Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PasswordStealer.NET.bin

Overview

General Information

Sample Name:PasswordStealer.NET.bin (renamed file extension from bin to exe)
Analysis ID:576204
MD5:fb2ca93f987313108abdd4a6d687783a
SHA1:0783b8327a88aff87c627497d4333fd778da59be
SHA256:b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
Infos:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PasswordStealer.NET.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\PasswordStealer.NET.exe" MD5: FB2CA93F987313108ABDD4A6D687783A)
    • AppLaunch.exe (PID: 6788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmpMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
  • 0x878fa:$s1: HawkEye Keylogger
  • 0x87963:$s1: HawkEye Keylogger
  • 0x80d3d:$s2: _ScreenshotLogger
  • 0x80d0a:$s3: _PasswordStealer
0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
    00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmpMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
    • 0x8881a:$s1: HawkEye Keylogger
    • 0x88883:$s1: HawkEye Keylogger
    • 0x81c5d:$s2: _ScreenshotLogger
    • 0x81c2a:$s3: _PasswordStealer
    00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
      0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmpMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
      • 0x878fa:$s1: HawkEye Keylogger
      • 0x87963:$s1: HawkEye Keylogger
      • 0x80d3d:$s2: _ScreenshotLogger
      • 0x80d0a:$s3: _PasswordStealer
      Click to see the 23 entries
      SourceRuleDescriptionAuthorStrings
      12.3.AppLaunch.exe.8b2db5a.1.raw.unpackAPT_NK_BabyShark_KimJoingRAT_Apr19_1Detects BabyShark KimJongRATFlorian Roth
      • 0x131b0:$a1: logins.json
      • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
      • 0x13934:$s4: \mozsqlite3.dll
      • 0x121a4:$s5: SMTP Password
      12.3.AppLaunch.exe.8b2db5a.1.raw.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
        12.2.AppLaunch.exe.bc0834a.1.unpackAPT_NK_BabyShark_KimJoingRAT_Apr19_1Detects BabyShark KimJongRATFlorian Roth
        • 0x11bb0:$a1: logins.json
        • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
        • 0x12334:$s4: \mozsqlite3.dll
        • 0x115a4:$s5: SMTP Password
        12.2.AppLaunch.exe.bc0834a.1.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          12.2.AppLaunch.exe.bc0834a.1.raw.unpackAPT_NK_BabyShark_KimJoingRAT_Apr19_1Detects BabyShark KimJongRATFlorian Roth
          • 0x131b0:$a1: logins.json
          • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
          • 0x13934:$s4: \mozsqlite3.dll
          • 0x121a4:$s5: SMTP Password
          Click to see the 88 entries
          No Sigma rule has matched

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: PasswordStealer.NET.exeVirustotal: Detection: 85%Perma Link
          Source: PasswordStealer.NET.exeMetadefender: Detection: 68%Perma Link
          Source: PasswordStealer.NET.exeReversingLabs: Detection: 89%
          Source: PasswordStealer.NET.exeAvira: detected
          Source: https://a.pomf.cat/Avira URL Cloud: Label: phishing
          Source: http://pomf.cat/upload.phpVirustotal: Detection: 7%Perma Link
          Source: PasswordStealer.NET.exeJoe Sandbox ML: detected
          Source: 12.0.AppLaunch.exe.400000.3.unpackAvira: Label: TR/Dropper.Gen
          Source: 12.0.AppLaunch.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
          Source: 12.2.AppLaunch.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
          Source: 12.0.AppLaunch.exe.400000.2.unpackAvira: Label: TR/Dropper.Gen
          Source: 12.0.AppLaunch.exe.400000.1.unpackAvira: Label: TR/Dropper.Gen
          Source: 12.0.AppLaunch.exe.400000.4.unpackAvira: Label: TR/Dropper.Gen
          Source: PasswordStealer.NET.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: PasswordStealer.NET.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: robo.pdb source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp

          Networking

          barindex
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeDNS query: name: bot.whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeDNS query: name: bot.whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeDNS query: name: bot.whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeDNS query: name: bot.whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeDNS query: name: bot.whatismyipaddress.com
          Source: unknownDNS traffic detected: query: 202.200.1.0.in-addr.arpa replaycode: Name error (3)
          Source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
          Source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
          Source: AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bot.whatismyipaddress.com
          Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bot.whatismyipaddress.com/
          Source: AppLaunch.exe, 0000000C.00000002.376545778.0000000007322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bot.whatismyipaddress.com4
          Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pomf.cat/upload.php
          Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
          Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
          Source: AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
          Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://a.pomf.cat/
          Source: unknownDNS traffic detected: queries for: 202.200.1.0.in-addr.arpa

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          barindex
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
          Source: PasswordStealer.NET.exe, 00000001.00000002.365348911.00000000010F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          System Summary

          barindex
          Source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEyeV9 payload Author: ditekshen
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTRMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTRMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: PasswordStealer.NET.exe, y/n.csLarge array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
          Source: 1.0.PasswordStealer.NET.exe.9a0000.0.unpack, y/n.csLarge array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
          Source: 1.2.PasswordStealer.NET.exe.9a0000.0.unpack, y/n.csLarge array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
          Source: PasswordStealer.NET.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_009A46281_2_009A4628
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_009A45501_2_009A4550
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013FD9B81_2_013FD9B8
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeCode function: 1_2_013FD9B3