.Windows Update.exe.41ce65.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.4844e2d.8.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
8.2.5.exe.4844e2d.8.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.4844e2d.8.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.4844e2d.8.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.4844e2d.8.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.4aa8208.17.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.2.Windows Update.exe.4aa8208.17.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.4aa8208.17.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4aa8208.17.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.4aa8208.17.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.4aa8208.17.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.48d6408.12.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
8.2.5.exe.48d6408.12.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.48d6408.12.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.48d6408.12.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.48d6408.12.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.48d6408.12.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.400000.41.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x908ca:$key: HawkEyeKeylogger
- 0x92b2c:$salt: 099u787978786
- 0x90f0b:$string1: HawkEye_Keylogger
- 0x91d5e:$string1: HawkEye_Keylogger
- 0x92a8c:$string1: HawkEye_Keylogger
- 0x912f4:$string2: holdermail.txt
- 0x91314:$string2: holdermail.txt
- 0x91236:$string3: wallet.dat
- 0x9124e:$string3: wallet.dat
- 0x91264:$string3: wallet.dat
- 0x92650:$string4: Keylog Records
- 0x92968:$string4: Keylog Records
- 0x92b84:$string5: do not script -->
- 0x908b2:$string6: \pidloc.txt
- 0x90940:$string7: BSPLIT
- 0x90950:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.41.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1c47b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.41.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.41.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.41.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.41.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x90f63:$hawkstr1: HawkEye Keylogger
- 0x91da4:$hawkstr1: HawkEye Keylogger
- 0x920d3:$hawkstr1: HawkEye Keylogger
- 0x9222e:$hawkstr1: HawkEye Keylogger
- 0x92391:$hawkstr1: HawkEye Keylogger
- 0x92628:$hawkstr1: HawkEye Keylogger
- 0x90af1:$hawkstr2: Dear HawkEye Customers!
- 0x92126:$hawkstr2: Dear HawkEye Customers!
- 0x9227d:$hawkstr2: Dear HawkEye Customers!
- 0x923e4:$hawkstr2: Dear HawkEye Customers!
- 0x90c12:$hawkstr3: HawkEye Logger Details:
|
18.0.vbc.exe.400000.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.5.exe.147f0000.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
4.2.5.exe.147f0000.2.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.2.5.exe.147f0000.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.5.exe.147f0000.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.2.5.exe.147f0000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.5.exe.147f0000.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.3913258.28.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.0.Windows Update.exe.3913258.28.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.3913258.28.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.3913258.28.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.3913258.28.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.3913258.28.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.400000.20.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x908ca:$key: HawkEyeKeylogger
- 0x92b2c:$salt: 099u787978786
- 0x90f0b:$string1: HawkEye_Keylogger
- 0x91d5e:$string1: HawkEye_Keylogger
- 0x92a8c:$string1: HawkEye_Keylogger
- 0x912f4:$string2: holdermail.txt
- 0x91314:$string2: holdermail.txt
- 0x91236:$string3: wallet.dat
- 0x9124e:$string3: wallet.dat
- 0x91264:$string3: wallet.dat
- 0x92650:$string4: Keylog Records
- 0x92968:$string4: Keylog Records
- 0x92b84:$string5: do not script -->
- 0x908b2:$string6: \pidloc.txt
- 0x90940:$string7: BSPLIT
- 0x90950:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.20.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1c47b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.20.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.20.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.20.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.20.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x90f63:$hawkstr1: HawkEye Keylogger
- 0x91da4:$hawkstr1: HawkEye Keylogger
- 0x920d3:$hawkstr1: HawkEye Keylogger
- 0x9222e:$hawkstr1: HawkEye Keylogger
- 0x92391:$hawkstr1: HawkEye Keylogger
- 0x92628:$hawkstr1: HawkEye Keylogger
- 0x90af1:$hawkstr2: Dear HawkEye Customers!
- 0x92126:$hawkstr2: Dear HawkEye Customers!
- 0x9227d:$hawkstr2: Dear HawkEye Customers!
- 0x923e4:$hawkstr2: Dear HawkEye Customers!
- 0x90c12:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.41ce65.18.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.0.4.exe.400000.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.7.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.41ce65.16.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.0.4.exe.400000.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.400000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
22.2.WindowsUpdate.exe.147b9265.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.3643258.7.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
8.2.5.exe.3643258.7.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.3643258.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.3643258.7.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.3643258.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.3643258.7.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
24.0.WindowsUpdate.exe.400000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.400000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.400000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.400000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.415058.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.2.Windows Update.exe.415058.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.415058.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.415058.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.415058.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.415058.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
4.2.5.exe.14801458.1.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
4.2.5.exe.14801458.1.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.2.5.exe.14801458.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.5.exe.14801458.1.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.2.5.exe.14801458.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.5.exe.14801458.1.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
6.2.4.exe.147b1458.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
6.2.4.exe.147b1458.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
18.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.2530e2d.22.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41b460.39.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.41b460.39.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.41b460.39.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41b460.39.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.41b460.39.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41b460.39.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.48c7e0d.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.41b460.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
8.2.5.exe.41b460.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.41b460.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.41b460.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.41b460.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.41b460.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
9.2.4.exe.415058.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.415058.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.4aa0000.33.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.0.Windows Update.exe.4aa0000.33.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.4aa0000.33.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4aa0000.33.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4aa0000.33.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4aa0000.33.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
8.0.5.exe.400000.7.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
8.0.5.exe.400000.7.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.400000.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.400000.7.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.400000.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.400000.7.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
9.0.4.exe.400000.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
19.0.vbc.exe.400000.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.Windows Update.exe.14681458.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
13.2.Windows Update.exe.14681458.2.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
13.2.Windows Update.exe.14681458.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.Windows Update.exe.14681458.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.Windows Update.exe.14681458.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.Windows Update.exe.14681458.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
24.0.WindowsUpdate.exe.41ce65.16.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.41ce65.16.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.41ce65.16.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.41ce65.16.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.41ce65.16.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.489ac92.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
8.2.5.exe.489ac92.9.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.489ac92.9.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.489ac92.9.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
8.0.5.exe.400000.6.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
8.0.5.exe.400000.6.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.400000.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.400000.6.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.400000.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.400000.6.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.415058.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
8.2.5.exe.415058.3.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.415058.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.415058.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.415058.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.415058.3.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
6.2.4.exe.147a0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
6.2.4.exe.147a0000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.4aa9c0d.36.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.400000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.2.Windows Update.exe.400000.3.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.400000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.400000.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.400000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.400000.3.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.400000.5.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.5.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.5.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.5.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
7.0.21.exe.400000.8.raw.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
14.2.Windows Update.exe.4a10000.15.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.2.Windows Update.exe.4a10000.15.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.4a10000.15.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4a10000.15.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.4a10000.15.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.4a10000.15.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.4a10000.15.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.2.Windows Update.exe.4a10000.15.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.4a10000.15.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4a10000.15.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.4a10000.15.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.4a10000.15.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4aa9c0d.36.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.4aa9c0d.36.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4aa9c0d.36.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4aa9c0d.36.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4aa9c0d.36.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
19.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.15.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.0.Windows Update.exe.415058.15.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.415058.15.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.415058.15.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.415058.15.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.15.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
18.0.vbc.exe.400000.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a10000.30.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.0.Windows Update.exe.4a10000.30.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.4a10000.30.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a10000.30.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a10000.30.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a10000.30.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.49cfa72.18.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
3.2.21.exe.147a0000.1.raw.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
18.0.vbc.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4aa0000.55.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.0.Windows Update.exe.4aa0000.55.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.4aa0000.55.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4aa0000.55.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4aa0000.55.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4aa0000.55.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
7.1.21.exe.400000.0.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
7.2.21.exe.400000.0.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
7.0.21.exe.400000.7.raw.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
19.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.17.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.0.Windows Update.exe.415058.17.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.415058.17.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.415058.17.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.415058.17.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.17.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
9.0.4.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
8.0.5.exe.41ce65.15.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
8.0.5.exe.41ce65.15.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.41ce65.15.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.41ce65.15.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.41ce65.15.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.3649660.6.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
8.2.5.exe.3649660.6.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.3649660.6.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.3649660.6.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.3649660.6.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.3649660.6.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
9.0.4.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
8.0.5.exe.400000.5.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
8.0.5.exe.400000.5.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.400000.5.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.400000.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.400000.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.400000.5.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.26ab278.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.4950000.11.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.4950000.11.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.4950000.11.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.4950000.11.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.4950000.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.4950000.11.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.2939110.46.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x53a4:$key: HawkEyeKeylogger
- 0x5ca0:$salt: 099u787978786
- 0x1a150:$string1: HawkEye_Keylogger
- 0x20c4c:$string1: HawkEye_Keylogger
- 0x1e638:$string2: holdermail.txt
- 0x1e668:$string2: holdermail.txt
- 0x1b57e:$string3: wallet.dat
- 0x1b5a6:$string3: wallet.dat
- 0x1b5cc:$string3: wallet.dat
- 0x1c9c4:$string4: Keylog Records
- 0x1ccfa:$string4: Keylog Records
- 0xa304:$string5: do not script -->
- 0x537c:$string6: \pidloc.txt
- 0x5484:$string7: BSPLIT
- 0x54a4:$string7: BSPLIT
|
14.0.Windows Update.exe.2939110.46.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x21f63:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.2939110.46.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.2939110.46.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1a1e0:$hawkstr1: HawkEye Keylogger
- 0x1b7e4:$hawkstr1: HawkEye Keylogger
- 0x1bb7c:$hawkstr1: HawkEye Keylogger
- 0x1c99c:$hawkstr1: HawkEye Keylogger
- 0x20ca4:$hawkstr1: HawkEye Keylogger
- 0x23144:$hawkstr1: HawkEye Keylogger
- 0x19c58:$hawkstr2: Dear HawkEye Customers!
- 0x1b848:$hawkstr2: Dear HawkEye Customers!
- 0x1bbe0:$hawkstr2: Dear HawkEye Customers!
- 0x231a4:$hawkstr2: Dear HawkEye Customers!
- 0x19d8a:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.41ce65.16.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.41ce65.16.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41ce65.16.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.41ce65.16.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41ce65.16.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
7.0.21.exe.400000.6.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
4.2.5.exe.14809265.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.492dc72.13.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.415058.15.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.415058.15.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.415058.15.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.415058.15.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.415058.15.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.415058.15.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.4844e2d.8.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.1.Windows Update.exe.415058.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.1.Windows Update.exe.415058.2.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.1.Windows Update.exe.415058.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.1.Windows Update.exe.415058.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.1.Windows Update.exe.415058.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.1.Windows Update.exe.415058.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.415058.10.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.0.Windows Update.exe.415058.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.415058.10.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.415058.10.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.415058.10.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.10.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4a6dc72.32.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.2586c92.45.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
14.0.Windows Update.exe.2586c92.45.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.2586c92.45.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.2586c92.45.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.4a17e0d.12.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.2.Windows Update.exe.4a17e0d.12.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4a17e0d.12.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.4a17e0d.12.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.4a17e0d.12.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.391b065.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
22.2.WindowsUpdate.exe.147b1458.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
22.2.WindowsUpdate.exe.147b1458.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
22.2.WindowsUpdate.exe.147b1458.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.2.WindowsUpdate.exe.147b1458.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
22.2.WindowsUpdate.exe.147b1458.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
22.2.WindowsUpdate.exe.147b1458.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.415058.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
8.2.5.exe.415058.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.415058.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.415058.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.415058.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.415058.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
22.2.WindowsUpdate.exe.147b7860.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
22.2.WindowsUpdate.exe.147b7860.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
22.2.WindowsUpdate.exe.147b7860.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.2.WindowsUpdate.exe.147b7860.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
22.2.WindowsUpdate.exe.147b7860.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
22.2.WindowsUpdate.exe.147b7860.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
9.0.4.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
24.0.WindowsUpdate.exe.415058.10.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.415058.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.415058.10.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.415058.10.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.415058.10.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.415058.10.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.4a6dc72.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
14.2.Windows Update.exe.4a6dc72.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4a6dc72.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.4a6dc72.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.2530e2d.43.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4aa9c0d.58.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.4a17e0d.12.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.415058.16.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
8.0.5.exe.415058.16.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.415058.16.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.415058.16.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.415058.16.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.415058.16.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
24.0.WindowsUpdate.exe.400000.7.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.400000.7.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.400000.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.400000.7.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.400000.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.400000.7.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
18.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41ce65.42.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.41ce65.42.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41ce65.42.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.41ce65.42.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41ce65.42.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
24.0.WindowsUpdate.exe.400000.5.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.400000.5.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.400000.5.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.400000.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.400000.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.400000.5.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.41b460.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.41b460.2.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.41b460.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.41b460.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.41b460.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.41b460.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.3919660.27.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.3919660.27.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.3919660.27.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.3919660.27.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.3919660.27.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.3919660.27.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.3919660.50.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.3919660.50.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.3919660.50.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.3919660.50.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.3919660.50.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.3919660.50.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.391b065.49.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.391b065.49.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.391b065.49.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.391b065.49.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.391b065.49.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.2586c92.5.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.36fb065.6.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.36fb065.6.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.36fb065.6.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.36fb065.6.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.36fb065.6.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.36f3258.5.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.36f3258.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.36f3258.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.36f3258.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.36f3258.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.36f3258.5.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.3913258.48.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.0.Windows Update.exe.3913258.48.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.3913258.48.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.3913258.48.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.3913258.48.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.3913258.48.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.41ce65.11.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.41ce65.11.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41ce65.11.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.41ce65.11.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41ce65.11.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
7.0.21.exe.400000.5.raw.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
14.0.Windows Update.exe.4aa8208.35.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.4aa8208.35.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.4aa8208.35.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4aa8208.35.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4aa8208.35.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4aa8208.35.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
8.2.5.exe.400000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4aa9c0d.58.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.4aa9c0d.58.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4aa9c0d.58.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4aa9c0d.58.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4aa9c0d.58.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.2530e2d.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.48c7e0d.7.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.48c7e0d.7.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.48c7e0d.7.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.48c7e0d.7.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.48c7e0d.7.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.415058.0.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.415058.0.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.415058.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.415058.0.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.415058.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.415058.0.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
7.0.21.exe.400000.7.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
24.2.WindowsUpdate.exe.4959c0d.12.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.4959c0d.12.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.4959c0d.12.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.4959c0d.12.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.4959c0d.12.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.295a058.47.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.2586c92.21.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41ce65.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
22.2.WindowsUpdate.exe.147a0000.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
22.2.WindowsUpdate.exe.147a0000.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
22.2.WindowsUpdate.exe.147a0000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.2.WindowsUpdate.exe.147a0000.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
22.2.WindowsUpdate.exe.147a0000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
22.2.WindowsUpdate.exe.147a0000.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
8.0.5.exe.400000.8.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
8.0.5.exe.400000.8.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.400000.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.400000.8.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.400000.8.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.400000.8.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4a16408.52.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.4a16408.52.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.4a16408.52.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a16408.52.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a16408.52.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a16408.52.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
7.0.21.exe.400000.6.raw.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
14.1.Windows Update.exe.41ce65.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.2.4.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.2.Windows Update.exe.3919660.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.2.Windows Update.exe.3919660.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.3919660.9.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.3919660.9.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.3919660.9.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.3919660.9.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
7.1.21.exe.400000.0.raw.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
24.2.WindowsUpdate.exe.48c0000.10.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.48c0000.10.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.48c0000.10.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.48c0000.10.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.48c0000.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.48c0000.10.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.4958208.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.4958208.14.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.4958208.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.4958208.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.4958208.14.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.4958208.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.41b460.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.41b460.14.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.41b460.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41b460.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.41b460.14.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41b460.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4affa72.56.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.415058.15.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.415058.15.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.415058.15.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.415058.15.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.415058.15.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.415058.15.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.3913258.11.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.2.Windows Update.exe.3913258.11.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.3913258.11.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.3913258.11.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.3913258.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.3913258.11.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
4.2.5.exe.147f0000.2.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x890ca:$key: HawkEyeKeylogger
- 0x8b32c:$salt: 099u787978786
- 0x8970b:$string1: HawkEye_Keylogger
- 0x8a55e:$string1: HawkEye_Keylogger
- 0x8b28c:$string1: HawkEye_Keylogger
- 0x89af4:$string2: holdermail.txt
- 0x89b14:$string2: holdermail.txt
- 0x89a36:$string3: wallet.dat
- 0x89a4e:$string3: wallet.dat
- 0x89a64:$string3: wallet.dat
- 0x8ae50:$string4: Keylog Records
- 0x8b168:$string4: Keylog Records
- 0x8b384:$string5: do not script -->
- 0x890b2:$string6: \pidloc.txt
- 0x89140:$string7: BSPLIT
- 0x89150:$string7: BSPLIT
|
4.2.5.exe.147f0000.2.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x14c7b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.2.5.exe.147f0000.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.5.exe.147f0000.2.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.2.5.exe.147f0000.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.5.exe.147f0000.2.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x89763:$hawkstr1: HawkEye Keylogger
- 0x8a5a4:$hawkstr1: HawkEye Keylogger
- 0x8a8d3:$hawkstr1: HawkEye Keylogger
- 0x8aa2e:$hawkstr1: HawkEye Keylogger
- 0x8ab91:$hawkstr1: HawkEye Keylogger
- 0x8ae28:$hawkstr1: HawkEye Keylogger
- 0x892f1:$hawkstr2: Dear HawkEye Customers!
- 0x8a926:$hawkstr2: Dear HawkEye Customers!
- 0x8aa7d:$hawkstr2: Dear HawkEye Customers!
- 0x8abe4:$hawkstr2: Dear HawkEye Customers!
- 0x89412:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.41ce65.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.2.Windows Update.exe.41ce65.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.41ce65.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.41ce65.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.41ce65.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4aa8208.57.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.4aa8208.57.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.4aa8208.57.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4aa8208.57.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4aa8208.57.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4aa8208.57.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4a10000.30.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.0.Windows Update.exe.4a10000.30.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.4a10000.30.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a10000.30.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a10000.30.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a10000.30.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
9.2.4.exe.400000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.400000.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.2.Windows Update.exe.295a058.8.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.41b460.10.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
8.0.5.exe.41b460.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.41b460.10.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.41b460.10.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.41b460.10.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.41b460.10.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.2530e2d.22.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.2530e2d.22.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.2530e2d.22.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.2530e2d.22.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.2530e2d.22.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
19.0.vbc.exe.400000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.1.Windows Update.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.1.Windows Update.exe.400000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.1.Windows Update.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.1.Windows Update.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.1.Windows Update.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.1.Windows Update.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4affa72.34.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.400000.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x908ca:$key: HawkEyeKeylogger
- 0x92b2c:$salt: 099u787978786
- 0x90f0b:$string1: HawkEye_Keylogger
- 0x91d5e:$string1: HawkEye_Keylogger
- 0x92a8c:$string1: HawkEye_Keylogger
- 0x912f4:$string2: holdermail.txt
- 0x91314:$string2: holdermail.txt
- 0x91236:$string3: wallet.dat
- 0x9124e:$string3: wallet.dat
- 0x91264:$string3: wallet.dat
- 0x92650:$string4: Keylog Records
- 0x92968:$string4: Keylog Records
- 0x92b84:$string5: do not script -->
- 0x908b2:$string6: \pidloc.txt
- 0x90940:$string7: BSPLIT
- 0x90950:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.400000.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1c47b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.400000.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.400000.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.400000.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.400000.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x90f63:$hawkstr1: HawkEye Keylogger
- 0x91da4:$hawkstr1: HawkEye Keylogger
- 0x920d3:$hawkstr1: HawkEye Keylogger
- 0x9222e:$hawkstr1: HawkEye Keylogger
- 0x92391:$hawkstr1: HawkEye Keylogger
- 0x92628:$hawkstr1: HawkEye Keylogger
- 0x90af1:$hawkstr2: Dear HawkEye Customers!
- 0x92126:$hawkstr2: Dear HawkEye Customers!
- 0x9227d:$hawkstr2: Dear HawkEye Customers!
- 0x923e4:$hawkstr2: Dear HawkEye Customers!
- 0x90c12:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.4a6dc72.14.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.0.4.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
8.0.5.exe.41b460.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
8.0.5.exe.41b460.14.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.41b460.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.41b460.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.41b460.14.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.41b460.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4a6dc72.54.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.Windows Update.exe.14670000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x890ca:$key: HawkEyeKeylogger
- 0x8b32c:$salt: 099u787978786
- 0x8970b:$string1: HawkEye_Keylogger
- 0x8a55e:$string1: HawkEye_Keylogger
- 0x8b28c:$string1: HawkEye_Keylogger
- 0x89af4:$string2: holdermail.txt
- 0x89b14:$string2: holdermail.txt
- 0x89a36:$string3: wallet.dat
- 0x89a4e:$string3: wallet.dat
- 0x89a64:$string3: wallet.dat
- 0x8ae50:$string4: Keylog Records
- 0x8b168:$string4: Keylog Records
- 0x8b384:$string5: do not script -->
- 0x890b2:$string6: \pidloc.txt
- 0x89140:$string7: BSPLIT
- 0x89150:$string7: BSPLIT
|
13.2.Windows Update.exe.14670000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x14c7b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
13.2.Windows Update.exe.14670000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.Windows Update.exe.14670000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.Windows Update.exe.14670000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.Windows Update.exe.14670000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x89763:$hawkstr1: HawkEye Keylogger
- 0x8a5a4:$hawkstr1: HawkEye Keylogger
- 0x8a8d3:$hawkstr1: HawkEye Keylogger
- 0x8aa2e:$hawkstr1: HawkEye Keylogger
- 0x8ab91:$hawkstr1: HawkEye Keylogger
- 0x8ae28:$hawkstr1: HawkEye Keylogger
- 0x892f1:$hawkstr2: Dear HawkEye Customers!
- 0x8a926:$hawkstr2: Dear HawkEye Customers!
- 0x8aa7d:$hawkstr2: Dear HawkEye Customers!
- 0x8abe4:$hawkstr2: Dear HawkEye Customers!
- 0x89412:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.49afa72.13.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
9.1.4.exe.415058.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.1.4.exe.415058.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.4a6dc72.54.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
14.0.Windows Update.exe.4a6dc72.54.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a6dc72.54.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a6dc72.54.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.391b065.26.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.391b065.26.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.391b065.26.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.391b065.26.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.391b065.26.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.415058.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.415058.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.415058.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.415058.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.415058.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.415058.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.41ce65.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.6.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.6.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.6.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.6.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.252f428.23.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.252f428.23.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.252f428.23.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.252f428.23.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.252f428.23.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.252f428.23.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
9.1.4.exe.415058.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.1.4.exe.415058.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
24.0.WindowsUpdate.exe.41ce65.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.vbc.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.4affa72.19.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
14.2.Windows Update.exe.4affa72.19.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4affa72.19.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.4affa72.19.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4a6dc72.32.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
14.0.Windows Update.exe.4a6dc72.32.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a6dc72.32.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a6dc72.32.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4affa72.56.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
14.0.Windows Update.exe.4affa72.56.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4affa72.56.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4affa72.56.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
8.0.5.exe.41ce65.11.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
8.0.5.exe.41ce65.11.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.41ce65.11.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.41ce65.11.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.41ce65.11.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.1.Windows Update.exe.41b460.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.1.Windows Update.exe.41b460.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.1.Windows Update.exe.41b460.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.1.Windows Update.exe.41b460.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.1.Windows Update.exe.41b460.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.1.Windows Update.exe.41b460.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
3.2.21.exe.147a0000.1.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
14.2.Windows Update.exe.400000.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x908ca:$key: HawkEyeKeylogger
- 0x92b2c:$salt: 099u787978786
- 0x90f0b:$string1: HawkEye_Keylogger
- 0x91d5e:$string1: HawkEye_Keylogger
- 0x92a8c:$string1: HawkEye_Keylogger
- 0x912f4:$string2: holdermail.txt
- 0x91314:$string2: holdermail.txt
- 0x91236:$string3: wallet.dat
- 0x9124e:$string3: wallet.dat
- 0x91264:$string3: wallet.dat
- 0x92650:$string4: Keylog Records
- 0x92968:$string4: Keylog Records
- 0x92b84:$string5: do not script -->
- 0x908b2:$string6: \pidloc.txt
- 0x90940:$string7: BSPLIT
- 0x90950:$string7: BSPLIT
|
14.2.Windows Update.exe.400000.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1c47b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.400000.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.400000.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.400000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.400000.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x90f63:$hawkstr1: HawkEye Keylogger
- 0x91da4:$hawkstr1: HawkEye Keylogger
- 0x920d3:$hawkstr1: HawkEye Keylogger
- 0x9222e:$hawkstr1: HawkEye Keylogger
- 0x92391:$hawkstr1: HawkEye Keylogger
- 0x92628:$hawkstr1: HawkEye Keylogger
- 0x90af1:$hawkstr2: Dear HawkEye Customers!
- 0x92126:$hawkstr2: Dear HawkEye Customers!
- 0x9227d:$hawkstr2: Dear HawkEye Customers!
- 0x923e4:$hawkstr2: Dear HawkEye Customers!
- 0x90c12:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.7700000.38.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.400000.9.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
8.0.5.exe.400000.9.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.400000.9.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.400000.9.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.400000.9.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.400000.9.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.41b460.19.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.41b460.19.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.41b460.19.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41b460.19.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.41b460.19.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41b460.19.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
13.2.Windows Update.exe.14687860.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
13.2.Windows Update.exe.14687860.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
13.2.Windows Update.exe.14687860.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.Windows Update.exe.14687860.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.Windows Update.exe.14687860.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.Windows Update.exe.14687860.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.415058.40.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.0.Windows Update.exe.415058.40.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.415058.40.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.415058.40.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.415058.40.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.40.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.48c6408.8.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.48c6408.8.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.2.WindowsUpdate.exe.48c6408.8.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.48c6408.8.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.48c6408.8.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.48c6408.8.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.491dc72.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.491dc72.9.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.491dc72.9.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.491dc72.9.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
19.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.0.4.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.3913258.48.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.0.Windows Update.exe.3913258.48.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.3913258.48.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.3913258.48.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.3913258.48.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.3913258.48.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
13.2.Windows Update.exe.14670000.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
13.2.Windows Update.exe.14670000.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
13.2.Windows Update.exe.14670000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.Windows Update.exe.14670000.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.Windows Update.exe.14670000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.Windows Update.exe.14670000.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.41ce65.18.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.41ce65.18.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41ce65.18.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.41ce65.18.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41ce65.18.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.400000.8.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.8.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.8.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.8.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.8.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
13.2.Windows Update.exe.14689265.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
13.2.Windows Update.exe.14689265.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
13.2.Windows Update.exe.14689265.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
13.2.Windows Update.exe.14689265.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
13.2.Windows Update.exe.14689265.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
8.0.5.exe.415058.16.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
8.0.5.exe.415058.16.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.415058.16.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.415058.16.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.415058.16.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.415058.16.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
9.2.4.exe.37e3258.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.37e3258.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.2.Windows Update.exe.7700000.21.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.48d0000.14.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
8.2.5.exe.48d0000.14.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.48d0000.14.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.48d0000.14.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.48d0000.14.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.48d0000.14.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.49cfa72.18.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
8.2.5.exe.49cfa72.18.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.49cfa72.18.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.49cfa72.18.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.41b460.0.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.2.Windows Update.exe.41b460.0.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.41b460.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.41b460.0.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.41b460.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.41b460.0.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4a17e0d.51.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41b460.12.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.0.Windows Update.exe.41b460.12.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.41b460.12.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.41b460.12.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.41b460.12.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.41b460.12.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.41ce65.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.49afa72.13.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
24.2.WindowsUpdate.exe.49afa72.13.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.49afa72.13.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.49afa72.13.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
24.0.WindowsUpdate.exe.400000.8.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.400000.8.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.400000.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.400000.8.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.400000.8.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.400000.8.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.400000.20.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.20.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.20.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.20.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.20.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.20.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.4aa9c0d.18.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.2.Windows Update.exe.4aa9c0d.18.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4aa9c0d.18.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.4aa9c0d.18.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.4aa9c0d.18.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.415058.17.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.0.Windows Update.exe.415058.17.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.415058.17.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.415058.17.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.415058.17.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.17.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.415058.40.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.0.Windows Update.exe.415058.40.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.415058.40.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.415058.40.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.415058.40.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.40.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.7700000.60.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
9.2.4.exe.37e3258.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.37e3258.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.2.Windows Update.exe.76b0000.20.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.41b460.12.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.41b460.12.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.41b460.12.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.41b460.12.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.41b460.12.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.41b460.12.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.400000.0.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x908ca:$key: HawkEyeKeylogger
- 0x92b2c:$salt: 099u787978786
- 0x90f0b:$string1: HawkEye_Keylogger
- 0x91d5e:$string1: HawkEye_Keylogger
- 0x92a8c:$string1: HawkEye_Keylogger
- 0x912f4:$string2: holdermail.txt
- 0x91314:$string2: holdermail.txt
- 0x91236:$string3: wallet.dat
- 0x9124e:$string3: wallet.dat
- 0x91264:$string3: wallet.dat
- 0x92650:$string4: Keylog Records
- 0x92968:$string4: Keylog Records
- 0x92b84:$string5: do not script -->
- 0x908b2:$string6: \pidloc.txt
- 0x90940:$string7: BSPLIT
- 0x90950:$string7: BSPLIT
|
8.2.5.exe.400000.0.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1c47b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.400000.0.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.400000.0.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x90f63:$hawkstr1: HawkEye Keylogger
- 0x91da4:$hawkstr1: HawkEye Keylogger
- 0x920d3:$hawkstr1: HawkEye Keylogger
- 0x9222e:$hawkstr1: HawkEye Keylogger
- 0x92391:$hawkstr1: HawkEye Keylogger
- 0x92628:$hawkstr1: HawkEye Keylogger
- 0x90af1:$hawkstr2: Dear HawkEye Customers!
- 0x92126:$hawkstr2: Dear HawkEye Customers!
- 0x9227d:$hawkstr2: Dear HawkEye Customers!
- 0x923e4:$hawkstr2: Dear HawkEye Customers!
- 0x90c12:$hawkstr3: HawkEye Logger Details:
|
6.2.4.exe.147b1458.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
6.2.4.exe.147b1458.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
13.2.Windows Update.exe.14689265.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.41ce65.11.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.41ce65.11.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.41ce65.11.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.41ce65.11.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.41ce65.11.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.400000.7.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.7.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.7.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.7.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.7.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
18.0.vbc.exe.400000.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
7.0.21.exe.400000.8.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
7.0.21.exe.400000.4.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
9.0.4.exe.415058.12.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.415058.12.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.2.Windows Update.exe.415058.1.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x79a72:$key: HawkEyeKeylogger
- 0x7bcd4:$salt: 099u787978786
- 0x7a0b3:$string1: HawkEye_Keylogger
- 0x7af06:$string1: HawkEye_Keylogger
- 0x7bc34:$string1: HawkEye_Keylogger
- 0x7a49c:$string2: holdermail.txt
- 0x7a4bc:$string2: holdermail.txt
- 0x7a3de:$string3: wallet.dat
- 0x7a3f6:$string3: wallet.dat
- 0x7a40c:$string3: wallet.dat
- 0x7b7f8:$string4: Keylog Records
- 0x7bb10:$string4: Keylog Records
- 0x7bd2c:$string5: do not script -->
- 0x79a5a:$string6: \pidloc.txt
- 0x79ae8:$string7: BSPLIT
- 0x79af8:$string7: BSPLIT
|
14.2.Windows Update.exe.415058.1.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.415058.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.415058.1.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.415058.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.415058.1.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7a10b:$hawkstr1: HawkEye Keylogger
- 0x7af4c:$hawkstr1: HawkEye Keylogger
- 0x7b27b:$hawkstr1: HawkEye Keylogger
- 0x7b3d6:$hawkstr1: HawkEye Keylogger
- 0x7b539:$hawkstr1: HawkEye Keylogger
- 0x7b7d0:$hawkstr1: HawkEye Keylogger
- 0x79c99:$hawkstr2: Dear HawkEye Customers!
- 0x7b2ce:$hawkstr2: Dear HawkEye Customers!
- 0x7b425:$hawkstr2: Dear HawkEye Customers!
- 0x7b58c:$hawkstr2: Dear HawkEye Customers!
- 0x79dba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.2586c92.21.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
14.0.Windows Update.exe.2586c92.21.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.2586c92.21.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.2586c92.21.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
9.0.4.exe.415058.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.415058.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
8.2.5.exe.4843428.10.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
8.2.5.exe.4843428.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.4843428.10.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.4843428.10.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.4843428.10.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.4843428.10.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.4a16408.13.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
14.2.Windows Update.exe.4a16408.13.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.4a16408.13.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4a16408.13.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.4a16408.13.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.4a16408.13.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.4a17e0d.29.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
14.0.Windows Update.exe.4a17e0d.29.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a17e0d.29.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a17e0d.29.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a17e0d.29.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
8.0.5.exe.415058.12.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
8.0.5.exe.415058.12.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.415058.12.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.415058.12.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.415058.12.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.415058.12.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.41ce65.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
8.2.5.exe.41ce65.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.41ce65.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.41ce65.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.41ce65.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.391b065.26.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.15.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.0.Windows Update.exe.415058.15.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.415058.15.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.415058.15.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.415058.15.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.415058.15.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.4978208.17.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
8.2.5.exe.4978208.17.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.4978208.17.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.4978208.17.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.4978208.17.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.4978208.17.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
24.2.WindowsUpdate.exe.491dc72.9.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
18.0.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.36fb065.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.3913258.11.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
14.2.Windows Update.exe.3913258.11.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.3913258.11.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.3913258.11.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.3913258.11.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.2.Windows Update.exe.3913258.11.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
8.0.5.exe.400000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
8.0.5.exe.400000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.0.5.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.0.5.exe.400000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.0.5.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.0.5.exe.400000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
19.0.vbc.exe.400000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.400000.13.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.400000.13.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.400000.13.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.400000.13.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.400000.13.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.400000.13.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x8d363:$hawkstr1: HawkEye Keylogger
- 0x8e1a4:$hawkstr1: HawkEye Keylogger
- 0x8e4d3:$hawkstr1: HawkEye Keylogger
- 0x8e62e:$hawkstr1: HawkEye Keylogger
- 0x8e791:$hawkstr1: HawkEye Keylogger
- 0x8ea28:$hawkstr1: HawkEye Keylogger
- 0x8cef1:$hawkstr2: Dear HawkEye Customers!
- 0x8e526:$hawkstr2: Dear HawkEye Customers!
- 0x8e67d:$hawkstr2: Dear HawkEye Customers!
- 0x8e7e4:$hawkstr2: Dear HawkEye Customers!
- 0x8d012:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.400000.9.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x8ccca:$key: HawkEyeKeylogger
- 0x8ef2c:$salt: 099u787978786
- 0x8d30b:$string1: HawkEye_Keylogger
- 0x8e15e:$string1: HawkEye_Keylogger
- 0x8ee8c:$string1: HawkEye_Keylogger
- 0x8d6f4:$string2: holdermail.txt
- 0x8d714:$string2: holdermail.txt
- 0x8d636:$string3: wallet.dat
- 0x8d64e:$string3: wallet.dat
- 0x8d664:$string3: wallet.dat
- 0x8ea50:$string4: Keylog Records
- 0x8ed68:$string4: Keylog Records
- 0x8ef84:$string5: do not script -->
- 0x8ccb2:$string6: \pidloc.txt
- 0x8cd40:$string7: BSPLIT
- 0x8cd50:$string7: BSPLIT
|
14.0.Windows Update.exe.400000.9.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.400000.9.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.9.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.9.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.9.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x8d363:$hawkstr1: HawkEye Keylogger; 0x8e1a4:$hawkstr1: HawkEye Keylogger; 0x8e4d3:$hawkstr1: HawkEye Keylogger; 0x8e62e:$hawkstr1: HawkEye Keylogger; 0x8e791:$hawkstr1: HawkEye Keylogger; 0x8ea28:$hawkstr1: HawkEye Keylogger; 0x8cef1:$hawkstr2: Dear HawkEye Customers!; 0x8e526:$hawkstr2: Dear HawkEye Customers!; 0x8e67d:$hawkstr2: Dear HawkEye Customers!; 0x8e7e4:$hawkstr2: Dear HawkEye Customers!; 0x8d012:$hawkstr3: HawkEye Logger Details: |
8.2.5.exe.4979c0d.16.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.0.4.exe.400000.11.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.11.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.4a17e0d.51.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a65:$key: HawkEyeKeylogger; 0x75cc7:$salt: 099u787978786; 0x740a6:$string1: HawkEye_Keylogger; 0x74ef9:$string1: HawkEye_Keylogger; 0x75c27:$string1: HawkEye_Keylogger; 0x7448f:$string2: holdermail.txt; 0x744af:$string2: holdermail.txt; 0x743d1:$string3: wallet.dat; 0x743e9:$string3: wallet.dat; 0x743ff:$string3: wallet.dat; 0x757eb:$string4: Keylog Records; 0x75b03:$string4: Keylog Records; 0x75d1f:$string5: do not script -->; 0x73a4d:$string6: \pidloc.txt; 0x73adb:$string7: BSPLIT; 0x73aeb:$string7: BSPLIT |
14.0.Windows Update.exe.4a17e0d.51.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a17e0d.51.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a17e0d.51.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a17e0d.51.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x740fe:$hawkstr1: HawkEye Keylogger; 0x74f3f:$hawkstr1: HawkEye Keylogger; 0x7526e:$hawkstr1: HawkEye Keylogger; 0x753c9:$hawkstr1: HawkEye Keylogger; 0x7552c:$hawkstr1: HawkEye Keylogger; 0x757c3:$hawkstr1: HawkEye Keylogger; 0x73c8c:$hawkstr2: Dear HawkEye Customers!; 0x752c1:$hawkstr2: Dear HawkEye Customers!; 0x75418:$hawkstr2: Dear HawkEye Customers!; 0x7557f:$hawkstr2: Dear HawkEye Customers!; 0x73dad:$hawkstr3: HawkEye Logger Details: |
24.2.WindowsUpdate.exe.36f3258.5.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x79a72:$key: HawkEyeKeylogger; 0x7bcd4:$salt: 099u787978786; 0x7a0b3:$string1: HawkEye_Keylogger; 0x7af06:$string1: HawkEye_Keylogger; 0x7bc34:$string1: HawkEye_Keylogger; 0x7a49c:$string2: holdermail.txt; 0x7a4bc:$string2: holdermail.txt; 0x7a3de:$string3: wallet.dat; 0x7a3f6:$string3: wallet.dat; 0x7a40c:$string3: wallet.dat; 0x7b7f8:$string4: Keylog Records; 0x7bb10:$string4: Keylog Records; 0x7bd2c:$string5: do not script -->; 0x79a5a:$string6: \pidloc.txt; 0x79ae8:$string7: BSPLIT; 0x79af8:$string7: BSPLIT |
24.2.WindowsUpdate.exe.36f3258.5.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
24.2.WindowsUpdate.exe.36f3258.5.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.36f3258.5.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.36f3258.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.36f3258.5.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7a10b:$hawkstr1: HawkEye Keylogger; 0x7af4c:$hawkstr1: HawkEye Keylogger; 0x7b27b:$hawkstr1: HawkEye Keylogger; 0x7b3d6:$hawkstr1: HawkEye Keylogger; 0x7b539:$hawkstr1: HawkEye Keylogger; 0x7b7d0:$hawkstr1: HawkEye Keylogger; 0x79c99:$hawkstr2: Dear HawkEye Customers!; 0x7b2ce:$hawkstr2: Dear HawkEye Customers!; 0x7b425:$hawkstr2: Dear HawkEye Customers!; 0x7b58c:$hawkstr2: Dear HawkEye Customers!; 0x79dba:$hawkstr3: HawkEye Logger Details: |
6.2.4.exe.147a0000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
6.2.4.exe.147a0000.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
8.2.5.exe.364b065.5.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a65:$key: HawkEyeKeylogger; 0x75cc7:$salt: 099u787978786; 0x740a6:$string1: HawkEye_Keylogger; 0x74ef9:$string1: HawkEye_Keylogger; 0x75c27:$string1: HawkEye_Keylogger; 0x7448f:$string2: holdermail.txt; 0x744af:$string2: holdermail.txt; 0x743d1:$string3: wallet.dat; 0x743e9:$string3: wallet.dat; 0x743ff:$string3: wallet.dat; 0x757eb:$string4: Keylog Records; 0x75b03:$string4: Keylog Records; 0x75d1f:$string5: do not script -->; 0x73a4d:$string6: \pidloc.txt; 0x73adb:$string7: BSPLIT; 0x73aeb:$string7: BSPLIT |
8.2.5.exe.364b065.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.364b065.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.364b065.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.364b065.5.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x740fe:$hawkstr1: HawkEye Keylogger; 0x74f3f:$hawkstr1: HawkEye Keylogger; 0x7526e:$hawkstr1: HawkEye Keylogger; 0x753c9:$hawkstr1: HawkEye Keylogger; 0x7552c:$hawkstr1: HawkEye Keylogger; 0x757c3:$hawkstr1: HawkEye Keylogger; 0x73c8c:$hawkstr2: Dear HawkEye Customers!; 0x752c1:$hawkstr2: Dear HawkEye Customers!; 0x75418:$hawkstr2: Dear HawkEye Customers!; 0x7557f:$hawkstr2: Dear HawkEye Customers!; 0x73dad:$hawkstr3: HawkEye Logger Details: |
18.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.1.Windows Update.exe.415058.2.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x79a72:$key: HawkEyeKeylogger; 0x7bcd4:$salt: 099u787978786; 0x7a0b3:$string1: HawkEye_Keylogger; 0x7af06:$string1: HawkEye_Keylogger; 0x7bc34:$string1: HawkEye_Keylogger; 0x7a49c:$string2: holdermail.txt; 0x7a4bc:$string2: holdermail.txt; 0x7a3de:$string3: wallet.dat; 0x7a3f6:$string3: wallet.dat; 0x7a40c:$string3: wallet.dat; 0x7b7f8:$string4: Keylog Records; 0x7bb10:$string4: Keylog Records; 0x7bd2c:$string5: do not script -->; 0x79a5a:$string6: \pidloc.txt; 0x79ae8:$string7: BSPLIT; 0x79af8:$string7: BSPLIT |
14.1.Windows Update.exe.415058.2.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
14.1.Windows Update.exe.415058.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.1.Windows Update.exe.415058.2.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.1.Windows Update.exe.415058.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.1.Windows Update.exe.415058.2.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7a10b:$hawkstr1: HawkEye Keylogger; 0x7af4c:$hawkstr1: HawkEye Keylogger; 0x7b27b:$hawkstr1: HawkEye Keylogger; 0x7b3d6:$hawkstr1: HawkEye Keylogger; 0x7b539:$hawkstr1: HawkEye Keylogger; 0x7b7d0:$hawkstr1: HawkEye Keylogger; 0x79c99:$hawkstr2: Dear HawkEye Customers!; 0x7b2ce:$hawkstr2: Dear HawkEye Customers!; 0x7b425:$hawkstr2: Dear HawkEye Customers!; 0x7b58c:$hawkstr2: Dear HawkEye Customers!; 0x79dba:$hawkstr3: HawkEye Logger Details: |
14.0.Windows Update.exe.76b0000.59.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
9.0.4.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.0.4.exe.400000.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
14.0.Windows Update.exe.41ce65.42.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.5.exe.14809265.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a65:$key: HawkEyeKeylogger; 0x75cc7:$salt: 099u787978786; 0x740a6:$string1: HawkEye_Keylogger; 0x74ef9:$string1: HawkEye_Keylogger; 0x75c27:$string1: HawkEye_Keylogger; 0x7448f:$string2: holdermail.txt; 0x744af:$string2: holdermail.txt; 0x743d1:$string3: wallet.dat; 0x743e9:$string3: wallet.dat; 0x743ff:$string3: wallet.dat; 0x757eb:$string4: Keylog Records; 0x75b03:$string4: Keylog Records; 0x75d1f:$string5: do not script -->; 0x73a4d:$string6: \pidloc.txt; 0x73adb:$string7: BSPLIT; 0x73aeb:$string7: BSPLIT |
4.2.5.exe.14809265.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.5.exe.14809265.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.2.5.exe.14809265.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.5.exe.14809265.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x740fe:$hawkstr1: HawkEye Keylogger; 0x74f3f:$hawkstr1: HawkEye Keylogger; 0x7526e:$hawkstr1: HawkEye Keylogger; 0x753c9:$hawkstr1: HawkEye Keylogger; 0x7552c:$hawkstr1: HawkEye Keylogger; 0x757c3:$hawkstr1: HawkEye Keylogger; 0x73c8c:$hawkstr2: Dear HawkEye Customers!; 0x752c1:$hawkstr2: Dear HawkEye Customers!; 0x75418:$hawkstr2: Dear HawkEye Customers!; 0x7557f:$hawkstr2: Dear HawkEye Customers!; 0x73dad:$hawkstr3: HawkEye Logger Details: |
8.2.5.exe.3643258.7.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b872:$key: HawkEyeKeylogger; 0x7dad4:$salt: 099u787978786; 0x7beb3:$string1: HawkEye_Keylogger; 0x7cd06:$string1: HawkEye_Keylogger; 0x7da34:$string1: HawkEye_Keylogger; 0x7c29c:$string2: holdermail.txt; 0x7c2bc:$string2: holdermail.txt; 0x7c1de:$string3: wallet.dat; 0x7c1f6:$string3: wallet.dat; 0x7c20c:$string3: wallet.dat; 0x7d5f8:$string4: Keylog Records; 0x7d910:$string4: Keylog Records; 0x7db2c:$string5: do not script -->; 0x7b85a:$string6: \pidloc.txt; 0x7b8e8:$string7: BSPLIT; 0x7b8f8:$string7: BSPLIT |
8.2.5.exe.3643258.7.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
8.2.5.exe.3643258.7.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.3643258.7.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.3643258.7.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.3643258.7.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf0b:$hawkstr1: HawkEye Keylogger; 0x7cd4c:$hawkstr1: HawkEye Keylogger; 0x7d07b:$hawkstr1: HawkEye Keylogger; 0x7d1d6:$hawkstr1: HawkEye Keylogger; 0x7d339:$hawkstr1: HawkEye Keylogger; 0x7d5d0:$hawkstr1: HawkEye Keylogger; 0x7ba99:$hawkstr2: Dear HawkEye Customers!; 0x7d0ce:$hawkstr2: Dear HawkEye Customers!; 0x7d225:$hawkstr2: Dear HawkEye Customers!; 0x7d38c:$hawkstr2: Dear HawkEye Customers!; 0x7bbba:$hawkstr3: HawkEye Logger Details: |
14.0.Windows Update.exe.3913258.28.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b872:$key: HawkEyeKeylogger; 0x7dad4:$salt: 099u787978786; 0x7beb3:$string1: HawkEye_Keylogger; 0x7cd06:$string1: HawkEye_Keylogger; 0x7da34:$string1: HawkEye_Keylogger; 0x7c29c:$string2: holdermail.txt; 0x7c2bc:$string2: holdermail.txt; 0x7c1de:$string3: wallet.dat; 0x7c1f6:$string3: wallet.dat; 0x7c20c:$string3: wallet.dat; 0x7d5f8:$string4: Keylog Records; 0x7d910:$string4: Keylog Records; 0x7db2c:$string5: do not script -->; 0x7b85a:$string6: \pidloc.txt; 0x7b8e8:$string7: BSPLIT; 0x7b8f8:$string7: BSPLIT |
14.0.Windows Update.exe.3913258.28.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
14.0.Windows Update.exe.3913258.28.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.3913258.28.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.3913258.28.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.3913258.28.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf0b:$hawkstr1: HawkEye Keylogger; 0x7cd4c:$hawkstr1: HawkEye Keylogger; 0x7d07b:$hawkstr1: HawkEye Keylogger; 0x7d1d6:$hawkstr1: HawkEye Keylogger; 0x7d339:$hawkstr1: HawkEye Keylogger; 0x7d5d0:$hawkstr1: HawkEye Keylogger; 0x7ba99:$hawkstr2: Dear HawkEye Customers!; 0x7d0ce:$hawkstr2: Dear HawkEye Customers!; 0x7d225:$hawkstr2: Dear HawkEye Customers!; 0x7d38c:$hawkstr2: Dear HawkEye Customers!; 0x7bbba:$hawkstr3: HawkEye Logger Details: |
14.0.Windows Update.exe.252f428.44.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7546a:$key: HawkEyeKeylogger; 0x776cc:$salt: 099u787978786; 0x75aab:$string1: HawkEye_Keylogger; 0x768fe:$string1: HawkEye_Keylogger; 0x7762c:$string1: HawkEye_Keylogger; 0x75e94:$string2: holdermail.txt; 0x75eb4:$string2: holdermail.txt; 0x75dd6:$string3: wallet.dat; 0x75dee:$string3: wallet.dat; 0x75e04:$string3: wallet.dat; 0x771f0:$string4: Keylog Records; 0x77508:$string4: Keylog Records; 0x77724:$string5: do not script -->; 0x75452:$string6: \pidloc.txt; 0x754e0:$string7: BSPLIT; 0x754f0:$string7: BSPLIT |
14.0.Windows Update.exe.252f428.44.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
14.0.Windows Update.exe.252f428.44.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.252f428.44.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.252f428.44.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.252f428.44.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x75b03:$hawkstr1: HawkEye Keylogger; 0x76944:$hawkstr1: HawkEye Keylogger; 0x76c73:$hawkstr1: HawkEye Keylogger; 0x76dce:$hawkstr1: HawkEye Keylogger; 0x76f31:$hawkstr1: HawkEye Keylogger; 0x771c8:$hawkstr1: HawkEye Keylogger; 0x75691:$hawkstr2: Dear HawkEye Customers!; 0x76cc6:$hawkstr2: Dear HawkEye Customers!; 0x76e1d:$hawkstr2: Dear HawkEye Customers!; 0x76f84:$hawkstr2: Dear HawkEye Customers!; 0x757b2:$hawkstr3: HawkEye Logger Details: |
24.2.WindowsUpdate.exe.41ce65.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a65:$key: HawkEyeKeylogger; 0x75cc7:$salt: 099u787978786; 0x740a6:$string1: HawkEye_Keylogger; 0x74ef9:$string1: HawkEye_Keylogger; 0x75c27:$string1: HawkEye_Keylogger; 0x7448f:$string2: holdermail.txt; 0x744af:$string2: holdermail.txt; 0x743d1:$string3: wallet.dat; 0x743e9:$string3: wallet.dat; 0x743ff:$string3: wallet.dat; 0x757eb:$string4: Keylog Records; 0x75b03:$string4: Keylog Records; 0x75d1f:$string5: do not script -->; 0x73a4d:$string6: \pidloc.txt; 0x73adb:$string7: BSPLIT; 0x73aeb:$string7: BSPLIT |
24.2.WindowsUpdate.exe.41ce65.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.2.WindowsUpdate.exe.41ce65.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.2.WindowsUpdate.exe.41ce65.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.2.WindowsUpdate.exe.41ce65.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x740fe:$hawkstr1: HawkEye Keylogger; 0x74f3f:$hawkstr1: HawkEye Keylogger; 0x7526e:$hawkstr1: HawkEye Keylogger; 0x753c9:$hawkstr1: HawkEye Keylogger; 0x7552c:$hawkstr1: HawkEye Keylogger; 0x757c3:$hawkstr1: HawkEye Keylogger; 0x73c8c:$hawkstr2: Dear HawkEye Customers!; 0x752c1:$hawkstr2: Dear HawkEye Customers!; 0x75418:$hawkstr2: Dear HawkEye Customers!; 0x7557f:$hawkstr2: Dear HawkEye Customers!; 0x73dad:$hawkstr3: HawkEye Logger Details: |
14.0.Windows Update.exe.2586c92.45.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.41.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x8ccca:$key: HawkEyeKeylogger; 0x8ef2c:$salt: 099u787978786; 0x8d30b:$string1: HawkEye_Keylogger; 0x8e15e:$string1: HawkEye_Keylogger; 0x8ee8c:$string1: HawkEye_Keylogger; 0x8d6f4:$string2: holdermail.txt; 0x8d714:$string2: holdermail.txt; 0x8d636:$string3: wallet.dat; 0x8d64e:$string3: wallet.dat; 0x8d664:$string3: wallet.dat; 0x8ea50:$string4: Keylog Records; 0x8ed68:$string4: Keylog Records; 0x8ef84:$string5: do not script -->; 0x8ccb2:$string6: \pidloc.txt; 0x8cd40:$string7: BSPLIT; 0x8cd50:$string7: BSPLIT |
14.0.Windows Update.exe.400000.41.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
14.0.Windows Update.exe.400000.41.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.400000.41.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.400000.41.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.400000.41.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x8d363:$hawkstr1: HawkEye Keylogger; 0x8e1a4:$hawkstr1: HawkEye Keylogger; 0x8e4d3:$hawkstr1: HawkEye Keylogger; 0x8e62e:$hawkstr1: HawkEye Keylogger; 0x8e791:$hawkstr1: HawkEye Keylogger; 0x8ea28:$hawkstr1: HawkEye Keylogger; 0x8cef1:$hawkstr2: Dear HawkEye Customers!; 0x8e526:$hawkstr2: Dear HawkEye Customers!; 0x8e67d:$hawkstr2: Dear HawkEye Customers!; 0x8e7e4:$hawkstr2: Dear HawkEye Customers!; 0x8d012:$hawkstr3: HawkEye Logger Details: |
22.2.WindowsUpdate.exe.147a0000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x890ca:$key: HawkEyeKeylogger; 0x8b32c:$salt: 099u787978786; 0x8970b:$string1: HawkEye_Keylogger; 0x8a55e:$string1: HawkEye_Keylogger; 0x8b28c:$string1: HawkEye_Keylogger; 0x89af4:$string2: holdermail.txt; 0x89b14:$string2: holdermail.txt; 0x89a36:$string3: wallet.dat; 0x89a4e:$string3: wallet.dat; 0x89a64:$string3: wallet.dat; 0x8ae50:$string4: Keylog Records; 0x8b168:$string4: Keylog Records; 0x8b384:$string5: do not script -->; 0x890b2:$string6: \pidloc.txt; 0x89140:$string7: BSPLIT; 0x89150:$string7: BSPLIT |
22.2.WindowsUpdate.exe.147a0000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x14c7b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
22.2.WindowsUpdate.exe.147a0000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.2.WindowsUpdate.exe.147a0000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
22.2.WindowsUpdate.exe.147a0000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
22.2.WindowsUpdate.exe.147a0000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x89763:$hawkstr1: HawkEye Keylogger; 0x8a5a4:$hawkstr1: HawkEye Keylogger; 0x8a8d3:$hawkstr1: HawkEye Keylogger; 0x8aa2e:$hawkstr1: HawkEye Keylogger; 0x8ab91:$hawkstr1: HawkEye Keylogger; 0x8ae28:$hawkstr1: HawkEye Keylogger; 0x892f1:$hawkstr2: Dear HawkEye Customers!; 0x8a926:$hawkstr2: Dear HawkEye Customers!; 0x8aa7d:$hawkstr2: Dear HawkEye Customers!; 0x8abe4:$hawkstr2: Dear HawkEye Customers!; 0x89412:$hawkstr3: HawkEye Logger Details: |
7.2.21.exe.400000.0.raw.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security | |
18.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.2.Windows Update.exe.4affa72.19.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.415058.10.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x79a72:$key: HawkEyeKeylogger; 0x7bcd4:$salt: 099u787978786; 0x7a0b3:$string1: HawkEye_Keylogger; 0x7af06:$string1: HawkEye_Keylogger; 0x7bc34:$string1: HawkEye_Keylogger; 0x7a49c:$string2: holdermail.txt; 0x7a4bc:$string2: holdermail.txt; 0x7a3de:$string3: wallet.dat; 0x7a3f6:$string3: wallet.dat; 0x7a40c:$string3: wallet.dat; 0x7b7f8:$string4: Keylog Records; 0x7bb10:$string4: Keylog Records; 0x7bd2c:$string5: do not script -->; 0x79a5a:$string6: \pidloc.txt; 0x79ae8:$string7: BSPLIT; 0x79af8:$string7: BSPLIT |
24.0.WindowsUpdate.exe.415058.10.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
24.0.WindowsUpdate.exe.415058.10.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.415058.10.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.415058.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.415058.10.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7a10b:$hawkstr1: HawkEye Keylogger; 0x7af4c:$hawkstr1: HawkEye Keylogger; 0x7b27b:$hawkstr1: HawkEye Keylogger; 0x7b3d6:$hawkstr1: HawkEye Keylogger; 0x7b539:$hawkstr1: HawkEye Keylogger; 0x7b7d0:$hawkstr1: HawkEye Keylogger; 0x79c99:$hawkstr2: Dear HawkEye Customers!; 0x7b2ce:$hawkstr2: Dear HawkEye Customers!; 0x7b425:$hawkstr2: Dear HawkEye Customers!; 0x7b58c:$hawkstr2: Dear HawkEye Customers!; 0x79dba:$hawkstr3: HawkEye Logger Details: |
8.2.5.exe.364b065.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.391b065.49.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
9.2.4.exe.7349b8.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
9.2.4.exe.7349b8.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
19.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a10000.53.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7b872:$key: HawkEyeKeylogger; 0x7dad4:$salt: 099u787978786; 0x7beb3:$string1: HawkEye_Keylogger; 0x7cd06:$string1: HawkEye_Keylogger; 0x7da34:$string1: HawkEye_Keylogger; 0x7c29c:$string2: holdermail.txt; 0x7c2bc:$string2: holdermail.txt; 0x7c1de:$string3: wallet.dat; 0x7c1f6:$string3: wallet.dat; 0x7c20c:$string3: wallet.dat; 0x7d5f8:$string4: Keylog Records; 0x7d910:$string4: Keylog Records; 0x7db2c:$string5: do not script -->; 0x7b85a:$string6: \pidloc.txt; 0x7b8e8:$string7: BSPLIT; 0x7b8f8:$string7: BSPLIT |
14.0.Windows Update.exe.4a10000.53.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
14.0.Windows Update.exe.4a10000.53.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a10000.53.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a10000.53.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a10000.53.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x7bf0b:$hawkstr1: HawkEye Keylogger; 0x7cd4c:$hawkstr1: HawkEye Keylogger; 0x7d07b:$hawkstr1: HawkEye Keylogger; 0x7d1d6:$hawkstr1: HawkEye Keylogger; 0x7d339:$hawkstr1: HawkEye Keylogger; 0x7d5d0:$hawkstr1: HawkEye Keylogger; 0x7ba99:$hawkstr2: Dear HawkEye Customers!; 0x7d0ce:$hawkstr2: Dear HawkEye Customers!; 0x7d225:$hawkstr2: Dear HawkEye Customers!; 0x7d38c:$hawkstr2: Dear HawkEye Customers!; 0x7bbba:$hawkstr3: HawkEye Logger Details: |
8.2.5.exe.48d7e0d.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a16408.31.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7546a:$key: HawkEyeKeylogger; 0x776cc:$salt: 099u787978786; 0x75aab:$string1: HawkEye_Keylogger; 0x768fe:$string1: HawkEye_Keylogger; 0x7762c:$string1: HawkEye_Keylogger; 0x75e94:$string2: holdermail.txt; 0x75eb4:$string2: holdermail.txt; 0x75dd6:$string3: wallet.dat; 0x75dee:$string3: wallet.dat; 0x75e04:$string3: wallet.dat; 0x771f0:$string4: Keylog Records; 0x77508:$string4: Keylog Records; 0x77724:$string5: do not script -->; 0x75452:$string6: \pidloc.txt; 0x754e0:$string7: BSPLIT; 0x754f0:$string7: BSPLIT |
14.0.Windows Update.exe.4a16408.31.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
14.0.Windows Update.exe.4a16408.31.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.4a16408.31.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.4a16408.31.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.4a16408.31.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x75b03:$hawkstr1: HawkEye Keylogger; 0x76944:$hawkstr1: HawkEye Keylogger; 0x76c73:$hawkstr1: HawkEye Keylogger; 0x76dce:$hawkstr1: HawkEye Keylogger; 0x76f31:$hawkstr1: HawkEye Keylogger; 0x771c8:$hawkstr1: HawkEye Keylogger; 0x75691:$hawkstr2: Dear HawkEye Customers!; 0x76cc6:$hawkstr2: Dear HawkEye Customers!; 0x76e1d:$hawkstr2: Dear HawkEye Customers!; 0x76f84:$hawkstr2: Dear HawkEye Customers!; 0x757b2:$hawkstr3: HawkEye Logger Details: |
24.2.WindowsUpdate.exe.4959c0d.12.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.2530e2d.43.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a65:$key: HawkEyeKeylogger; 0x75cc7:$salt: 099u787978786; 0x740a6:$string1: HawkEye_Keylogger; 0x74ef9:$string1: HawkEye_Keylogger; 0x75c27:$string1: HawkEye_Keylogger; 0x7448f:$string2: holdermail.txt; 0x744af:$string2: holdermail.txt; 0x743d1:$string3: wallet.dat; 0x743e9:$string3: wallet.dat; 0x743ff:$string3: wallet.dat; 0x757eb:$string4: Keylog Records; 0x75b03:$string4: Keylog Records; 0x75d1f:$string5: do not script -->; 0x73a4d:$string6: \pidloc.txt; 0x73adb:$string7: BSPLIT; 0x73aeb:$string7: BSPLIT |
14.0.Windows Update.exe.2530e2d.43.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
14.0.Windows Update.exe.2530e2d.43.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.2530e2d.43.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
14.0.Windows Update.exe.2530e2d.43.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x740fe:$hawkstr1: HawkEye Keylogger; 0x74f3f:$hawkstr1: HawkEye Keylogger; 0x7526e:$hawkstr1: HawkEye Keylogger; 0x753c9:$hawkstr1: HawkEye Keylogger; 0x7552c:$hawkstr1: HawkEye Keylogger; 0x757c3:$hawkstr1: HawkEye Keylogger; 0x73c8c:$hawkstr2: Dear HawkEye Customers!; 0x752c1:$hawkstr2: Dear HawkEye Customers!; 0x75418:$hawkstr2: Dear HawkEye Customers!; 0x7557f:$hawkstr2: Dear HawkEye Customers!; 0x73dad:$hawkstr3: HawkEye Logger Details: |
24.0.WindowsUpdate.exe.400000.9.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x8ccca:$key: HawkEyeKeylogger; 0x8ef2c:$salt: 099u787978786; 0x8d30b:$string1: HawkEye_Keylogger; 0x8e15e:$string1: HawkEye_Keylogger; 0x8ee8c:$string1: HawkEye_Keylogger; 0x8d6f4:$string2: holdermail.txt; 0x8d714:$string2: holdermail.txt; 0x8d636:$string3: wallet.dat; 0x8d64e:$string3: wallet.dat; 0x8d664:$string3: wallet.dat; 0x8ea50:$string4: Keylog Records; 0x8ed68:$string4: Keylog Records; 0x8ef84:$string5: do not script -->; 0x8ccb2:$string6: \pidloc.txt; 0x8cd40:$string7: BSPLIT; 0x8cd50:$string7: BSPLIT |
24.0.WindowsUpdate.exe.400000.9.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x1887b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
24.0.WindowsUpdate.exe.400000.9.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.400000.9.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.400000.9.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.400000.9.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x8d363:$hawkstr1: HawkEye Keylogger; 0x8e1a4:$hawkstr1: HawkEye Keylogger; 0x8e4d3:$hawkstr1: HawkEye Keylogger; 0x8e62e:$hawkstr1: HawkEye Keylogger; 0x8e791:$hawkstr1: HawkEye Keylogger; 0x8ea28:$hawkstr1: HawkEye Keylogger; 0x8cef1:$hawkstr2: Dear HawkEye Customers!; 0x8e526:$hawkstr2: Dear HawkEye Customers!; 0x8e67d:$hawkstr2: Dear HawkEye Customers!; 0x8e7e4:$hawkstr2: Dear HawkEye Customers!; 0x8d012:$hawkstr3: HawkEye Logger Details: |
22.2.WindowsUpdate.exe.147b9265.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x73a65:$key: HawkEyeKeylogger; 0x75cc7:$salt: 099u787978786; 0x740a6:$string1: HawkEye_Keylogger; 0x74ef9:$string1: HawkEye_Keylogger; 0x75c27:$string1: HawkEye_Keylogger; 0x7448f:$string2: holdermail.txt; 0x744af:$string2: holdermail.txt; 0x743d1:$string3: wallet.dat; 0x743e9:$string3: wallet.dat; 0x743ff:$string3: wallet.dat; 0x757eb:$string4: Keylog Records; 0x75b03:$string4: Keylog Records; 0x75d1f:$string5: do not script -->; 0x73a4d:$string6: \pidloc.txt; 0x73adb:$string7: BSPLIT; 0x73aeb:$string7: BSPLIT |
22.2.WindowsUpdate.exe.147b9265.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
22.2.WindowsUpdate.exe.147b9265.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
22.2.WindowsUpdate.exe.147b9265.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
22.2.WindowsUpdate.exe.147b9265.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x740fe:$hawkstr1: HawkEye Keylogger; 0x74f3f:$hawkstr1: HawkEye Keylogger; 0x7526e:$hawkstr1: HawkEye Keylogger; 0x753c9:$hawkstr1: HawkEye Keylogger; 0x7552c:$hawkstr1: HawkEye Keylogger; 0x757c3:$hawkstr1: HawkEye Keylogger; 0x73c8c:$hawkstr2: Dear HawkEye Customers!; 0x752c1:$hawkstr2: Dear HawkEye Customers!; 0x75418:$hawkstr2: Dear HawkEye Customers!; 0x7557f:$hawkstr2: Dear HawkEye Customers!; 0x73dad:$hawkstr3: HawkEye Logger Details: |
24.0.WindowsUpdate.exe.41b460.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
24.0.WindowsUpdate.exe.41b460.14.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
24.0.WindowsUpdate.exe.41b460.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
24.0.WindowsUpdate.exe.41b460.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
24.0.WindowsUpdate.exe.41b460.14.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
24.0.WindowsUpdate.exe.41b460.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
8.2.5.exe.48d0000.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
8.2.5.exe.48d0000.14.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
8.2.5.exe.48d0000.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
8.2.5.exe.48d0000.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
8.2.5.exe.48d0000.14.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
8.2.5.exe.48d0000.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
14.0.Windows Update.exe.295a584.24.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.2939110.25.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x53a4:$key: HawkEyeKeylogger
- 0x5ca0:$salt: 099u787978786
- 0x1a4b0:$string1: HawkEye_Keylogger
- 0x21178:$string1: HawkEye_Keylogger
- 0x1eab0:$string2: holdermail.txt
- 0x1eae0:$string2: holdermail.txt
- 0x1b96a:$string3: wallet.dat
- 0x1b992:$string3: wallet.dat
- 0x1b9b8:$string3: wallet.dat
- 0x1cde8:$string4: Keylog Records
- 0x1d11e:$string4: Keylog Records
- 0xa304:$string5: do not script -->
- 0x537c:$string6: \pidloc.txt
- 0x5484:$string7: BSPLIT
- 0x54a4:$string7: BSPLIT
|
14.0.Windows Update.exe.2939110.25.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x2248f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.0.Windows Update.exe.2939110.25.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.0.Windows Update.exe.2939110.25.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1a540:$hawkstr1: HawkEye Keylogger
- 0x1bc08:$hawkstr1: HawkEye Keylogger
- 0x1bfa0:$hawkstr1: HawkEye Keylogger
- 0x1cdc0:$hawkstr1: HawkEye Keylogger
- 0x211d0:$hawkstr1: HawkEye Keylogger
- 0x23984:$hawkstr1: HawkEye Keylogger
- 0x19fb8:$hawkstr2: Dear HawkEye Customers!
- 0x1bc6c:$hawkstr2: Dear HawkEye Customers!
- 0x1c004:$hawkstr2: Dear HawkEye Customers!
- 0x239e4:$hawkstr2: Dear HawkEye Customers!
- 0x1a0ea:$hawkstr3: HawkEye Logger Details:
|
14.2.Windows Update.exe.2939110.7.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x53a4:$key: HawkEyeKeylogger
- 0x5ca0:$salt: 099u787978786
- 0x1a150:$string1: HawkEye_Keylogger
- 0x20c4c:$string1: HawkEye_Keylogger
- 0x1e638:$string2: holdermail.txt
- 0x1e668:$string2: holdermail.txt
- 0x1b57e:$string3: wallet.dat
- 0x1b5a6:$string3: wallet.dat
- 0x1b5cc:$string3: wallet.dat
- 0x1c9c4:$string4: Keylog Records
- 0x1ccfa:$string4: Keylog Records
- 0xa304:$string5: do not script -->
- 0x537c:$string6: \pidloc.txt
- 0x5484:$string7: BSPLIT
- 0x54a4:$string7: BSPLIT
|
14.2.Windows Update.exe.2939110.7.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x21f63:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
14.2.Windows Update.exe.2939110.7.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
14.2.Windows Update.exe.2939110.7.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1a1e0:$hawkstr1: HawkEye Keylogger
- 0x1b7e4:$hawkstr1: HawkEye Keylogger
- 0x1bb7c:$hawkstr1: HawkEye Keylogger
- 0x1c99c:$hawkstr1: HawkEye Keylogger
- 0x20ca4:$hawkstr1: HawkEye Keylogger
- 0x23144:$hawkstr1: HawkEye Keylogger
- 0x19c58:$hawkstr2: Dear HawkEye Customers!
- 0x1b848:$hawkstr2: Dear HawkEye Customers!
- 0x1bbe0:$hawkstr2: Dear HawkEye Customers!
- 0x231a4:$hawkstr2: Dear HawkEye Customers!
- 0x19d8a:$hawkstr3: HawkEye Logger Details:
|