Source | Rule | Description | Author | Strings
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2c1f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2c1f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2c1f0:$c1: Elevation:Administrator!new:
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x266e0:$a1: \Opera Software\Opera Stable\Login Data
- 0x269e0:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x261d8:$a3: \Google\Chrome\User Data\Default\Login Data
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x28a55:$r1: Classes\Folder\shell\open\command
- 0x28ab9:$r1: Classes\Folder\shell\open\command
- 0x28b0d:$r1: Classes\Folder\shell\open\command
- 0x28b85:$r1: Classes\Folder\shell\open\command
- 0x28adc:$k1: DelegateExecute
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x28014:$s1: RDPClip
- 0x28cf4:$s2: Grabber
- 0x28d04:$s2: Grabber
- 0x28600:$s3: Ave_Maria Stealer OpenSource
- 0x285b8:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x2c310:$s6: /n:%temp%\ellocnak.xml
- 0x2c340:$s7: Hey I'm Admin
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x28d14:$pwsh: powershell
- 0x2553b:$s2: User-Agent:
- 0x2587c:$s4: LdrLoadDll
- 0x28508:$s4: LdrLoadDll
- 0x250c4:$v6: start
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x28948:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x271ac:$a2: SMTP Password
- 0x25d78:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x2c1f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x28838:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x26a38:$a6: \Torch\User Data\Default\Login Data
- 0x2c310:$a7: /n:%temp%\ellocnak.xml
- 0x2c340:$a9: Hey I'm Admin
- 0x26f84:$a10: \logins.json
- 0x2708c:$a10: \logins.json
- 0x27970:$a11: Accounts\Account.rec0
- 0x28600:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack | AveMaria_WarZone | unknown | unknown | - 0x28948:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x285e4:$str2: MsgBox.exe
- 0x28a24:$str4: \System32\cmd.exe
- 0x28600:$str6: Ave_Maria
- 0x27b98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x271ac:$str8: SMTP Password
- 0x261d8:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x27b44:$str12: \sqlmap.dll
- 0x27b5c:$str12: \sqlmap.dll
- 0x2c1f0:$str16: Elevation:Administrator!new
- 0x2c310:$str17: /n:%temp%
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5120:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5120:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2318:$c1: Elevation:Administrator!new:
- 0x5120:$c1: Elevation:Administrator!new:
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df8cd0.5.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2318:$c1: Elevation:Administrator!new:
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xb18:$c1: Elevation:Administrator!new:
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5704c:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5704c:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5704c:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x51524:$a1: \Opera Software\Opera Stable\Login Data
- 0x51824:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x5101c:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x53899:$r1: Classes\Folder\shell\open\command
- 0x538fd:$r1: Classes\Folder\shell\open\command
- 0x53951:$r1: Classes\Folder\shell\open\command
- 0x539c9:$r1: Classes\Folder\shell\open\command
- 0x53920:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x52e58:$s1: RDPClip
- 0x53b38:$s2: Grabber
- 0x53b48:$s2: Grabber
- 0x53444:$s3: Ave_Maria Stealer OpenSource
- 0x533fc:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x5716c:$s6: /n:%temp%\ellocnak.xml
- 0x5719c:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x53b58:$pwsh: powershell
- 0x5037f:$s2: User-Agent:
- 0x506c0:$s4: LdrLoadDll
- 0x5334c:$s4: LdrLoadDll
- 0x4ff08:$v6: start
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x5378c:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x51ff0:$a2: SMTP Password
- 0x50bbc:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x5704c:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5367c:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x5187c:$a6: \Torch\User Data\Default\Login Data
- 0x5716c:$a7: /n:%temp%\ellocnak.xml
- 0x5719c:$a9: Hey I'm Admin
- 0x51dc8:$a10: \logins.json
- 0x51ed0:$a10: \logins.json
- 0x527b4:$a11: Accounts\Account.rec0
- 0x53444:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x441:$r1: Classes\Folder\shell\open\command
- 0x495:$r1: Classes\Folder\shell\open\command
- 0x50d:$r1: Classes\Folder\shell\open\command
- 0x464:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x60098:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x60098:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x60098:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x5a570:$a1: \Opera Software\Opera Stable\Login Data
- 0x5a870:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x5a068:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x5c8e5:$r1: Classes\Folder\shell\open\command
- 0x5c949:$r1: Classes\Folder\shell\open\command
- 0x5c99d:$r1: Classes\Folder\shell\open\command
- 0x5ca15:$r1: Classes\Folder\shell\open\command
- 0x5c96c:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x5bea4:$s1: RDPClip
- 0x5cb84:$s2: Grabber
- 0x5cb94:$s2: Grabber
- 0x5c490:$s3: Ave_Maria Stealer OpenSource
- 0x5c448:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x601b8:$s6: /n:%temp%\ellocnak.xml
- 0x601e8:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x5cba4:$pwsh: powershell
- 0x593cb:$s2: User-Agent:
- 0x5970c:$s4: LdrLoadDll
- 0x5c398:$s4: LdrLoadDll
- 0x58f54:$v6: start
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x5c7d8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x5b03c:$a2: SMTP Password
- 0x59c08:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x60098:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5c6c8:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x5a8c8:$a6: \Torch\User Data\Default\Login Data
- 0x601b8:$a7: /n:%temp%\ellocnak.xml
- 0x601e8:$a9: Hey I'm Admin
- 0x5ae14:$a10: \logins.json
- 0x5af1c:$a10: \logins.json
- 0x5b800:$a11: Accounts\Account.rec0
- 0x5c490:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2c1f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2c1f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2c1f0:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x266e0:$a1: \Opera Software\Opera Stable\Login Data
- 0x269e0:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x261d8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x28a55:$r1: Classes\Folder\shell\open\command
- 0x28ab9:$r1: Classes\Folder\shell\open\command
- 0x28b0d:$r1: Classes\Folder\shell\open\command
- 0x28b85:$r1: Classes\Folder\shell\open\command
- 0x28adc:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x28014:$s1: RDPClip
- 0x28cf4:$s2: Grabber
- 0x28d04:$s2: Grabber
- 0x28600:$s3: Ave_Maria Stealer OpenSource
- 0x285b8:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x2c310:$s6: /n:%temp%\ellocnak.xml
- 0x2c340:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x28d14:$pwsh: powershell
- 0x2553b:$s2: User-Agent:
- 0x2587c:$s4: LdrLoadDll
- 0x28508:$s4: LdrLoadDll
- 0x250c4:$v6: start
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x28948:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x271ac:$a2: SMTP Password
- 0x25d78:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x2c1f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x28838:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x26a38:$a6: \Torch\User Data\Default\Login Data
- 0x2c310:$a7: /n:%temp%\ellocnak.xml
- 0x2c340:$a9: Hey I'm Admin
- 0x26f84:$a10: \logins.json
- 0x2708c:$a10: \logins.json
- 0x27970:$a11: Accounts\Account.rec0
- 0x28600:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x28948:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x285e4:$str2: MsgBox.exe
- 0x28a24:$str4: \System32\cmd.exe
- 0x28600:$str6: Ave_Maria
- 0x27b98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x271ac:$str8: SMTP Password
- 0x261d8:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x27b44:$str12: \sqlmap.dll
- 0x27b5c:$str12: \sqlmap.dll
- 0x2c1f0:$str16: Elevation:Administrator!new
- 0x2c310:$str17: /n:%temp%
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x12e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x15e8:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0xde0:$a3: \Google\Chrome\User Data\Default\Login Data
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x365d:$r1: Classes\Folder\shell\open\command
- 0x36c1:$r1: Classes\Folder\shell\open\command
- 0x3715:$r1: Classes\Folder\shell\open\command
- 0x378d:$r1: Classes\Folder\shell\open\command
- 0x36e4:$k1: DelegateExecute
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x3550:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1db4:$a2: SMTP Password
- 0x980:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x3440:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x1640:$a6: \Torch\User Data\Default\Login Data
- 0x1b8c:$a10: \logins.json
- 0x1c94:$a10: \logins.json
- 0x2578:$a11: Accounts\Account.rec0
- 0x3208:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack | AveMaria_WarZone | unknown | unknown | - 0x3550:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x31ec:$str2: MsgBox.exe
- 0x362c:$str4: \System32\cmd.exe
- 0x3208:$str6: Ave_Maria
- 0x27a0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x1db4:$str8: SMTP Password
- 0xde0:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x274c:$str12: \sqlmap.dll
- 0x2764:$str12: \sqlmap.dll
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x12e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x15e8:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0xde0:$a3: \Google\Chrome\User Data\Default\Login Data
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x365d:$r1: Classes\Folder\shell\open\command
- 0x36c1:$r1: Classes\Folder\shell\open\command
- 0x3715:$r1: Classes\Folder\shell\open\command
- 0x378d:$r1: Classes\Folder\shell\open\command
- 0x36e4:$k1: DelegateExecute
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x3550:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1db4:$a2: SMTP Password
- 0x980:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x3440:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x1640:$a6: \Torch\User Data\Default\Login Data
- 0x1b8c:$a10: \logins.json
- 0x1c94:$a10: \logins.json
- 0x2578:$a11: Accounts\Account.rec0
- 0x3208:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack | AveMaria_WarZone | unknown | unknown | - 0x3550:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x31ec:$str2: MsgBox.exe
- 0x362c:$str4: \System32\cmd.exe
- 0x3208:$str6: Ave_Maria
- 0x27a0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x1db4:$str8: SMTP Password
- 0xde0:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x274c:$str12: \sqlmap.dll
- 0x2764:$str12: \sqlmap.dll
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x97610:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x97610:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x91b00:$a1: \Opera Software\Opera Stable\Login Data
- 0x91e00:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x915f8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x93e75:$r1: Classes\Folder\shell\open\command
- 0x93ed9:$r1: Classes\Folder\shell\open\command
- 0x93f2d:$r1: Classes\Folder\shell\open\command
- 0x93fa5:$r1: Classes\Folder\shell\open\command
- 0x93efc:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x93434:$s1: RDPClip
- 0x94114:$s2: Grabber
- 0x94124:$s2: Grabber
- 0x93a20:$s3: Ave_Maria Stealer OpenSource
- 0x939d8:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x97730:$s6: /n:%temp%\ellocnak.xml
- 0x97760:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x94134:$pwsh: powershell
- 0x9095b:$s2: User-Agent:
- 0x90c9c:$s4: LdrLoadDll
- 0x93928:$s4: LdrLoadDll
- 0x904e4:$v6: start
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x93d68:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x925cc:$a2: SMTP Password
- 0x91198:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x97610:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x93c58:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x91e58:$a6: \Torch\User Data\Default\Login Data
- 0x97730:$a7: /n:%temp%\ellocnak.xml
- 0x97760:$a9: Hey I'm Admin
- 0x923a4:$a10: \logins.json
- 0x924ac:$a10: \logins.json
- 0x92d90:$a11: Accounts\Account.rec0
- 0x93a20:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x3b88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x3b88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
- 0x3b88:$c1: Elevation:Administrator!new:
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x1ee8:$a1: \Opera Software\Opera Stable\Login Data
- 0x21e8:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x19e0:$a3: \Google\Chrome\User Data\Default\Login Data
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x425d:$r1: Classes\Folder\shell\open\command
- 0x42c1:$r1: Classes\Folder\shell\open\command
- 0x4315:$r1: Classes\Folder\shell\open\command
- 0x438d:$r1: Classes\Folder\shell\open\command
- 0x42e4:$k1: DelegateExecute
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x451c:$pwsh: powershell
- 0xd43:$s2: User-Agent:
- 0x1084:$s4: LdrLoadDll
- 0x3d10:$s4: LdrLoadDll
- 0x8cc:$v6: start
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x4150:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x29b4:$a2: SMTP Password
- 0x1580:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x4040:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x2240:$a6: \Torch\User Data\Default\Login Data
- 0x278c:$a10: \logins.json
- 0x2894:$a10: \logins.json
- 0x3178:$a11: Accounts\Account.rec0
- 0x3e08:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x4150:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x3dec:$str2: MsgBox.exe
- 0x422c:$str4: \System32\cmd.exe
- 0x3e08:$str6: Ave_Maria
- 0x33a0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x29b4:$str8: SMTP Password
- 0x19e0:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x334c:$str12: \sqlmap.dll
- 0x3364:$str12: \sqlmap.dll
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x144144:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x144144:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x140991:$r1: Classes\Folder\shell\open\command
- 0x1409f5:$r1: Classes\Folder\shell\open\command
- 0x140a49:$r1: Classes\Folder\shell\open\command
- 0x140ac1:$r1: Classes\Folder\shell\open\command
- 0x140a18:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | - 0x1d78a:$v1: SbieDll.dll
- 0x1d7a4:$v2: USER
- 0x1d7b0:$v3: SANDBOX
- 0x1d7c2:$v4: VIRUS
- 0x1d812:$v4: VIRUS
- 0x1d7d0:$v5: MALWARE
- 0x1d7e2:$v6: SCHMIDTI
- 0x1d7f6:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x13ff50:$s1: RDPClip
- 0x140c30:$s2: Grabber
- 0x140c40:$s2: Grabber
- 0x14053c:$s3: Ave_Maria Stealer OpenSource
- 0x1404f4:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x144264:$s6: /n:%temp%\ellocnak.xml
- 0x144294:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x140c50:$pwsh: powershell
- 0x13d477:$s2: User-Agent:
- 0x13d7b8:$s4: LdrLoadDll
- 0x140444:$s4: LdrLoadDll
- 0x13d000:$v6: start
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x140884:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x13f0e8:$a2: SMTP Password
- 0x13dcb4:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x144144:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x140774:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x13e974:$a6: \Torch\User Data\Default\Login Data
- 0x144264:$a7: /n:%temp%\ellocnak.xml
- 0x144294:$a9: Hey I'm Admin
- 0x13eec0:$a10: \logins.json
- 0x13efc8:$a10: \logins.json
- 0x13f8ac:$a11: Accounts\Account.rec0
- 0x14053c:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
5.2.hAwKqJPm.exe.2bad884.5.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5e230:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
5.2.hAwKqJPm.exe.2bad884.5.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5e230:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5e230:$c1: Elevation:Administrator!new:
5.2.hAwKqJPm.exe.2bad884.5.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x58708:$a1: \Opera Software\Opera Stable\Login Data
- 0x58a08:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x58200:$a3: \Google\Chrome\User Data\Default\Login Data
5.2.hAwKqJPm.exe.2bad884.5.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
5.2.hAwKqJPm.exe.2bad884.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
5.2.hAwKqJPm.exe.2bad884.5.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
5.2.hAwKqJPm.exe.2bad884.5.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x5aa7d:$r1: Classes\Folder\shell\open\command
- 0x5aae1:$r1: Classes\Folder\shell\open\command
- 0x5ab35:$r1: Classes\Folder\shell\open\command
- 0x5abad:$r1: Classes\Folder\shell\open\command
- 0x5ab04:$k1: DelegateExecute
|
5.2.hAwKqJPm.exe.2bad884.5.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x5a03c:$s1: RDPClip
- 0x5ad1c:$s2: Grabber
- 0x5ad2c:$s2: Grabber
- 0x5a628:$s3: Ave_Maria Stealer OpenSource
- 0x5a5e0:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x5e350:$s6: /n:%temp%\ellocnak.xml
- 0x5e380:$s7: Hey I'm Admin
|
5.2.hAwKqJPm.exe.2bad884.5.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x5ad3c:$pwsh: powershell
- 0x57563:$s2: User-Agent:
- 0x578a4:$s4: LdrLoadDll
- 0x5a530:$s4: LdrLoadDll
- 0x570ec:$v6: start
|
5.2.hAwKqJPm.exe.2bad884.5.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x5a970:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x591d4:$a2: SMTP Password
- 0x57da0:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x5e230:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5a860:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x58a60:$a6: \Torch\User Data\Default\Login Data
- 0x5e350:$a7: /n:%temp%\ellocnak.xml
- 0x5e380:$a9: Hey I'm Admin
- 0x58fac:$a10: \logins.json
- 0x590b4:$a10: \logins.json
- 0x59998:$a11: Accounts\Account.rec0
- 0x5a628:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5e298:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x5e298:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5e298:$c1: Elevation:Administrator!new:
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x58770:$a1: \Opera Software\Opera Stable\Login Data
- 0x58a70:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x58268:$a3: \Google\Chrome\User Data\Default\Login Data
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x58e4c:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x58e4c:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x58e4c:$c1: Elevation:Administrator!new:
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x5aae5:$r1: Classes\Folder\shell\open\command
- 0x5ab49:$r1: Classes\Folder\shell\open\command
- 0x5ab9d:$r1: Classes\Folder\shell\open\command
- 0x5ac15:$r1: Classes\Folder\shell\open\command
- 0x5ab6c:$k1: DelegateExecute
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x5a0a4:$s1: RDPClip
- 0x5ad84:$s2: Grabber
- 0x5ad94:$s2: Grabber
- 0x5a690:$s3: Ave_Maria Stealer OpenSource
- 0x5a648:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x5e3b8:$s6: /n:%temp%\ellocnak.xml
- 0x5e3e8:$s7: Hey I'm Admin
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x5ada4:$pwsh: powershell
- 0x575cb:$s2: User-Agent:
- 0x5790c:$s4: LdrLoadDll
- 0x5a598:$s4: LdrLoadDll
- 0x57154:$v6: start
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x53324:$a1: \Opera Software\Opera Stable\Login Data
- 0x53624:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x52e1c:$a3: \Google\Chrome\User Data\Default\Login Data
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x5a9d8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x5923c:$a2: SMTP Password
- 0x57e08:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x5e298:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5a8c8:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x58ac8:$a6: \Torch\User Data\Default\Login Data
- 0x5e3b8:$a7: /n:%temp%\ellocnak.xml
- 0x5e3e8:$a9: Hey I'm Admin
- 0x59014:$a10: \logins.json
- 0x5911c:$a10: \logins.json
- 0x59a00:$a11: Accounts\Account.rec0
- 0x5a690:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x55699:$r1: Classes\Folder\shell\open\command
- 0x556fd:$r1: Classes\Folder\shell\open\command
- 0x55751:$r1: Classes\Folder\shell\open\command
- 0x557c9:$r1: Classes\Folder\shell\open\command
- 0x55720:$k1: DelegateExecute
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x54c58:$s1: RDPClip
- 0x55938:$s2: Grabber
- 0x55948:$s2: Grabber
- 0x55244:$s3: Ave_Maria Stealer OpenSource
- 0x551fc:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x58f6c:$s6: /n:%temp%\ellocnak.xml
- 0x58f9c:$s7: Hey I'm Admin
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x55958:$pwsh: powershell
- 0x5217f:$s2: User-Agent:
- 0x524c0:$s4: LdrLoadDll
- 0x5514c:$s4: LdrLoadDll
- 0x51d08:$v6: start
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x5558c:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x53df0:$a2: SMTP Password
- 0x529bc:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x58e4c:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5547c:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x5367c:$a6: \Torch\User Data\Default\Login Data
- 0x58f6c:$a7: /n:%temp%\ellocnak.xml
- 0x58f9c:$a9: Hey I'm Admin
- 0x53bc8:$a10: \logins.json
- 0x53cd0:$a10: \logins.json
- 0x545b4:$a11: Accounts\Account.rec0
- 0x55244:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x5558c:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x55228:$str2: MsgBox.exe
- 0x55668:$str4: \System32\cmd.exe
- 0x55244:$str6: Ave_Maria
- 0x547dc:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x53df0:$str8: SMTP Password
- 0x52e1c:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x54788:$str12: \sqlmap.dll
- 0x547a0:$str12: \sqlmap.dll
- 0x58e4c:$str16: Elevation:Administrator!new
- 0x58f6c:$str17: /n:%temp%
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2a9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2a9f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2a9f0:$c1: Elevation:Administrator!new:
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x252e0:$a1: \Opera Software\Opera Stable\Login Data
- 0x255e0:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x24dd8:$a3: \Google\Chrome\User Data\Default\Login Data
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x27655:$r1: Classes\Folder\shell\open\command
- 0x276b9:$r1: Classes\Folder\shell\open\command
- 0x2770d:$r1: Classes\Folder\shell\open\command
- 0x27785:$r1: Classes\Folder\shell\open\command
- 0x276dc:$k1: DelegateExecute
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x26c14:$s1: RDPClip
- 0x278f4:$s2: Grabber
- 0x27904:$s2: Grabber
- 0x27200:$s3: Ave_Maria Stealer OpenSource
- 0x271b8:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x2ab10:$s6: /n:%temp%\ellocnak.xml
- 0x2ab40:$s7: Hey I'm Admin
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x27914:$pwsh: powershell
- 0x2493b:$s2: User-Agent:
- 0x27108:$s4: LdrLoadDll
- 0x244c4:$v6: start
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x27548:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x25dac:$a2: SMTP Password
- 0x2a9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x27438:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x25638:$a6: \Torch\User Data\Default\Login Data
- 0x2ab10:$a7: /n:%temp%\ellocnak.xml
- 0x2ab40:$a9: Hey I'm Admin
- 0x25b84:$a10: \logins.json
- 0x25c8c:$a10: \logins.json
- 0x26570:$a11: Accounts\Account.rec0
- 0x27200:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack | AveMaria_WarZone | unknown | unknown | - 0x27548:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x271e4:$str2: MsgBox.exe
- 0x27624:$str4: \System32\cmd.exe
- 0x27200:$str6: Ave_Maria
- 0x26798:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x25dac:$str8: SMTP Password
- 0x24dd8:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x26744:$str12: \sqlmap.dll
- 0x2675c:$str12: \sqlmap.dll
- 0x2a9f0:$str16: Elevation:Administrator!new
- 0x2ab10:$str17: /n:%temp%
|
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x56fe4:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x56fe4:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x56fe4:$c1: Elevation:Administrator!new:
|
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x514bc:$a1: \Opera Software\Opera Stable\Login Data
- 0x517bc:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x50fb4:$a3: \Google\Chrome\User Data\Default\Login Data
|
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x53831:$r1: Classes\Folder\shell\open\command
- 0x53895:$r1: Classes\Folder\shell\open\command
- 0x538e9:$r1: Classes\Folder\shell\open\command
- 0x53961:$r1: Classes\Folder\shell\open\command
- 0x538b8:$k1: DelegateExecute
|
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x52df0:$s1: RDPClip
- 0x53ad0:$s2: Grabber
- 0x53ae0:$s2: Grabber
- 0x533dc:$s3: Ave_Maria Stealer OpenSource
- 0x53394:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x57104:$s6: /n:%temp%\ellocnak.xml
- 0x57134:$s7: Hey I'm Admin
|
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x53af0:$pwsh: powershell
- 0x50317:$s2: User-Agent:
- 0x50658:$s4: LdrLoadDll
- 0x532e4:$s4: LdrLoadDll
- 0x4fea0:$v6: start
|
5.2.hAwKqJPm.exe.2bb4ad0.7.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x53724:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x51f88:$a2: SMTP Password
- 0x50b54:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x56fe4:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x53614:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x51814:$a6: \Torch\User Data\Default\Login Data
- 0x57104:$a7: /n:%temp%\ellocnak.xml
- 0x57134:$a9: Hey I'm Admin
- 0x51d60:$a10: \logins.json
- 0x51e68:$a10: \logins.json
- 0x5274c:$a11: Accounts\Account.rec0
- 0x533dc:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x58de4:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x58de4:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x58de4:$c1: Elevation:Administrator!new:
|
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x532bc:$a1: \Opera Software\Opera Stable\Login Data
- 0x535bc:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x52db4:$a3: \Google\Chrome\User Data\Default\Login Data
|
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x55631:$r1: Classes\Folder\shell\open\command
- 0x55695:$r1: Classes\Folder\shell\open\command
- 0x556e9:$r1: Classes\Folder\shell\open\command
- 0x55761:$r1: Classes\Folder\shell\open\command
- 0x556b8:$k1: DelegateExecute
|
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x54bf0:$s1: RDPClip
- 0x558d0:$s2: Grabber
- 0x558e0:$s2: Grabber
- 0x551dc:$s3: Ave_Maria Stealer OpenSource
- 0x55194:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x58f04:$s6: /n:%temp%\ellocnak.xml
- 0x58f34:$s7: Hey I'm Admin
|
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x558f0:$pwsh: powershell
- 0x52117:$s2: User-Agent:
- 0x52458:$s4: LdrLoadDll
- 0x550e4:$s4: LdrLoadDll
- 0x51ca0:$v6: start
|
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x55524:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x53d88:$a2: SMTP Password
- 0x52954:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x58de4:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x55414:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x53614:$a6: \Torch\User Data\Default\Login Data
- 0x58f04:$a7: /n:%temp%\ellocnak.xml
- 0x58f34:$a9: Hey I'm Admin
- 0x53b60:$a10: \logins.json
- 0x53c68:$a10: \logins.json
- 0x5454c:$a11: Accounts\Account.rec0
- 0x551dc:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x55524:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x551c0:$str2: MsgBox.exe
- 0x55600:$str4: \System32\cmd.exe
- 0x551dc:$str6: Ave_Maria
- 0x54774:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x53d88:$str8: SMTP Password
- 0x52db4:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x54720:$str12: \sqlmap.dll
- 0x54738:$str12: \sqlmap.dll
- 0x58de4:$str16: Elevation:Administrator!new
- 0x58f04:$str17: /n:%temp%
|
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x60030:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x60030:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x60030:$c1: Elevation:Administrator!new:
|
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x5a508:$a1: \Opera Software\Opera Stable\Login Data
- 0x5a808:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x5a000:$a3: \Google\Chrome\User Data\Default\Login Data
|
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x5c87d:$r1: Classes\Folder\shell\open\command
- 0x5c8e1:$r1: Classes\Folder\shell\open\command
- 0x5c935:$r1: Classes\Folder\shell\open\command
- 0x5c9ad:$r1: Classes\Folder\shell\open\command
- 0x5c904:$k1: DelegateExecute
|
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x5be3c:$s1: RDPClip
- 0x5cb1c:$s2: Grabber
- 0x5cb2c:$s2: Grabber
- 0x5c428:$s3: Ave_Maria Stealer OpenSource
- 0x5c3e0:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x60150:$s6: /n:%temp%\ellocnak.xml
- 0x60180:$s7: Hey I'm Admin
|
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x5cb3c:$pwsh: powershell
- 0x59363:$s2: User-Agent:
- 0x596a4:$s4: LdrLoadDll
- 0x5c330:$s4: LdrLoadDll
- 0x58eec:$v6: start
|
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x12e8:$a1: \Opera Software\Opera Stable\Login Data
- 0x15e8:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0xde0:$a3: \Google\Chrome\User Data\Default\Login Data
|
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x5c770:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x5afd4:$a2: SMTP Password
- 0x59ba0:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x60030:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x5c660:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x5a860:$a6: \Torch\User Data\Default\Login Data
- 0x60150:$a7: /n:%temp%\ellocnak.xml
- 0x60180:$a9: Hey I'm Admin
- 0x5adac:$a10: \logins.json
- 0x5aeb4:$a10: \logins.json
- 0x5b798:$a11: Accounts\Account.rec0
- 0x5c428:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
5.2.hAwKqJPm.exe.2bad884.5.raw.unpack | AveMaria_WarZone | unknown | unknown | - 0x5c770:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x5c40c:$str2: MsgBox.exe
- 0x5c84c:$str4: \System32\cmd.exe
- 0x5c428:$str6: Ave_Maria
- 0x5b9c0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x5afd4:$str8: SMTP Password
- 0x5a000:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x5b96c:$str12: \sqlmap.dll
- 0x5b984:$str12: \sqlmap.dll
- 0x60030:$str16: Elevation:Administrator!new
- 0x60150:$str17: /n:%temp%
|
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x365d:$r1: Classes\Folder\shell\open\command
- 0x36c1:$r1: Classes\Folder\shell\open\command
- 0x3715:$r1: Classes\Folder\shell\open\command
- 0x378d:$r1: Classes\Folder\shell\open\command
- 0x36e4:$k1: DelegateExecute
|
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x3550:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x1db4:$a2: SMTP Password
- 0x980:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x3440:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x1640:$a6: \Torch\User Data\Default\Login Data
- 0x1b8c:$a10: \logins.json
- 0x1c94:$a10: \logins.json
- 0x2578:$a11: Accounts\Account.rec0
- 0x3208:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack | AveMaria_WarZone | unknown | unknown | - 0x3550:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x31ec:$str2: MsgBox.exe
- 0x362c:$str4: \System32\cmd.exe
- 0x3208:$str6: Ave_Maria
- 0x27a0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x1db4:$str8: SMTP Password
- 0xde0:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x274c:$str12: \sqlmap.dll
- 0x2764:$str12: \sqlmap.dll
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2a9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2a9f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2a9f0:$c1: Elevation:Administrator!new:
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | - 0x252e0:$a1: \Opera Software\Opera Stable\Login Data
- 0x255e0:$a2: \Comodo\Dragon\User Data\Default\Login Data
- 0x24dd8:$a3: \Google\Chrome\User Data\Default\Login Data
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x27655:$r1: Classes\Folder\shell\open\command
- 0x276b9:$r1: Classes\Folder\shell\open\command
- 0x2770d:$r1: Classes\Folder\shell\open\command
- 0x27785:$r1: Classes\Folder\shell\open\command
- 0x276dc:$k1: DelegateExecute
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x26c14:$s1: RDPClip
- 0x278f4:$s2: Grabber
- 0x27904:$s2: Grabber
- 0x27200:$s3: Ave_Maria Stealer OpenSource
- 0x271b8:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x2ab10:$s6: /n:%temp%\ellocnak.xml
- 0x2ab40:$s7: Hey I'm Admin
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x27914:$pwsh: powershell
- 0x2493b:$s2: User-Agent:
- 0x27108:$s4: LdrLoadDll
- 0x244c4:$v6: start
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x27548:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x25dac:$a2: SMTP Password
- 0x2a9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x27438:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x25638:$a6: \Torch\User Data\Default\Login Data
- 0x2ab10:$a7: /n:%temp%\ellocnak.xml
- 0x2ab40:$a9: Hey I'm Admin
- 0x25b84:$a10: \logins.json
- 0x25c8c:$a10: \logins.json
- 0x26570:$a11: Accounts\Account.rec0
- 0x27200:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack | AveMaria_WarZone | unknown | unknown | - 0x27548:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x271e4:$str2: MsgBox.exe
- 0x27624:$str4: \System32\cmd.exe
- 0x27200:$str6: Ave_Maria
- 0x26798:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- 0x25dac:$str8: SMTP Password
- 0x24dd8:$str11: \Google\Chrome\User Data\Default\Login Data
- 0x26744:$str12: \sqlmap.dll
- 0x2675c:$str12: \sqlmap.dll
- 0x2a9f0:$str16: Elevation:Administrator!new
- 0x2ab10:$str17: /n:%temp%
|
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x10ebf8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x10ebf8:$c1: Elevation:Administrator!new:
|
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x10b445:$r1: Classes\Folder\shell\open\command
- 0x10b4a9:$r1: Classes\Folder\shell\open\command
- 0x10b4fd:$r1: Classes\Folder\shell\open\command
- 0x10b575:$r1: Classes\Folder\shell\open\command
- 0x10b4cc:$k1: DelegateExecute
|
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | - 0x1a0ce:$v1: SbieDll.dll
- 0x1a0e8:$v2: USER
- 0x1a0f4:$v3: SANDBOX
- 0x1a106:$v4: VIRUS
- 0x1a156:$v4: VIRUS
- 0x1a114:$v5: MALWARE
- 0x1a126:$v6: SCHMIDTI
- 0x1a13a:$v7: CURRENTUSER
|
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x10aa04:$s1: RDPClip
- 0x10b6e4:$s2: Grabber
- 0x10b6f4:$s2: Grabber
- 0x10aff0:$s3: Ave_Maria Stealer OpenSource
- 0x10afa8:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x10ed18:$s6: /n:%temp%\ellocnak.xml
- 0x10ed48:$s7: Hey I'm Admin
|
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x10b704:$pwsh: powershell
- 0x107f2b:$s2: User-Agent:
- 0x10826c:$s4: LdrLoadDll
- 0x10aef8:$s4: LdrLoadDll
- 0x107ab4:$v6: start
|
5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x10b338:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x109b9c:$a2: SMTP Password
- 0x108768:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x10ebf8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x10b228:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x109428:$a6: \Torch\User Data\Default\Login Data
- 0x10ed18:$a7: /n:%temp%\ellocnak.xml
- 0x10ed48:$a9: Hey I'm Admin
- 0x109974:$a10: \logins.json
- 0x109a7c:$a10: \logins.json
- 0x10a360:$a11: Accounts\Account.rec0
- 0x10aff0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x2c1f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x2c1f0:$c1: Elevation:Administrator!new:
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x28a55:$r1: Classes\Folder\shell\open\command
- 0x28ab9:$r1: Classes\Folder\shell\open\command
- 0x28b0d:$r1: Classes\Folder\shell\open\command
- 0x28b85:$r1: Classes\Folder\shell\open\command
- 0x28adc:$k1: DelegateExecute
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x28014:$s1: RDPClip
- 0x28cf4:$s2: Grabber
- 0x28d04:$s2: Grabber
- 0x28600:$s3: Ave_Maria Stealer OpenSource
- 0x285b8:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x2c310:$s6: /n:%temp%\ellocnak.xml
- 0x2c340:$s7: Hey I'm Admin
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x28d14:$pwsh: powershell
- 0x2553b:$s2: User-Agent:
- 0x2587c:$s4: LdrLoadDll
- 0x28508:$s4: LdrLoadDll
- 0x250c4:$v6: start
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x28948:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x271ac:$a2: SMTP Password
- 0x25d78:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x2c1f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x28838:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x26a38:$a6: \Torch\User Data\Default\Login Data
- 0x2c310:$a7: /n:%temp%\ellocnak.xml
- 0x2c340:$a9: Hey I'm Admin
- 0x26f84:$a10: \logins.json
- 0x2708c:$a10: \logins.json
- 0x27970:$a11: Accounts\Account.rec0
- 0x28600:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.464c000.10.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0xd80:$c1: Elevation:Administrator!new:
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.464c000.10.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x7c210:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x7c210:$c1: Elevation:Administrator!new:
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x78a75:$r1: Classes\Folder\shell\open\command
- 0x78ad9:$r1: Classes\Folder\shell\open\command
- 0x78b2d:$r1: Classes\Folder\shell\open\command
- 0x78ba5:$r1: Classes\Folder\shell\open\command
- 0x78afc:$k1: DelegateExecute
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen | - 0x78034:$s1: RDPClip
- 0x78d14:$s2: Grabber
- 0x78d24:$s2: Grabber
- 0x78620:$s3: Ave_Maria Stealer OpenSource
- 0x785d8:$s4: \MidgetPorn\workspace\MsgBox.exe
- 0x7c330:$s6: /n:%temp%\ellocnak.xml
- 0x7c360:$s7: Hey I'm Admin
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen | - 0x78d34:$pwsh: powershell
- 0x7555b:$s2: User-Agent:
- 0x7589c:$s4: LdrLoadDll
- 0x78528:$s4: LdrLoadDll
- 0x750e4:$v6: start
|
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown | - 0x78968:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
- 0x771cc:$a2: SMTP Password
- 0x75d98:$a3: select signon_realm, origin_url, username_value, password_value from logins
- 0x7c210:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x78858:$a5: for /F "usebackq tokens=*" %%A in ("
- 0x76a58:$a6: \Torch\User Data\Default\Login Data
- 0x7c330:$a7: /n:%temp%\ellocnak.xml
- 0x7c360:$a9: Hey I'm Admin
- 0x76fa4:$a10: \logins.json
- 0x770ac:$a10: \logins.json
- 0x77990:$a11: Accounts\Account.rec0
- 0x78620:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
|