| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 22.3.images.exe.14b3768.4.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 22.3.images.exe.14b3768.4.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xb18:$c1: Elevation:Administrator!new: |
| 22.3.images.exe.14b3768.4.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 22.3.images.exe.14b4d00.6.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 22.3.images.exe.14b4d00.6.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new: |
| 12.2.warz.exe.2fef490.3.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 12.2.warz.exe.2fef490.3.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new: |
| 22.3.images.exe.14b4d00.6.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 12.2.warz.exe.2fef490.3.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 12.3.warz.exe.da4e20.6.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 12.3.warz.exe.da4e20.6.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new: |
| 12.3.warz.exe.da4e20.6.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 19.2.hawkstartup.exe.52fa72.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 19.0.hawkstartup.exe.52fa72.11.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 26.0.ori2.0dec23sta.exe.d0000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 26.0.ori2.0dec23sta.exe.d0000.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x17ff0:$c1: Elevation:Administrator!new: |
| 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x138e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x13558:$a3: \Google\Chrome\User Data\Default\Login Data |
| 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack | AveMaria_WarZone | unknown | unknown | 0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1580c:$str2: MsgBox.exe<br>0x15a9c:$str4: \System32\cmd.exe<br>0x156e0:$str6: Ave_Maria<br>0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14278:$str8: SMTP Password<br>0x13558:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x14f44:$str12: \sqlmap.dll<br>0x17ff0:$str16: Elevation:Administrator!new<br>0x18110:$str17: /n:%temp% |
| 15.2.cmd.exe.32a8470.0.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 15.2.cmd.exe.32a8470.0.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new: |
| 12.0.warz.exe.1020000.6.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 15.2.cmd.exe.32a8470.0.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 12.0.warz.exe.1020000.6.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x191f0:$c1: Elevation:Administrator!new: |
| 12.0.warz.exe.1020000.6.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x144e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x14158:$a3: \Google\Chrome\User Data\Default\Login Data |
| 12.0.warz.exe.1020000.6.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 12.0.warz.exe.1020000.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 12.0.warz.exe.1020000.6.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 12.0.warz.exe.1020000.6.unpack | AveMaria_WarZone | unknown | unknown | 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1640c:$str2: MsgBox.exe<br>0x1669c:$str4: \System32\cmd.exe<br>0x162e0:$str6: Ave_Maria<br>0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14e78:$str8: SMTP Password<br>0x14158:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x15b44:$str12: \sqlmap.dll<br>0x191f0:$str16: Elevation:Administrator!new<br>0x19310:$str17: /n:%temp% |
| 12.2.warz.exe.1020000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 12.2.warz.exe.1020000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x191f0:$c1: Elevation:Administrator!new: |
| 12.2.warz.exe.1020000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x144e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x14158:$a3: \Google\Chrome\User Data\Default\Login Data |
| 12.2.warz.exe.1020000.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 12.2.warz.exe.1020000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 12.2.warz.exe.1020000.0.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 12.2.warz.exe.1020000.0.unpack | AveMaria_WarZone | unknown | unknown | 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1640c:$str2: MsgBox.exe<br>0x1669c:$str4: \System32\cmd.exe<br>0x162e0:$str6: Ave_Maria<br>0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14e78:$str8: SMTP Password<br>0x14158:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x15b44:$str12: \sqlmap.dll<br>0x191f0:$str16: Elevation:Administrator!new<br>0x19310:$str17: /n:%temp% |
| 19.0.hawkstartup.exe.52fa72.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dc00:$key: HawkEyeKeylogger<br>0x1fe62:$salt: 099u787978786<br>0x1e241:$string1: HawkEye_Keylogger<br>0x1f094:$string1: HawkEye_Keylogger<br>0x1fdc2:$string1: HawkEye_Keylogger<br>0x1e62a:$string2: holdermail.txt<br>0x1e64a:$string2: holdermail.txt<br>0x1e56c:$string3: wallet.dat<br>0x1e584:$string3: wallet.dat<br>0x1e59a:$string3: wallet.dat<br>0x1f986:$string4: Keylog Records<br>0x1fc9e:$string4: Keylog Records<br>0x1feba:$string5: do not script --><br>0x1dbe8:$string6: \pidloc.txt<br>0x1dc76:$string7: BSPLIT<br>0x1dc86:$string7: BSPLIT |
| 19.0.hawkstartup.exe.52fa72.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 19.0.hawkstartup.exe.52fa72.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 19.0.hawkstartup.exe.52fa72.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e299:$hawkstr1: HawkEye Keylogger<br>0x1f0da:$hawkstr1: HawkEye Keylogger<br>0x1f409:$hawkstr1: HawkEye Keylogger<br>0x1f564:$hawkstr1: HawkEye Keylogger<br>0x1f6c7:$hawkstr1: HawkEye Keylogger<br>0x1f95e:$hawkstr1: HawkEye Keylogger<br>0x1de27:$hawkstr2: Dear HawkEye Customers!<br>0x1f45c:$hawkstr2: Dear HawkEye Customers!<br>0x1f5b3:$hawkstr2: Dear HawkEye Customers!<br>0x1f71a:$hawkstr2: Dear HawkEye Customers!<br>0x1df48:$hawkstr3: HawkEye Logger Details: |
| 19.0.hawkstartup.exe.4d9c0d.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 12.3.warz.exe.da2018.3.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x3b88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 12.3.warz.exe.da2018.3.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x3b88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new:<br>0x3b88:$c1: Elevation:Administrator!new: |
| 12.3.warz.exe.da2018.3.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 22.0.images.exe.330000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 22.0.images.exe.330000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x191f0:$c1: Elevation:Administrator!new: |
| 22.0.images.exe.330000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x144e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x14158:$a3: \Google\Chrome\User Data\Default\Login Data |
| 22.0.images.exe.330000.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 22.0.images.exe.330000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 22.0.images.exe.330000.0.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 22.0.images.exe.330000.0.unpack | AveMaria_WarZone | unknown | unknown | 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1640c:$str2: MsgBox.exe<br>0x1669c:$str4: \System32\cmd.exe<br>0x162e0:$str6: Ave_Maria<br>0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14e78:$str8: SMTP Password<br>0x14158:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x15b44:$str12: \sqlmap.dll<br>0x191f0:$str16: Elevation:Administrator!new<br>0x19310:$str17: /n:%temp% |
| 15.2.cmd.exe.3290000.2.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 15.2.cmd.exe.3290000.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x191f0:$c1: Elevation:Administrator!new: |
| 15.2.cmd.exe.3290000.2.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x144e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x14158:$a3: \Google\Chrome\User Data\Default\Login Data |
| 15.2.cmd.exe.3290000.2.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 15.2.cmd.exe.3290000.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 15.2.cmd.exe.3290000.2.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 15.2.cmd.exe.3290000.2.raw.unpack | AveMaria_WarZone | unknown | unknown | 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1640c:$str2: MsgBox.exe<br>0x1669c:$str4: \System32\cmd.exe<br>0x162e0:$str6: Ave_Maria<br>0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14e78:$str8: SMTP Password<br>0x14158:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x15b44:$str12: \sqlmap.dll<br>0x191f0:$str16: Elevation:Administrator!new<br>0x19310:$str17: /n:%temp% |
| 26.0.ori2.0dec23sta.exe.d0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 26.0.ori2.0dec23sta.exe.d0000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x17ff0:$c1: Elevation:Administrator!new: |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x138e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x13558:$a3: \Google\Chrome\User Data\Default\Login Data |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack | AveMaria_WarZone | unknown | unknown | 0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1580c:$str2: MsgBox.exe<br>0x15a9c:$str4: \System32\cmd.exe<br>0x156e0:$str6: Ave_Maria<br>0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14278:$str8: SMTP Password<br>0x13558:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x14f44:$str12: \sqlmap.dll<br>0x17ff0:$str16: Elevation:Administrator!new<br>0x18110:$str17: /n:%temp% |
| 11.0.bin.exe.880000.2.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 11.0.bin.exe.880000.2.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x191f0:$c1: Elevation:Administrator!new: |
| 11.0.bin.exe.880000.2.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x144e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x14158:$a3: \Google\Chrome\User Data\Default\Login Data |
| 11.0.bin.exe.880000.2.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 11.0.bin.exe.880000.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 11.0.bin.exe.880000.2.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 11.0.bin.exe.880000.2.unpack | AveMaria_WarZone | unknown | unknown | 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1640c:$str2: MsgBox.exe<br>0x1669c:$str4: \System32\cmd.exe<br>0x162e0:$str6: Ave_Maria<br>0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14e78:$str8: SMTP Password<br>0x14158:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x15b44:$str12: \sqlmap.dll<br>0x191f0:$str16: Elevation:Administrator!new<br>0x19310:$str17: /n:%temp% |
| 19.0.hawkstartup.exe.52fa72.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new: |
| 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 22.3.images.exe.14ab2f0.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x6d88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x9b90:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 22.3.images.exe.14ab2f0.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x6d88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x9b90:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x6d88:$c1: Elevation:Administrator!new:<br>0x9b90:$c1: Elevation:Administrator!new: |
| 22.3.images.exe.14ab2f0.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 19.2.hawkstartup.exe.52fa72.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dc00:$key: HawkEyeKeylogger<br>0x1fe62:$salt: 099u787978786<br>0x1e241:$string1: HawkEye_Keylogger<br>0x1f094:$string1: HawkEye_Keylogger<br>0x1fdc2:$string1: HawkEye_Keylogger<br>0x1e62a:$string2: holdermail.txt<br>0x1e64a:$string2: holdermail.txt<br>0x1e56c:$string3: wallet.dat<br>0x1e584:$string3: wallet.dat<br>0x1e59a:$string3: wallet.dat<br>0x1f986:$string4: Keylog Records<br>0x1fc9e:$string4: Keylog Records<br>0x1feba:$string5: do not script --><br>0x1dbe8:$string6: \pidloc.txt<br>0x1dc76:$string7: BSPLIT<br>0x1dc86:$string7: BSPLIT |
| 19.2.hawkstartup.exe.52fa72.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 19.2.hawkstartup.exe.52fa72.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 19.2.hawkstartup.exe.52fa72.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e299:$hawkstr1: HawkEye Keylogger<br>0x1f0da:$hawkstr1: HawkEye Keylogger<br>0x1f409:$hawkstr1: HawkEye Keylogger<br>0x1f564:$hawkstr1: HawkEye Keylogger<br>0x1f6c7:$hawkstr1: HawkEye Keylogger<br>0x1f95e:$hawkstr1: HawkEye Keylogger<br>0x1de27:$hawkstr2: Dear HawkEye Customers!<br>0x1f45c:$hawkstr2: Dear HawkEye Customers!<br>0x1f5b3:$hawkstr2: Dear HawkEye Customers!<br>0x1f71a:$hawkstr2: Dear HawkEye Customers!<br>0x1df48:$hawkstr3: HawkEye Logger Details: |
| 11.0.bin.exe.880000.6.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 11.0.bin.exe.880000.6.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x191f0:$c1: Elevation:Administrator!new: |
| 11.0.bin.exe.880000.6.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x144e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x14158:$a3: \Google\Chrome\User Data\Default\Login Data |
| 11.0.bin.exe.880000.6.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 11.0.bin.exe.880000.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 11.0.bin.exe.880000.6.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 11.0.bin.exe.880000.6.unpack | AveMaria_WarZone | unknown | unknown | 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1640c:$str2: MsgBox.exe<br>0x1669c:$str4: \System32\cmd.exe<br>0x162e0:$str6: Ave_Maria<br>0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14e78:$str8: SMTP Password<br>0x14158:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x15b44:$str12: \sqlmap.dll<br>0x191f0:$str16: Elevation:Administrator!new<br>0x19310:$str17: /n:%temp% |
| 11.3.bin.exe.10e5118.8.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 11.3.bin.exe.10e5118.8.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x2318:$c1: Elevation:Administrator!new: |
| 11.3.bin.exe.10e5118.8.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 22.3.images.exe.14b4d00.8.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 22.3.images.exe.14b4d00.8.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new: |
| 22.3.images.exe.14b4d00.8.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 11.3.bin.exe.10e5118.8.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 11.3.bin.exe.10e5118.8.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xb18:$c1: Elevation:Administrator!new: |
| 11.3.bin.exe.10e5118.8.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 19.0.hawkstartup.exe.52fa72.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x1dc00:$key: HawkEyeKeylogger<br>0x1fe62:$salt: 099u787978786<br>0x1e241:$string1: HawkEye_Keylogger<br>0x1f094:$string1: HawkEye_Keylogger<br>0x1fdc2:$string1: HawkEye_Keylogger<br>0x1e62a:$string2: holdermail.txt<br>0x1e64a:$string2: holdermail.txt<br>0x1e56c:$string3: wallet.dat<br>0x1e584:$string3: wallet.dat<br>0x1e59a:$string3: wallet.dat<br>0x1f986:$string4: Keylog Records<br>0x1fc9e:$string4: Keylog Records<br>0x1feba:$string5: do not script --><br>0x1dbe8:$string6: \pidloc.txt<br>0x1dc76:$string7: BSPLIT<br>0x1dc86:$string7: BSPLIT |
| 19.0.hawkstartup.exe.52fa72.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 19.0.hawkstartup.exe.52fa72.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 19.0.hawkstartup.exe.52fa72.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x1e299:$hawkstr1: HawkEye Keylogger<br>0x1f0da:$hawkstr1: HawkEye Keylogger<br>0x1f409:$hawkstr1: HawkEye Keylogger<br>0x1f564:$hawkstr1: HawkEye Keylogger<br>0x1f6c7:$hawkstr1: HawkEye Keylogger<br>0x1f95e:$hawkstr1: HawkEye Keylogger<br>0x1de27:$hawkstr2: Dear HawkEye Customers!<br>0x1f45c:$hawkstr2: Dear HawkEye Customers!<br>0x1f5b3:$hawkstr2: Dear HawkEye Customers!<br>0x1f71a:$hawkstr2: Dear HawkEye Customers!<br>0x1df48:$hawkstr3: HawkEye Logger Details: |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x17ff0:$c1: Elevation:Administrator!new: |
| 11.2.bin.exe.309d490.3.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 11.0.bin.exe.880000.4.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 11.0.bin.exe.880000.4.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x191f0:$c1: Elevation:Administrator!new: |
| 11.0.bin.exe.880000.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x144e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x14158:$a3: \Google\Chrome\User Data\Default\Login Data |
| 11.2.bin.exe.309d490.3.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new: |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | 0x138e8:$a1: \Opera Software\Opera Stable\Login Data<br>0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data<br>0x13558:$a3: \Google\Chrome\User Data\Default\Login Data |
| 11.0.bin.exe.880000.4.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 11.0.bin.exe.880000.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| 11.0.bin.exe.880000.4.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack | AveMaria_WarZone | unknown | unknown | 0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1580c:$str2: MsgBox.exe<br>0x15a9c:$str4: \System32\cmd.exe<br>0x156e0:$str6: Ave_Maria<br>0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14278:$str8: SMTP Password<br>0x13558:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x14f44:$str12: \sqlmap.dll<br>0x17ff0:$str16: Elevation:Administrator!new<br>0x18110:$str17: /n:%temp% |
| 11.2.bin.exe.309d490.3.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 11.0.bin.exe.880000.4.unpack | AveMaria_WarZone | unknown | unknown | 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q<br>0x1640c:$str2: MsgBox.exe<br>0x1669c:$str4: \System32\cmd.exe<br>0x162e0:$str6: Ave_Maria<br>0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<br>0x14e78:$str8: SMTP Password<br>0x14158:$str11: \Google\Chrome\User Data\Default\Login Data<br>0x15b44:$str12: \sqlmap.dll<br>0x191f0:$str16: Elevation:Administrator!new<br>0x19310:$str17: /n:%temp% |
| 22.3.images.exe.14b3768.1.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 22.3.images.exe.14b3768.1.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x2318:$c1: Elevation:Administrator!new: |
| 22.3.images.exe.14b3768.1.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 22.3.images.exe.14b1ef8.2.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x3b88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 22.3.images.exe.14b1ef8.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x3b88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new:<br>0x3b88:$c1: Elevation:Administrator!new: |
| 22.3.images.exe.14b1ef8.2.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 19.0.hawkstartup.exe.4d8208.7.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | 0x7546a:$key: HawkEyeKeylogger<br>0x776cc:$salt: 099u787978786<br>0x75aab:$string1: HawkEye_Keylogger<br>0x768fe:$string1: HawkEye_Keylogger<br>0x7762c:$string1: HawkEye_Keylogger<br>0x75e94:$string2: holdermail.txt<br>0x75eb4:$string2: holdermail.txt<br>0x75dd6:$string3: wallet.dat<br>0x75dee:$string3: wallet.dat<br>0x75e04:$string3: wallet.dat<br>0x771f0:$string4: Keylog Records<br>0x77508:$string4: Keylog Records<br>0x77724:$string5: do not script --><br>0x75452:$string6: \pidloc.txt<br>0x754e0:$string7: BSPLIT<br>0x754f0:$string7: BSPLIT |
| 19.0.hawkstartup.exe.4d8208.7.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df |
| 19.0.hawkstartup.exe.4d8208.7.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| 19.0.hawkstartup.exe.4d8208.7.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
| 19.0.hawkstartup.exe.4d8208.7.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| 19.0.hawkstartup.exe.4d8208.7.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | 0x75b03:$hawkstr1: HawkEye Keylogger<br>0x76944:$hawkstr1: HawkEye Keylogger<br>0x76c73:$hawkstr1: HawkEye Keylogger<br>0x76dce:$hawkstr1: HawkEye Keylogger<br>0x76f31:$hawkstr1: HawkEye Keylogger<br>0x771c8:$hawkstr1: HawkEye Keylogger<br>0x75691:$hawkstr2: Dear HawkEye Customers!<br>0x76cc6:$hawkstr2: Dear HawkEye Customers!<br>0x76e1d:$hawkstr2: Dear HawkEye Customers!<br>0x76f84:$hawkstr2: Dear HawkEye Customers!<br>0x757b2:$hawkstr3: HawkEye Logger Details: |
| 22.3.images.exe.14b3768.4.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 22.3.images.exe.14b3768.4.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x2318:$c1: Elevation:Administrator!new: |
| 22.3.images.exe.14b3768.4.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 13.0.rem.exe.400000.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 13.0.rem.exe.400000.2.unpack | REMCOS_RAT_variants | unknown | unknown | 0x60744:$str_a1: C:\Windows\System32\cmd.exe<br>0x606c0:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR<br>0x606c0:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR<br>0x5fca8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data<br>0x60300:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)<br>0x5f8ec:$str_b2: Executing file:<br>0x60888:$str_b3: GetDirectListeningPort<br>0x600c0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")<br>0x602e8:$str_b7: \update.vbs<br>0x5f93c:$str_b9: Downloaded file:<br>0x5f928:$str_b10: Downloading file:<br>0x5f910:$str_b12: Failed to upload file:<br>0x60850:$str_b13: StartForward<br>0x60870:$str_b14: StopForward<br>0x60290:$str_b15: fso.DeleteFile "<br>0x60224:$str_b16: On Error Resume Next<br>0x602c0:$str_b17: fso.DeleteFolder "<br>0x5f900:$str_b18: Uploaded file:<br>0x5f97c:$str_b19: Unable to delete:<br>0x60258:$str_b20: while fso.FileExists("<br>0x5fde1:$str_c0: [Firefox StoredLogins not found] |
| 12.3.warz.exe.da3888.4.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 12.3.warz.exe.da3888.4.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x2318:$c1: Elevation:Administrator!new: |
| 12.3.warz.exe.da3888.4.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| 11.3.bin.exe.10e38a8.2.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x3b88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} |
| 11.3.bin.exe.10e38a8.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0x3b88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}<br>0xd80:$c1: Elevation:Administrator!new:<br>0x3b88:$c1: Elevation:Administrator!new: |
| 11.3.bin.exe.10e38a8.2.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
19.2.hawkstartup.exe.2b9c090.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
11.0.bin.exe.880000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.0.bin.exe.880000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
|
11.0.bin.exe.880000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
|
11.0.bin.exe.880000.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
11.0.bin.exe.880000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
11.0.bin.exe.880000.0.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
11.0.bin.exe.880000.0.unpack | AveMaria_WarZone | unknown | unknown | - 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1640c:$str2: MsgBox.exe
- 0x1669c:$str4: \System32\cmd.exe
- 0x162e0:$str6: Ave_Maria
- 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14e78:$str8: SMTP Password
- 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x15b44:$str12: \sqlmap.dll
- 0x191f0:$str16: Elevation:Administrator!new
- 0x19310:$str17: /n:%temp%
|
22.2.images.exe.330000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
22.2.images.exe.330000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
|
22.2.images.exe.330000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
|
22.2.images.exe.330000.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
22.2.images.exe.330000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
22.2.images.exe.330000.0.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
22.2.images.exe.330000.0.unpack | AveMaria_WarZone | unknown | unknown | - 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1640c:$str2: MsgBox.exe
- 0x1669c:$str4: \System32\cmd.exe
- 0x162e0:$str6: Ave_Maria
- 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14e78:$str8: SMTP Password
- 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x15b44:$str12: \sqlmap.dll
- 0x191f0:$str16: Elevation:Administrator!new
- 0x19310:$str17: /n:%temp%
|
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x17ff0:$c1: Elevation:Administrator!new:
|
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x138e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x13558:$a3: \Google\Chrome\User Data\Default\Login Data
|
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack | AveMaria_WarZone | unknown | unknown | - 0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1580c:$str2: MsgBox.exe
- 0x15a9c:$str4: \System32\cmd.exe
- 0x156e0:$str6: Ave_Maria
- 0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14278:$str8: SMTP Password
- 0x13558:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x14f44:$str12: \sqlmap.dll
- 0x17ff0:$str16: Elevation:Administrator!new
- 0x18110:$str17: /n:%temp%
|
11.3.bin.exe.10e66b0.7.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.3.bin.exe.10e66b0.7.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
11.3.bin.exe.10e66b0.7.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
26.0.ori2.0dec23sta.exe.d0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
26.0.ori2.0dec23sta.exe.d0000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
11.3.bin.exe.10e5118.0.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.3.bin.exe.10e5118.0.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2318:$c1: Elevation:Administrator!new:
|
11.3.bin.exe.10e5118.0.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
12.3.warz.exe.da3888.9.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
12.3.warz.exe.da3888.9.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2318:$c1: Elevation:Administrator!new:
|
12.3.warz.exe.da3888.9.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
22.3.images.exe.14b3768.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
22.3.images.exe.14b3768.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xb18:$c1: Elevation:Administrator!new:
|
22.3.images.exe.14b3768.1.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
11.3.bin.exe.10e5118.4.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.3.bin.exe.10e5118.4.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xb18:$c1: Elevation:Administrator!new:
|
11.3.bin.exe.10e5118.4.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
19.2.hawkstartup.exe.4d9c0d.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
19.2.hawkstartup.exe.4d9c0d.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.2.hawkstartup.exe.4d9c0d.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.2.hawkstartup.exe.4d9c0d.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.2.hawkstartup.exe.4d9c0d.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
22.3.images.exe.14b3768.9.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
22.3.images.exe.14b3768.9.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2318:$c1: Elevation:Administrator!new:
|
22.3.images.exe.14b3768.9.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
12.3.warz.exe.dba418.13.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
12.3.warz.exe.dba418.13.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
12.3.warz.exe.dba418.13.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
19.0.hawkstartup.exe.4d0000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d0000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
19.0.hawkstartup.exe.4d0000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d0000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d0000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d0000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
19.0.hawkstartup.exe.4d8208.15.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d8208.15.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
19.0.hawkstartup.exe.4d8208.15.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d8208.15.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d8208.15.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d8208.15.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
19.2.hawkstartup.exe.4d9c0d.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d0000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d0000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
19.0.hawkstartup.exe.4d0000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d0000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d0000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d0000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
22.3.images.exe.14ab2f0.10.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x6d88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x9b90:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
22.3.images.exe.14ab2f0.10.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x6d88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x9b90:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x6d88:$c1: Elevation:Administrator!new:
- 0x9b90:$c1: Elevation:Administrator!new:
|
22.3.images.exe.14ab2f0.10.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.13.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
12.3.warz.exe.da3888.1.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
12.3.warz.exe.da3888.1.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2318:$c1: Elevation:Administrator!new:
|
12.3.warz.exe.da3888.1.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
23.0.ori4.0dec23sta.exe.8c0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
23.0.ori4.0dec23sta.exe.8c0000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
13.0.rem.exe.400000.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
13.0.rem.exe.400000.1.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x60744:$str_a1: C:\Windows\System32\cmd.exe
- 0x606c0:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x606c0:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x5fca8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x60300:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x5f8ec:$str_b2: Executing file:
- 0x60888:$str_b3: GetDirectListeningPort
- 0x600c0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x602e8:$str_b7: \update.vbs
- 0x5f93c:$str_b9: Downloaded file:
- 0x5f928:$str_b10: Downloading file:
- 0x5f910:$str_b12: Failed to upload file:
- 0x60850:$str_b13: StartForward
- 0x60870:$str_b14: StopForward
- 0x60290:$str_b15: fso.DeleteFile "
- 0x60224:$str_b16: On Error Resume Next
- 0x602c0:$str_b17: fso.DeleteFolder "
- 0x5f900:$str_b18: Uploaded file:
- 0x5f97c:$str_b19: Unable to delete:
- 0x60258:$str_b20: while fso.FileExists("
- 0x5fde1:$str_c0: [Firefox StoredLogins not found]
|
19.0.hawkstartup.exe.4d0000.12.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d0000.12.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
19.0.hawkstartup.exe.4d0000.12.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d0000.12.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d0000.12.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d0000.12.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
19.0.hawkstartup.exe.4d8208.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d8208.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
19.0.hawkstartup.exe.4d8208.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d8208.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d8208.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d8208.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
19.0.hawkstartup.exe.52fa72.11.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
19.0.hawkstartup.exe.52fa72.11.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.52fa72.11.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.52fa72.11.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
13.0.rem.exe.400000.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
13.0.rem.exe.400000.3.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x60744:$str_a1: C:\Windows\System32\cmd.exe
- 0x606c0:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x606c0:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x5fca8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x60300:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x5f8ec:$str_b2: Executing file:
- 0x60888:$str_b3: GetDirectListeningPort
- 0x600c0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x602e8:$str_b7: \update.vbs
- 0x5f93c:$str_b9: Downloaded file:
- 0x5f928:$str_b10: Downloading file:
- 0x5f910:$str_b12: Failed to upload file:
- 0x60850:$str_b13: StartForward
- 0x60870:$str_b14: StopForward
- 0x60290:$str_b15: fso.DeleteFile "
- 0x60224:$str_b16: On Error Resume Next
- 0x602c0:$str_b17: fso.DeleteFolder "
- 0x5f900:$str_b18: Uploaded file:
- 0x5f97c:$str_b19: Unable to delete:
- 0x60258:$str_b20: while fso.FileExists("
- 0x5fde1:$str_c0: [Firefox StoredLogins not found]
|
19.0.hawkstartup.exe.4d9c0d.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d9c0d.9.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.9.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.9.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.9.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
11.3.bin.exe.10e3430.9.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5f8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x3400:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.3.bin.exe.10e3430.9.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x3400:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5f8:$c1: Elevation:Administrator!new:
- 0x3400:$c1: Elevation:Administrator!new:
|
11.3.bin.exe.10e3430.9.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
11.2.bin.exe.880000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.2.bin.exe.880000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
|
11.2.bin.exe.880000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
|
11.2.bin.exe.880000.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
11.2.bin.exe.880000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
11.2.bin.exe.880000.0.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
11.2.bin.exe.880000.0.unpack | AveMaria_WarZone | unknown | unknown | - 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1640c:$str2: MsgBox.exe
- 0x1669c:$str4: \System32\cmd.exe
- 0x162e0:$str6: Ave_Maria
- 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14e78:$str8: SMTP Password
- 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x15b44:$str12: \sqlmap.dll
- 0x191f0:$str16: Elevation:Administrator!new
- 0x19310:$str17: /n:%temp%
|
11.3.bin.exe.10e5118.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.3.bin.exe.10e5118.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xb18:$c1: Elevation:Administrator!new:
|
11.3.bin.exe.10e5118.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.5.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d9c0d.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.5.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.5.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
19.0.hawkstartup.exe.4d9c0d.5.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
11.3.bin.exe.10e66b0.3.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.3.bin.exe.10e66b0.3.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
11.3.bin.exe.10e66b0.3.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
19.0.hawkstartup.exe.4d0000.8.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d0000.8.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
19.0.hawkstartup.exe.4d0000.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d0000.8.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d0000.8.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d0000.8.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
19.2.hawkstartup.exe.4d8208.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
19.2.hawkstartup.exe.4d8208.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
19.2.hawkstartup.exe.4d8208.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.2.hawkstartup.exe.4d8208.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.2.hawkstartup.exe.4d8208.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.2.hawkstartup.exe.4d8208.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
11.3.bin.exe.10e3430.1.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x11f8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x4000:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.3.bin.exe.10e3430.1.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x11f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x4000:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x11f8:$c1: Elevation:Administrator!new:
- 0x4000:$c1: Elevation:Administrator!new:
|
11.3.bin.exe.10e3430.1.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.13.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d9c0d.13.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.13.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.13.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.13.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
23.0.ori4.0dec23sta.exe.8c0000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
23.0.ori4.0dec23sta.exe.8c0000.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
23.2.ori4.0dec23sta.exe.8c0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
23.2.ori4.0dec23sta.exe.8c0000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x73a65:$key: HawkEyeKeylogger
- 0x75cc7:$salt: 099u787978786
- 0x740a6:$string1: HawkEye_Keylogger
- 0x74ef9:$string1: HawkEye_Keylogger
- 0x75c27:$string1: HawkEye_Keylogger
- 0x7448f:$string2: holdermail.txt
- 0x744af:$string2: holdermail.txt
- 0x743d1:$string3: wallet.dat
- 0x743e9:$string3: wallet.dat
- 0x743ff:$string3: wallet.dat
- 0x757eb:$string4: Keylog Records
- 0x75b03:$string4: Keylog Records
- 0x75d1f:$string5: do not script -->
- 0x73a4d:$string6: \pidloc.txt
- 0x73adb:$string7: BSPLIT
- 0x73aeb:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d9c0d.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x740fe:$hawkstr1: HawkEye Keylogger
- 0x74f3f:$hawkstr1: HawkEye Keylogger
- 0x7526e:$hawkstr1: HawkEye Keylogger
- 0x753c9:$hawkstr1: HawkEye Keylogger
- 0x7552c:$hawkstr1: HawkEye Keylogger
- 0x757c3:$hawkstr1: HawkEye Keylogger
- 0x73c8c:$hawkstr2: Dear HawkEye Customers!
- 0x752c1:$hawkstr2: Dear HawkEye Customers!
- 0x75418:$hawkstr2: Dear HawkEye Customers!
- 0x7557f:$hawkstr2: Dear HawkEye Customers!
- 0x73dad:$hawkstr3: HawkEye Logger Details:
|
12.3.warz.exe.da4e20.2.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
12.3.warz.exe.da4e20.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
12.3.warz.exe.da4e20.2.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
23.0.ori4.0dec23sta.exe.8c0000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
23.0.ori4.0dec23sta.exe.8c0000.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
22.3.images.exe.14b3768.9.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
22.3.images.exe.14b3768.9.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xb18:$c1: Elevation:Administrator!new:
|
22.3.images.exe.14b3768.9.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
19.0.hawkstartup.exe.52fa72.6.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x1dc00:$key: HawkEyeKeylogger
- 0x1fe62:$salt: 099u787978786
- 0x1e241:$string1: HawkEye_Keylogger
- 0x1f094:$string1: HawkEye_Keylogger
- 0x1fdc2:$string1: HawkEye_Keylogger
- 0x1e62a:$string2: holdermail.txt
- 0x1e64a:$string2: holdermail.txt
- 0x1e56c:$string3: wallet.dat
- 0x1e584:$string3: wallet.dat
- 0x1e59a:$string3: wallet.dat
- 0x1f986:$string4: Keylog Records
- 0x1fc9e:$string4: Keylog Records
- 0x1feba:$string5: do not script -->
- 0x1dbe8:$string6: \pidloc.txt
- 0x1dc76:$string7: BSPLIT
- 0x1dc86:$string7: BSPLIT
|
19.0.hawkstartup.exe.52fa72.6.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.52fa72.6.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.52fa72.6.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1e299:$hawkstr1: HawkEye Keylogger
- 0x1f0da:$hawkstr1: HawkEye Keylogger
- 0x1f409:$hawkstr1: HawkEye Keylogger
- 0x1f564:$hawkstr1: HawkEye Keylogger
- 0x1f6c7:$hawkstr1: HawkEye Keylogger
- 0x1f95e:$hawkstr1: HawkEye Keylogger
- 0x1de27:$hawkstr2: Dear HawkEye Customers!
- 0x1f45c:$hawkstr2: Dear HawkEye Customers!
- 0x1f5b3:$hawkstr2: Dear HawkEye Customers!
- 0x1f71a:$hawkstr2: Dear HawkEye Customers!
- 0x1df48:$hawkstr3: HawkEye Logger Details:
|
11.3.bin.exe.10e5118.4.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.3.bin.exe.10e5118.4.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2318:$c1: Elevation:Administrator!new:
|
11.3.bin.exe.10e5118.4.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
26.2.ori2.0dec23sta.exe.d0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
26.2.ori2.0dec23sta.exe.d0000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
19.0.hawkstartup.exe.52fa72.14.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
12.0.warz.exe.1020000.2.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
12.0.warz.exe.1020000.2.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
|
12.0.warz.exe.1020000.2.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
|
12.0.warz.exe.1020000.2.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
12.0.warz.exe.1020000.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
12.0.warz.exe.1020000.2.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
12.0.warz.exe.1020000.2.unpack | AveMaria_WarZone | unknown | unknown | - 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1640c:$str2: MsgBox.exe
- 0x1669c:$str4: \System32\cmd.exe
- 0x162e0:$str6: Ave_Maria
- 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14e78:$str8: SMTP Password
- 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x15b44:$str12: \sqlmap.dll
- 0x191f0:$str16: Elevation:Administrator!new
- 0x19310:$str17: /n:%temp%
|
19.0.hawkstartup.exe.52fa72.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x35639:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
- 0x35639:$c1: Elevation:Administrator!new:
|
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x9869c:$a1: logins.json
- 0xfb689:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11c5ce:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11ce02:$s4: \mozsqlite3.dll
- 0x11b6f2:$s5: SMTP Password
|
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x127d4e:$key: HawkEyeKeylogger
- 0x129fb0:$salt: 099u787978786
- 0x12838f:$string1: HawkEye_Keylogger
- 0x1291e2:$string1: HawkEye_Keylogger
- 0x129f10:$string1: HawkEye_Keylogger
- 0x128778:$string2: holdermail.txt
- 0x128798:$string2: holdermail.txt
- 0x1286ba:$string3: wallet.dat
- 0x1286d2:$string3: wallet.dat
- 0x1286e8:$string3: wallet.dat
- 0x129ad4:$string4: Keylog Records
- 0x129dec:$string4: Keylog Records
- 0x12a008:$string5: do not script -->
- 0x127d36:$string6: \pidloc.txt
- 0x127dc4:$string7: BSPLIT
- 0x127dd4:$string7: BSPLIT
|
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb38ff:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1283e7:$hawkstr1: HawkEye Keylogger
- 0x129228:$hawkstr1: HawkEye Keylogger
- 0x129557:$hawkstr1: HawkEye Keylogger
- 0x1296b2:$hawkstr1: HawkEye Keylogger
- 0x129815:$hawkstr1: HawkEye Keylogger
- 0x129aac:$hawkstr1: HawkEye Keylogger
- 0x127f75:$hawkstr2: Dear HawkEye Customers!
- 0x1295aa:$hawkstr2: Dear HawkEye Customers!
- 0x129701:$hawkstr2: Dear HawkEye Customers!
- 0x129868:$hawkstr2: Dear HawkEye Customers!
- 0x128096:$hawkstr3: HawkEye Logger Details:
|
23.0.ori4.0dec23sta.exe.8c0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
23.0.ori4.0dec23sta.exe.8c0000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
22.3.images.exe.14b4d00.3.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
22.3.images.exe.14b4d00.3.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
22.3.images.exe.14b4d00.3.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
26.0.ori2.0dec23sta.exe.d0000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
26.0.ori2.0dec23sta.exe.d0000.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
12.3.warz.exe.da4e20.8.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
12.3.warz.exe.da4e20.8.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
12.3.warz.exe.da4e20.8.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
22.2.images.exe.36f8490.2.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
22.2.images.exe.36f8490.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
22.2.images.exe.36f8490.2.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
13.0.rem.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
13.0.rem.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown | - 0x60744:$str_a1: C:\Windows\System32\cmd.exe
- 0x606c0:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x606c0:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
- 0x5fca8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
- 0x60300:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
- 0x5f8ec:$str_b2: Executing file:
- 0x60888:$str_b3: GetDirectListeningPort
- 0x600c0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
- 0x602e8:$str_b7: \update.vbs
- 0x5f93c:$str_b9: Downloaded file:
- 0x5f928:$str_b10: Downloading file:
- 0x5f910:$str_b12: Failed to upload file:
- 0x60850:$str_b13: StartForward
- 0x60870:$str_b14: StopForward
- 0x60290:$str_b15: fso.DeleteFile "
- 0x60224:$str_b16: On Error Resume Next
- 0x602c0:$str_b17: fso.DeleteFolder "
- 0x5f900:$str_b18: Uploaded file:
- 0x5f97c:$str_b19: Unable to delete:
- 0x60258:$str_b20: while fso.FileExists("
- 0x5fde1:$str_c0: [Firefox StoredLogins not found]
|
19.2.hawkstartup.exe.4d0000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7b872:$key: HawkEyeKeylogger
- 0x7dad4:$salt: 099u787978786
- 0x7beb3:$string1: HawkEye_Keylogger
- 0x7cd06:$string1: HawkEye_Keylogger
- 0x7da34:$string1: HawkEye_Keylogger
- 0x7c29c:$string2: holdermail.txt
- 0x7c2bc:$string2: holdermail.txt
- 0x7c1de:$string3: wallet.dat
- 0x7c1f6:$string3: wallet.dat
- 0x7c20c:$string3: wallet.dat
- 0x7d5f8:$string4: Keylog Records
- 0x7d910:$string4: Keylog Records
- 0x7db2c:$string5: do not script -->
- 0x7b85a:$string6: \pidloc.txt
- 0x7b8e8:$string7: BSPLIT
- 0x7b8f8:$string7: BSPLIT
|
19.2.hawkstartup.exe.4d0000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
19.2.hawkstartup.exe.4d0000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.2.hawkstartup.exe.4d0000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.2.hawkstartup.exe.4d0000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.2.hawkstartup.exe.4d0000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x7bf0b:$hawkstr1: HawkEye Keylogger
- 0x7cd4c:$hawkstr1: HawkEye Keylogger
- 0x7d07b:$hawkstr1: HawkEye Keylogger
- 0x7d1d6:$hawkstr1: HawkEye Keylogger
- 0x7d339:$hawkstr1: HawkEye Keylogger
- 0x7d5d0:$hawkstr1: HawkEye Keylogger
- 0x7ba99:$hawkstr2: Dear HawkEye Customers!
- 0x7d0ce:$hawkstr2: Dear HawkEye Customers!
- 0x7d225:$hawkstr2: Dear HawkEye Customers!
- 0x7d38c:$hawkstr2: Dear HawkEye Customers!
- 0x7bbba:$hawkstr3: HawkEye Logger Details:
|
12.0.warz.exe.1020000.4.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
12.0.warz.exe.1020000.4.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
|
12.0.warz.exe.1020000.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
|
12.0.warz.exe.1020000.4.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
12.0.warz.exe.1020000.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
12.0.warz.exe.1020000.4.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
12.0.warz.exe.1020000.4.unpack | AveMaria_WarZone | unknown | unknown | - 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1640c:$str2: MsgBox.exe
- 0x1669c:$str4: \System32\cmd.exe
- 0x162e0:$str6: Ave_Maria
- 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14e78:$str8: SMTP Password
- 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x15b44:$str12: \sqlmap.dll
- 0x191f0:$str16: Elevation:Administrator!new
- 0x19310:$str17: /n:%temp%
|
11.3.bin.exe.10e3430.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5f8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x3400:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
11.3.bin.exe.10e3430.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x3400:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5f8:$c1: Elevation:Administrator!new:
- 0x3400:$c1: Elevation:Administrator!new:
|
11.3.bin.exe.10e3430.1.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
19.0.hawkstartup.exe.4d9c0d.9.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1d1c9:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
- 0x1d1c9:$c1: Elevation:Administrator!new:
|
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x8022c:$a1: logins.json
- 0xe3219:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x10415e:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x104992:$s4: \mozsqlite3.dll
- 0x103282:$s5: SMTP Password
|
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1d1c9:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
- 0x1d1c9:$c1: Elevation:Administrator!new:
|
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x8022c:$a1: logins.json
- 0xe3219:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x10415e:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x104992:$s4: \mozsqlite3.dll
- 0x103282:$s5: SMTP Password
|
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x10f8de:$key: HawkEyeKeylogger
- 0x111b40:$salt: 099u787978786
- 0x10ff1f:$string1: HawkEye_Keylogger
- 0x110d72:$string1: HawkEye_Keylogger
- 0x111aa0:$string1: HawkEye_Keylogger
- 0x110308:$string2: holdermail.txt
- 0x110328:$string2: holdermail.txt
- 0x11024a:$string3: wallet.dat
- 0x110262:$string3: wallet.dat
- 0x110278:$string3: wallet.dat
- 0x111664:$string4: Keylog Records
- 0x11197c:$string4: Keylog Records
- 0x111b98:$string5: do not script -->
- 0x10f8c6:$string6: \pidloc.txt
- 0x10f954:$string7: BSPLIT
- 0x10f964:$string7: BSPLIT
|
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x10f8de:$key: HawkEyeKeylogger
- 0x111b40:$salt: 099u787978786
- 0x10ff1f:$string1: HawkEye_Keylogger
- 0x110d72:$string1: HawkEye_Keylogger
- 0x111aa0:$string1: HawkEye_Keylogger
- 0x110308:$string2: holdermail.txt
- 0x110328:$string2: holdermail.txt
- 0x11024a:$string3: wallet.dat
- 0x110262:$string3: wallet.dat
- 0x110278:$string3: wallet.dat
- 0x111664:$string4: Keylog Records
- 0x11197c:$string4: Keylog Records
- 0x111b98:$string5: do not script -->
- 0x10f8c6:$string6: \pidloc.txt
- 0x10f954:$string7: BSPLIT
- 0x10f964:$string7: BSPLIT
|
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x9b48f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x9b48f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x10ff77:$hawkstr1: HawkEye Keylogger
- 0x110db8:$hawkstr1: HawkEye Keylogger
- 0x1110e7:$hawkstr1: HawkEye Keylogger
- 0x111242:$hawkstr1: HawkEye Keylogger
- 0x1113a5:$hawkstr1: HawkEye Keylogger
- 0x11163c:$hawkstr1: HawkEye Keylogger
- 0x10fb05:$hawkstr2: Dear HawkEye Customers!
- 0x11113a:$hawkstr2: Dear HawkEye Customers!
- 0x111291:$hawkstr2: Dear HawkEye Customers!
- 0x1113f8:$hawkstr2: Dear HawkEye Customers!
- 0x10fc26:$hawkstr3: HawkEye Logger Details:
|
4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x10ff77:$hawkstr1: HawkEye Keylogger
- 0x110db8:$hawkstr1: HawkEye Keylogger
- 0x1110e7:$hawkstr1: HawkEye Keylogger
- 0x111242:$hawkstr1: HawkEye Keylogger
- 0x1113a5:$hawkstr1: HawkEye Keylogger
- 0x11163c:$hawkstr1: HawkEye Keylogger
- 0x10fb05:$hawkstr2: Dear HawkEye Customers!
- 0x11113a:$hawkstr2: Dear HawkEye Customers!
- 0x111291:$hawkstr2: Dear HawkEye Customers!
- 0x1113f8:$hawkstr2: Dear HawkEye Customers!
- 0x10fc26:$hawkstr3: HawkEye Logger Details:
|
12.0.warz.exe.1020000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
12.0.warz.exe.1020000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
|
12.0.warz.exe.1020000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
|
12.0.warz.exe.1020000.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
12.0.warz.exe.1020000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
12.0.warz.exe.1020000.0.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
12.0.warz.exe.1020000.0.unpack | AveMaria_WarZone | unknown | unknown | - 0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1640c:$str2: MsgBox.exe
- 0x1669c:$str4: \System32\cmd.exe
- 0x162e0:$str6: Ave_Maria
- 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14e78:$str8: SMTP Password
- 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x15b44:$str12: \sqlmap.dll
- 0x191f0:$str16: Elevation:Administrator!new
- 0x19310:$str17: /n:%temp%
|
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x35639:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
- 0x35639:$c1: Elevation:Administrator!new:
|
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x9869c:$a1: logins.json
- 0xfb689:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11c5ce:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11ce02:$s4: \mozsqlite3.dll
- 0x11b6f2:$s5: SMTP Password
|
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x127d4e:$key: HawkEyeKeylogger
- 0x129fb0:$salt: 099u787978786
- 0x12838f:$string1: HawkEye_Keylogger
- 0x1291e2:$string1: HawkEye_Keylogger
- 0x129f10:$string1: HawkEye_Keylogger
- 0x128778:$string2: holdermail.txt
- 0x128798:$string2: holdermail.txt
- 0x1286ba:$string3: wallet.dat
- 0x1286d2:$string3: wallet.dat
- 0x1286e8:$string3: wallet.dat
- 0x129ad4:$string4: Keylog Records
- 0x129dec:$string4: Keylog Records
- 0x12a008:$string5: do not script -->
- 0x127d36:$string6: \pidloc.txt
- 0x127dc4:$string7: BSPLIT
- 0x127dd4:$string7: BSPLIT
|
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb38ff:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1283e7:$hawkstr1: HawkEye Keylogger
- 0x129228:$hawkstr1: HawkEye Keylogger
- 0x129557:$hawkstr1: HawkEye Keylogger
- 0x1296b2:$hawkstr1: HawkEye Keylogger
- 0x129815:$hawkstr1: HawkEye Keylogger
- 0x129aac:$hawkstr1: HawkEye Keylogger
- 0x127f75:$hawkstr2: Dear HawkEye Customers!
- 0x1295aa:$hawkstr2: Dear HawkEye Customers!
- 0x129701:$hawkstr2: Dear HawkEye Customers!
- 0x129868:$hawkstr2: Dear HawkEye Customers!
- 0x128096:$hawkstr3: HawkEye Logger Details:
|
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x1b6db:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x37b24:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1b6db:$c1: Elevation:Administrator!new:
- 0x37b24:$c1: Elevation:Administrator!new:
|
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x9ab87:$a1: logins.json
- 0xfdb74:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11eab9:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11f2ed:$s4: \mozsqlite3.dll
- 0x11dbdd:$s5: SMTP Password
|
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x12a239:$key: HawkEyeKeylogger
- 0x12c49b:$salt: 099u787978786
- 0x12a87a:$string1: HawkEye_Keylogger
- 0x12b6cd:$string1: HawkEye_Keylogger
- 0x12c3fb:$string1: HawkEye_Keylogger
- 0x12ac63:$string2: holdermail.txt
- 0x12ac83:$string2: holdermail.txt
- 0x12aba5:$string3: wallet.dat
- 0x12abbd:$string3: wallet.dat
- 0x12abd3:$string3: wallet.dat
- 0x12bfbf:$string4: Keylog Records
- 0x12c2d7:$string4: Keylog Records
- 0x12c4f3:$string5: do not script -->
- 0x12a221:$string6: \pidloc.txt
- 0x12a2af:$string7: BSPLIT
- 0x12a2bf:$string7: BSPLIT
|
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb5dea:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
15.2.cmd.exe.3290000.2.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
15.2.cmd.exe.3290000.2.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x17ff0:$c1: Elevation:Administrator!new:
|
15.2.cmd.exe.3290000.2.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x138e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x13558:$a3: \Google\Chrome\User Data\Default\Login Data
|
15.2.cmd.exe.3290000.2.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
15.2.cmd.exe.3290000.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
15.2.cmd.exe.3290000.2.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
15.2.cmd.exe.3290000.2.unpack | AveMaria_WarZone | unknown | unknown | - 0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1580c:$str2: MsgBox.exe
- 0x15a9c:$str4: \System32\cmd.exe
- 0x156e0:$str6: Ave_Maria
- 0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x14278:$str8: SMTP Password
- 0x13558:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x14f44:$str12: \sqlmap.dll
- 0x17ff0:$str16: Elevation:Administrator!new
- 0x18110:$str17: /n:%temp%
|
4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x12a8d2:$hawkstr1: HawkEye Keylogger
- 0x12b713:$hawkstr1: HawkEye Keylogger
- 0x12ba42:$hawkstr1: HawkEye Keylogger
- 0x12bb9d:$hawkstr1: HawkEye Keylogger
- 0x12bd00:$hawkstr1: HawkEye Keylogger
- 0x12bf97:$hawkstr1: HawkEye Keylogger
- 0x12a460:$hawkstr2: Dear HawkEye Customers!
- 0x12ba95:$hawkstr2: Dear HawkEye Customers!
- 0x12bbec:$hawkstr2: Dear HawkEye Customers!
- 0x12bd53:$hawkstr2: Dear HawkEye Customers!
- 0x12a581:$hawkstr3: HawkEye Logger Details:
|
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x1a6db:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x36b24:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1a6db:$c1: Elevation:Administrator!new:
- 0x36b24:$c1: Elevation:Administrator!new:
|
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x99b87:$a1: logins.json
- 0xfcb74:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11dab9:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11e2ed:$s4: \mozsqlite3.dll
- 0x11cbdd:$s5: SMTP Password
|
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x129239:$key: HawkEyeKeylogger
- 0x12b49b:$salt: 099u787978786
- 0x12987a:$string1: HawkEye_Keylogger
- 0x12a6cd:$string1: HawkEye_Keylogger
- 0x12b3fb:$string1: HawkEye_Keylogger
- 0x129c63:$string2: holdermail.txt
- 0x129c83:$string2: holdermail.txt
- 0x129ba5:$string3: wallet.dat
- 0x129bbd:$string3: wallet.dat
- 0x129bd3:$string3: wallet.dat
- 0x12afbf:$string4: Keylog Records
- 0x12b2d7:$string4: Keylog Records
- 0x12b4f3:$string5: do not script -->
- 0x129221:$string6: \pidloc.txt
- 0x1292af:$string7: BSPLIT
- 0x1292bf:$string7: BSPLIT
|
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb4dea:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1298d2:$hawkstr1: HawkEye Keylogger
- 0x12a713:$hawkstr1: HawkEye Keylogger
- 0x12aa42:$hawkstr1: HawkEye Keylogger
- 0x12ab9d:$hawkstr1: HawkEye Keylogger
- 0x12ad00:$hawkstr1: HawkEye Keylogger
- 0x12af97:$hawkstr1: HawkEye Keylogger
- 0x129460:$hawkstr2: Dear HawkEye Customers!
- 0x12aa95:$hawkstr2: Dear HawkEye Customers!
- 0x12abec:$hawkstr2: Dear HawkEye Customers!
- 0x12ad53:$hawkstr2: Dear HawkEye Customers!
- 0x129581:$hawkstr3: HawkEye Logger Details:
|
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x1b6db:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x37b24:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1b6db:$c1: Elevation:Administrator!new:
- 0x37b24:$c1: Elevation:Administrator!new:
|
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x9ab87:$a1: logins.json
- 0xfdb74:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11eab9:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11f2ed:$s4: \mozsqlite3.dll
- 0x11dbdd:$s5: SMTP Password
|
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x12a239:$key: HawkEyeKeylogger
- 0x12c49b:$salt: 099u787978786
- 0x12a87a:$string1: HawkEye_Keylogger
- 0x12b6cd:$string1: HawkEye_Keylogger
- 0x12c3fb:$string1: HawkEye_Keylogger
- 0x12ac63:$string2: holdermail.txt
- 0x12ac83:$string2: holdermail.txt
- 0x12aba5:$string3: wallet.dat
- 0x12abbd:$string3: wallet.dat
- 0x12abd3:$string3: wallet.dat
- 0x12bfbf:$string4: Keylog Records
- 0x12c2d7:$string4: Keylog Records
- 0x12c4f3:$string5: do not script -->
- 0x12a221:$string6: \pidloc.txt
- 0x12a2af:$string7: BSPLIT
- 0x12a2bf:$string7: BSPLIT
|
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb5dea:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x12a8d2:$hawkstr1: HawkEye Keylogger
- 0x12b713:$hawkstr1: HawkEye Keylogger
- 0x12ba42:$hawkstr1: HawkEye Keylogger
- 0x12bb9d:$hawkstr1: HawkEye Keylogger
- 0x12bd00:$hawkstr1: HawkEye Keylogger
- 0x12bf97:$hawkstr1: HawkEye Keylogger
- 0x12a460:$hawkstr2: Dear HawkEye Customers!
- 0x12ba95:$hawkstr2: Dear HawkEye Customers!
- 0x12bbec:$hawkstr2: Dear HawkEye Customers!
- 0x12bd53:$hawkstr2: Dear HawkEye Customers!
- 0x12a581:$hawkstr3: HawkEye Logger Details:
|
19.0.hawkstartup.exe.4d8208.10.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x7546a:$key: HawkEyeKeylogger
- 0x776cc:$salt: 099u787978786
- 0x75aab:$string1: HawkEye_Keylogger
- 0x768fe:$string1: HawkEye_Keylogger
- 0x7762c:$string1: HawkEye_Keylogger
- 0x75e94:$string2: holdermail.txt
- 0x75eb4:$string2: holdermail.txt
- 0x75dd6:$string3: wallet.dat
- 0x75dee:$string3: wallet.dat
- 0x75e04:$string3: wallet.dat
- 0x771f0:$string4: Keylog Records
- 0x77508:$string4: Keylog Records
- 0x77724:$string5: do not script -->
- 0x75452:$string6: \pidloc.txt
- 0x754e0:$string7: BSPLIT
- 0x754f0:$string7: BSPLIT
|
19.0.hawkstartup.exe.4d8208.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
19.0.hawkstartup.exe.4d8208.10.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
19.0.hawkstartup.exe.4d8208.10.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
19.0.hawkstartup.exe.4d8208.10.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
19.0.hawkstartup.exe.4d8208.10.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x75b03:$hawkstr1: HawkEye Keylogger
- 0x76944:$hawkstr1: HawkEye Keylogger
- 0x76c73:$hawkstr1: HawkEye Keylogger
- 0x76dce:$hawkstr1: HawkEye Keylogger
- 0x76f31:$hawkstr1: HawkEye Keylogger
- 0x771c8:$hawkstr1: HawkEye Keylogger
- 0x75691:$hawkstr2: Dear HawkEye Customers!
- 0x76cc6:$hawkstr2: Dear HawkEye Customers!
- 0x76e1d:$hawkstr2: Dear HawkEye Customers!
- 0x76f84:$hawkstr2: Dear HawkEye Customers!
- 0x757b2:$hawkstr3: HawkEye Logger Details:
|
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1d1c9:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
- 0x1d1c9:$c1: Elevation:Administrator!new:
|
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x8022c:$a1: logins.json
- 0xe3219:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x10415e:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x104992:$s4: \mozsqlite3.dll
- 0x103282:$s5: SMTP Password
|
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x10f8de:$key: HawkEyeKeylogger
- 0x111b40:$salt: 099u787978786
- 0x10ff1f:$string1: HawkEye_Keylogger
- 0x110d72:$string1: HawkEye_Keylogger
- 0x111aa0:$string1: HawkEye_Keylogger
- 0x110308:$string2: holdermail.txt
- 0x110328:$string2: holdermail.txt
- 0x11024a:$string3: wallet.dat
- 0x110262:$string3: wallet.dat
- 0x110278:$string3: wallet.dat
- 0x111664:$string4: Keylog Records
- 0x11197c:$string4: Keylog Records
- 0x111b98:$string5: do not script -->
- 0x10f8c6:$string6: \pidloc.txt
- 0x10f954:$string7: BSPLIT
- 0x10f964:$string7: BSPLIT
|
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0x9b48f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x10ff77:$hawkstr1: HawkEye Keylogger
- 0x110db8:$hawkstr1: HawkEye Keylogger
- 0x1110e7:$hawkstr1: HawkEye Keylogger
- 0x111242:$hawkstr1: HawkEye Keylogger
- 0x1113a5:$hawkstr1: HawkEye Keylogger
- 0x11163c:$hawkstr1: HawkEye Keylogger
- 0x10fb05:$hawkstr2: Dear HawkEye Customers!
- 0x11113a:$hawkstr2: Dear HawkEye Customers!
- 0x111291:$hawkstr2: Dear HawkEye Customers!
- 0x1113f8:$hawkstr2: Dear HawkEye Customers!
- 0x10fc26:$hawkstr3: HawkEye Logger Details:
|
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x1b6db:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x37b24:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1b6db:$c1: Elevation:Administrator!new:
- 0x37b24:$c1: Elevation:Administrator!new:
|
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x9ab87:$a1: logins.json
- 0xfdb74:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11eab9:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11f2ed:$s4: \mozsqlite3.dll
- 0x11dbdd:$s5: SMTP Password
|
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x12a239:$key: HawkEyeKeylogger
- 0x12c49b:$salt: 099u787978786
- 0x12a87a:$string1: HawkEye_Keylogger
- 0x12b6cd:$string1: HawkEye_Keylogger
- 0x12c3fb:$string1: HawkEye_Keylogger
- 0x12ac63:$string2: holdermail.txt
- 0x12ac83:$string2: holdermail.txt
- 0x12aba5:$string3: wallet.dat
- 0x12abbd:$string3: wallet.dat
- 0x12abd3:$string3: wallet.dat
- 0x12bfbf:$string4: Keylog Records
- 0x12c2d7:$string4: Keylog Records
- 0x12c4f3:$string5: do not script -->
- 0x12a221:$string6: \pidloc.txt
- 0x12a2af:$string7: BSPLIT
- 0x12a2bf:$string7: BSPLIT
|
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb5dea:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x12a8d2:$hawkstr1: HawkEye Keylogger
- 0x12b713:$hawkstr1: HawkEye Keylogger
- 0x12ba42:$hawkstr1: HawkEye Keylogger
- 0x12bb9d:$hawkstr1: HawkEye Keylogger
- 0x12bd00:$hawkstr1: HawkEye Keylogger
- 0x12bf97:$hawkstr1: HawkEye Keylogger
- 0x12a460:$hawkstr2: Dear HawkEye Customers!
- 0x12ba95:$hawkstr2: Dear HawkEye Customers!
- 0x12bbec:$hawkstr2: Dear HawkEye Customers!
- 0x12bd53:$hawkstr2: Dear HawkEye Customers!
- 0x12a581:$hawkstr3: HawkEye Logger Details:
|
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x35639:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
- 0x35639:$c1: Elevation:Administrator!new:
|
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x9869c:$a1: logins.json
- 0xfb689:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11c5ce:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11ce02:$s4: \mozsqlite3.dll
- 0x11b6f2:$s5: SMTP Password
|
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x127d4e:$key: HawkEyeKeylogger
- 0x129fb0:$salt: 099u787978786
- 0x12838f:$string1: HawkEye_Keylogger
- 0x1291e2:$string1: HawkEye_Keylogger
- 0x129f10:$string1: HawkEye_Keylogger
- 0x128778:$string2: holdermail.txt
- 0x128798:$string2: holdermail.txt
- 0x1286ba:$string3: wallet.dat
- 0x1286d2:$string3: wallet.dat
- 0x1286e8:$string3: wallet.dat
- 0x129ad4:$string4: Keylog Records
- 0x129dec:$string4: Keylog Records
- 0x12a008:$string5: do not script -->
- 0x127d36:$string6: \pidloc.txt
- 0x127dc4:$string7: BSPLIT
- 0x127dd4:$string7: BSPLIT
|
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb38ff:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1283e7:$hawkstr1: HawkEye Keylogger
- 0x129228:$hawkstr1: HawkEye Keylogger
- 0x129557:$hawkstr1: HawkEye Keylogger
- 0x1296b2:$hawkstr1: HawkEye Keylogger
- 0x129815:$hawkstr1: HawkEye Keylogger
- 0x129aac:$hawkstr1: HawkEye Keylogger
- 0x127f75:$hawkstr2: Dear HawkEye Customers!
- 0x1295aa:$hawkstr2: Dear HawkEye Customers!
- 0x129701:$hawkstr2: Dear HawkEye Customers!
- 0x129868:$hawkstr2: Dear HawkEye Customers!
- 0x128096:$hawkstr3: HawkEye Logger Details:
|
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x1b6db:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x37b24:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1b6db:$c1: Elevation:Administrator!new:
- 0x37b24:$c1: Elevation:Administrator!new:
|
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x9ab87:$a1: logins.json
- 0xfdb74:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11eab9:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11f2ed:$s4: \mozsqlite3.dll
- 0x11dbdd:$s5: SMTP Password
|
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x12a239:$key: HawkEyeKeylogger
- 0x12c49b:$salt: 099u787978786
- 0x12a87a:$string1: HawkEye_Keylogger
- 0x12b6cd:$string1: HawkEye_Keylogger
- 0x12c3fb:$string1: HawkEye_Keylogger
- 0x12ac63:$string2: holdermail.txt
- 0x12ac83:$string2: holdermail.txt
- 0x12aba5:$string3: wallet.dat
- 0x12abbd:$string3: wallet.dat
- 0x12abd3:$string3: wallet.dat
- 0x12bfbf:$string4: Keylog Records
- 0x12c2d7:$string4: Keylog Records
- 0x12c4f3:$string5: do not script -->
- 0x12a221:$string6: \pidloc.txt
- 0x12a2af:$string7: BSPLIT
- 0x12a2bf:$string7: BSPLIT
|
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb5dea:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x12a8d2:$hawkstr1: HawkEye Keylogger
- 0x12b713:$hawkstr1: HawkEye Keylogger
- 0x12ba42:$hawkstr1: HawkEye Keylogger
- 0x12bb9d:$hawkstr1: HawkEye Keylogger
- 0x12bd00:$hawkstr1: HawkEye Keylogger
- 0x12bf97:$hawkstr1: HawkEye Keylogger
- 0x12a460:$hawkstr2: Dear HawkEye Customers!
- 0x12ba95:$hawkstr2: Dear HawkEye Customers!
- 0x12bbec:$hawkstr2: Dear HawkEye Customers!
- 0x12bd53:$hawkstr2: Dear HawkEye Customers!
- 0x12a581:$hawkstr3: HawkEye Logger Details:
|
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x1b6db:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x37b24:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1b6db:$c1: Elevation:Administrator!new:
- 0x37b24:$c1: Elevation:Administrator!new:
|
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth | - 0x9ab87:$a1: logins.json
- 0xfdb74:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11eab9:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
- 0x11f2ed:$s4: \mozsqlite3.dll
- 0x11dbdd:$s5: SMTP Password
|
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x12a239:$key: HawkEyeKeylogger
- 0x12c49b:$salt: 099u787978786
- 0x12a87a:$string1: HawkEye_Keylogger
- 0x12b6cd:$string1: HawkEye_Keylogger
- 0x12c3fb:$string1: HawkEye_Keylogger
- 0x12ac63:$string2: holdermail.txt
- 0x12ac83:$string2: holdermail.txt
- 0x12aba5:$string3: wallet.dat
- 0x12abbd:$string3: wallet.dat
- 0x12abd3:$string3: wallet.dat
- 0x12bfbf:$string4: Keylog Records
- 0x12c2d7:$string4: Keylog Records
- 0x12c4f3:$string5: do not script -->
- 0x12a221:$string6: \pidloc.txt
- 0x12a2af:$string7: BSPLIT
- 0x12a2bf:$string7: BSPLIT
|
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb5dea:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x12a8d2:$hawkstr1: HawkEye Keylogger
- 0x12b713:$hawkstr1: HawkEye Keylogger
- 0x12ba42:$hawkstr1: HawkEye Keylogger
- 0x12bb9d:$hawkstr1: HawkEye Keylogger
- 0x12bd00:$hawkstr1: HawkEye Keylogger
- 0x12bf97:$hawkstr1: HawkEye Keylogger
- 0x12a460:$hawkstr2: Dear HawkEye Customers!
- 0x12ba95:$hawkstr2: Dear HawkEye Customers!
- 0x12bbec:$hawkstr2: Dear HawkEye Customers!
- 0x12bd53:$hawkstr2: Dear HawkEye Customers!
- 0x12a581:$hawkstr3: HawkEye Logger Details:
|
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x1b3af:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x377f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1b83cf:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1d4818:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x3533ef:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x36f838:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1b3af:$c1: Elevation:Administrator!new:
- 0x377f8:$c1: Elevation:Administrator!new:
- 0x1b83cf:$c1: Elevation:Administrator!new:
- 0x1d4818:$c1: Elevation:Administrator!new:
- 0x3533ef:$c1: Elevation:Administrator!new:
- 0x36f838:$c1: Elevation:Administrator!new:
|
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x129f0d:$key: HawkEyeKeylogger
- 0x2c6f2d:$key: HawkEyeKeylogger
- 0x461f4d:$key: HawkEyeKeylogger
- 0x12c16f:$salt: 099u787978786
- 0x2c918f:$salt: 099u787978786
- 0x4641af:$salt: 099u787978786
- 0x12a54e:$string1: HawkEye_Keylogger
- 0x12b3a1:$string1: HawkEye_Keylogger
- 0x12c0cf:$string1: HawkEye_Keylogger
- 0x2c756e:$string1: HawkEye_Keylogger
- 0x2c83c1:$string1: HawkEye_Keylogger
- 0x2c90ef:$string1: HawkEye_Keylogger
- 0x46258e:$string1: HawkEye_Keylogger
- 0x4633e1:$string1: HawkEye_Keylogger
- 0x46410f:$string1: HawkEye_Keylogger
- 0x12a937:$string2: holdermail.txt
- 0x12a957:$string2: holdermail.txt
- 0x2c7957:$string2: holdermail.txt
- 0x2c7977:$string2: holdermail.txt
- 0x462977:$string2: holdermail.txt
- 0x462997:$string2: holdermail.txt
|
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb5abe:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x252ade:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x3edafe:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x12a5a6:$hawkstr1: HawkEye Keylogger
- 0x12b3e7:$hawkstr1: HawkEye Keylogger
- 0x12b716:$hawkstr1: HawkEye Keylogger
- 0x12b871:$hawkstr1: HawkEye Keylogger
- 0x12b9d4:$hawkstr1: HawkEye Keylogger
- 0x12bc6b:$hawkstr1: HawkEye Keylogger
- 0x2c75c6:$hawkstr1: HawkEye Keylogger
- 0x2c8407:$hawkstr1: HawkEye Keylogger
- 0x2c8736:$hawkstr1: HawkEye Keylogger
- 0x2c8891:$hawkstr1: HawkEye Keylogger
- 0x2c89f4:$hawkstr1: HawkEye Keylogger
- 0x2c8c8b:$hawkstr1: HawkEye Keylogger
- 0x4625e6:$hawkstr1: HawkEye Keylogger
- 0x463427:$hawkstr1: HawkEye Keylogger
- 0x463756:$hawkstr1: HawkEye Keylogger
- 0x4638b1:$hawkstr1: HawkEye Keylogger
- 0x463a14:$hawkstr1: HawkEye Keylogger
- 0x463cab:$hawkstr1: HawkEye Keylogger
- 0x12a134:$hawkstr2: Dear HawkEye Customers!
- 0x12b769:$hawkstr2: Dear HawkEye Customers!
- 0x12b8c0:$hawkstr2: Dear HawkEye Customers!
|
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x35639:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1b6210:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1d2659:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x351230:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x36d679:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x191f0:$c1: Elevation:Administrator!new:
- 0x35639:$c1: Elevation:Administrator!new:
- 0x1b6210:$c1: Elevation:Administrator!new:
- 0x1d2659:$c1: Elevation:Administrator!new:
- 0x351230:$c1: Elevation:Administrator!new:
- 0x36d679:$c1: Elevation:Administrator!new:
|
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | - 0x127d4e:$key: HawkEyeKeylogger
- 0x2c4d6e:$key: HawkEyeKeylogger
- 0x45fd8e:$key: HawkEyeKeylogger
- 0x129fb0:$salt: 099u787978786
- 0x2c6fd0:$salt: 099u787978786
- 0x461ff0:$salt: 099u787978786
- 0x12838f:$string1: HawkEye_Keylogger
- 0x1291e2:$string1: HawkEye_Keylogger
- 0x129f10:$string1: HawkEye_Keylogger
- 0x2c53af:$string1: HawkEye_Keylogger
- 0x2c6202:$string1: HawkEye_Keylogger
- 0x2c6f30:$string1: HawkEye_Keylogger
- 0x4603cf:$string1: HawkEye_Keylogger
- 0x461222:$string1: HawkEye_Keylogger
- 0x461f50:$string1: HawkEye_Keylogger
- 0x128778:$string2: holdermail.txt
- 0x128798:$string2: holdermail.txt
- 0x2c5798:$string2: holdermail.txt
- 0x2c57b8:$string2: holdermail.txt
- 0x4607b8:$string2: holdermail.txt
- 0x4607d8:$string2: holdermail.txt
|
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb38ff:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x25091f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x3eb93f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | - 0x1283e7:$hawkstr1: HawkEye Keylogger
- 0x129228:$hawkstr1: HawkEye Keylogger
- 0x129557:$hawkstr1: HawkEye Keylogger
- 0x1296b2:$hawkstr1: HawkEye Keylogger
- 0x129815:$hawkstr1: HawkEye Keylogger
- 0x129aac:$hawkstr1: HawkEye Keylogger
- 0x2c5407:$hawkstr1: HawkEye Keylogger
- 0x2c6248:$hawkstr1: HawkEye Keylogger
- 0x2c6577:$hawkstr1: HawkEye Keylogger
- 0x2c66d2:$hawkstr1: HawkEye Keylogger
- 0x2c6835:$hawkstr1: HawkEye Keylogger
- 0x2c6acc:$hawkstr1: HawkEye Keylogger
- 0x460427:$hawkstr1: HawkEye Keylogger
- 0x461268:$hawkstr1: HawkEye Keylogger
- 0x461597:$hawkstr1: HawkEye Keylogger
- 0x4616f2:$hawkstr1: HawkEye Keylogger
- 0x461855:$hawkstr1: HawkEye Keylogger
- 0x461aec:$hawkstr1: HawkEye Keylogger
- 0x127f75:$hawkstr2: Dear HawkEye Customers!
- 0x1295aa:$hawkstr2: Dear HawkEye Customers!
- 0x129701:$hawkstr2: Dear HawkEye Customers!
|
(Yara matches table truncated; 584 entries in the full report.)
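Working with this table by eye is error-prone: the strings column spills over several lines, the same rule set recurs for every memory dump, and two string identifiers of one rule can fire at the same offset (here `$c1` is a prefix of `$x3` in `Codoso_Gh0st_1`, so the two hits are one artifact, not two independent indicators). The parser below is an added example, not part of the Joe Sandbox report or of any of the listed YARA rules. It turns the flattened rows into records, lists which rules hit each dump, which string identifiers of a rule fired and at what offsets, and flags identifiers that coincide at one offset. `SAMPLE` is a constructed input made of a few rows copied verbatim from the table above; everything else (function names, record layout) is the example's own choice. One caveat worth reading off the output: the only `Codoso_Gh0st_1` strings shown for these dumps are the `Elevation:Administrator!new:` COM elevation moniker, and the same dumps also hit `JoeSecurity_UACMe`, so that rule's family attribution should be weighed accordingly.

```python
"""Parse a flattened Joe Sandbox 'Yara matches' table into structured records.

Row layout (one record per rule hit):
    <source> | <rule> | <description> | <author> | - 0x<off>:$<id>: <value>
    - 0x<off>:$<id>: <value>        (continuation lines, one per string hit)
    |                               (terminator of the strings cell)
A rule that matched on its condition alone ends the row with ' | |' instead.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied verbatim from the table above.
SAMPLE = """\
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x1b6db:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x37b24:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1b6db:$c1: Elevation:Administrator!new:
- 0x37b24:$c1: Elevation:Administrator!new:
|
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb5dea:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security | |
0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | - 0xb5abe:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x252ade:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
- 0x3edafe:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
|
"""

# "- 0x1b6db:$x3: Elevation:Administrator!new:" -> offset, identifier, matched value
MATCH_RE = re.compile(r"^- 0x([0-9a-f]+):(\$\w+): (.*)$")


def parse_yara_table(text):
    """Return a list of dicts: source, rule, description, author, matches[(offset, ident, value)]."""
    records = []
    current = None  # record whose strings cell is still open
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "|":  # end of a multi-line strings cell
            current = None
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:  # continuation line with another string hit
            current["matches"].append((int(m.group(1), 16), m.group(2), m.group(3)))
            continue
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) < 5:
            continue  # not a table row (headers, residue, orphan lines)
        source, rule, description, author = parts[:4]
        rest = " | ".join(parts[4:])  # tolerate ' | ' inside a matched value
        rec = {"source": source, "rule": rule, "description": description,
               "author": author, "matches": []}
        records.append(rec)
        if rest == "|":  # condition-only hit, no string offsets reported
            current = None
            continue
        m = MATCH_RE.match(rest)
        if m:
            rec["matches"].append((int(m.group(1), 16), m.group(2), m.group(3)))
        current = rec
    return records


def rules_by_source(records):
    """Map each memory dump / file to the sorted list of rules that hit it."""
    out = defaultdict(set)
    for rec in records:
        out[rec["source"]].add(rec["rule"])
    return {src: sorted(rules) for src, rules in out.items()}


def fired_identifiers(records):
    """Map (source, rule) to the sorted set of string identifiers that fired."""
    out = defaultdict(set)
    for rec in records:
        for _, ident, _ in rec["matches"]:
            out[(rec["source"], rec["rule"])].add(ident)
    return {k: sorted(v) for k, v in out.items()}


def offsets_for(records, source, rule, ident):
    """Sorted offsets at which one identifier of one rule hit in one source."""
    return sorted(off for rec in records if rec["source"] == source and rec["rule"] == rule
                  for off, i, _ in rec["matches"] if i == ident)


def coincident_offsets(record):
    """Offsets where two or more identifiers of the same rule fired (one string is a prefix of another)."""
    by_off = defaultdict(set)
    for off, ident, _ in record["matches"]:
        by_off[off].add(ident)
    return {off: sorted(ids) for off, ids in by_off.items() if len(ids) > 1}


if __name__ == "__main__":
    recs = parse_yara_table(SAMPLE)
    for src, rules in rules_by_source(recs).items():
        print(f"{src}: {len(rules)} rules -> {', '.join(rules)}")
    for rec in recs:
        dup = coincident_offsets(rec)
        if dup:
            print(f"{rec['rule']} in {rec['source']}: identifiers coinciding at "
                  + ", ".join(f"{hex(o)} {ids}" for o, ids in sorted(dup.items())))
```

Run it over the whole table (the report's text pasted into a file) rather than the sample to see how many distinct rules each dump hits; a dump that matches HawkEye, AgentTesla, Remcos, AveMaria and UACMe rules at once is a signal to check whether the rules key on shared generic strings before trusting any single family label.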