Neonprimetime

2018-04-09 Korben Dallas @KorbenD_Intel Hawkeye sample

Apr 9th, 2018
found by Korben Dallas @KorbenD_Intel
https://twitter.com/KorbenD_Intel/status/983440061772582912
hxxp://emifile[.]com/zcast/
https://www.reverse.it/sample/a02ef42dc3f903a66c6eef374bc4a9f186fdf8e3f7ab5a4a0b833a65aca3acb5/5acbceee7ca3e149fb207535
fes.exe
md5, 7c57c615432a2262c638238bf1625cbf
---------

---------
interesting file locations
---------
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsolts.exe
md5, 7C57C615432A2262C638238BF1625CBF

---------
interesting in-memory strings
---------
0x2a5fad8 (66): C:\Users\HawkEye\Desktop\Reborn\Stub\obj\x86\Debug\Reborn Stub.pdb
0x2cdfbb5 (104): HawkEye Keylogger - Reborn v8 - {0} Logs - {1} \ {2}
0x2cdfc1e (122): HawkEye Keylogger - Reborn v8{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
0x2d50f34 (32): KeePass csv file
0x2d50f70 (30): Eudora.ini file
0x2d50ff0 (30): Outlook Express
0x2d51010 (22): IncrediMail
0x2d51036 (52): Group Mail Free
0x2d5106c (60): MS Outlook 2002/2003/2007/2010
0x2d510b6 (22): Hotmail/MSN
0x2d510ce (50): Yahoo! Mail
0x2d51102 (22): Thunderbird
0x2d5111a (28): Google Desktop
0x2d51138 (24): Windows Mail
0x2d51152 (34): Windows Live Mail
0x2d51176 (24): Outlook 2013
0x2d51190 (24): Outlook 2016
0x2d5156e (44): 2003 - 2016 Nir Sofer
0x2d515a2 (22): ProductName
0x2d515bc (30): Mail PassView
0x2d50c96 (38): Email Accounts List
0x2d50cbe (128): Select base folder of Netscape!Select base folder of ThunderBird
0x2d50d40 (148): Select Eudora.ini filename/Select the location of Thunderbird installation
0x2d4c7ec (23): \Microsoft\Windows Mail
0x2d4c804 (28): \Microsoft\Windows Live Mail
0x2d4c858 (14): Yahoo! User ID
0x2d4c8d0 (49): c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb
0x2d4ba08 (129): SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
0x2d4ae18 (100): www.google.com/Please log in to your Gmail account
0x2d4adcb (57): "Account","Login Name","Password","Web Site","Comments"
0x2d4ada8 (12): %s@gmail.com
0x2d4adb8 (12): %s@yahoo.com
0x2d4ac88 (31): Software\IncrediMail\Identities
0x2d2ef03 (73): c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb
0x2d2b6d7 (40): Opera\Opera\wand.dat
0x2d2b703 (58): Opera\Opera7\profile\wand.dat
0x2d2b74b (76): Opera Software\Opera Stable\Login Data
0x2d25303 (138): SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins
0x2cde152 (66): http://bot.whatismyipaddress.com/
0x2cde196 (66): Win32_NetworkAdapterConfiguration
0x2cde48a (32): AntiVirusProduct
0x2cde4e4 (30): FirewallProduct
0x2cdd870 (20): Screenshot
0x2cdd8b4 (78): http://uploads.im/api?upload&format=xml
0x2cdb0d4 (19): get_ClipboardLogger
0x2cdb0e8 (19): set_ClipboardLogger
0x2cdb0fc (19): get_KeyStrokeLogger
0x2cdb110 (19): set_KeyStrokeLogger
0x2cdb124 (16): get_WebCamLogger
0x2cdb135 (16): set_WebCamLogger
0x2cdb146 (20): get_ScreenshotLogger
0x2cdb15b (20): set_ScreenshotLogger
0x2a38789 (72): https://login.yahoo.com/config/login
0x29ee772 (19): random seed: reborn
0x29ee79a (14): clipboardHook
0x29ee7ae (12): keyboardHook
0x29eac56 (60): The Wireshark Network Analyzer
0x29eaca4 (38): Emulation Detected!
0x29eaccc (20): rstrui.exe
0x29eace2 (24): AvastSvc.exe
0x29eacfc (24): avconfig.exe
0x29ead16 (22): AvastUI.exe
0x29ead2e (20): avscan.exe
0x29ead44 (20): instup.exe
0x29ead6c (22): mbamgui.exe
0x29ead84 (20): mbampt.exe
0x29ead9a (34): mbamscheduler.exe
0x29eadbe (30): mbamservice.exe
0x29eadde (28): hijackthis.exe
0x29eadfc (24): spybotsd.exe
0x29eae2a (24): avcenter.exe
0x29eae44 (22): avguard.exe
0x29eae84 (24): avgcsrvx.exe
0x29eae9e (30): avgidsagent.exe
0x29eaebe (20): avgrsx.exe
0x29eaed4 (24): avgwdsvc.exe
0x29eaf00 (24): zlclient.exe
0x29eaf1a (22): bdagent.exe
0x29eaf32 (32): keyscrambler.exe
0x29eaf64 (26): wireshark.exe
0x29eaf80 (24): ComboFix.exe
0x29eaf9a (22): MSASCui.exe
0x29eafb2 (24): MpCmdRun.exe
0x29eafcc (22): msseces.exe
0x29eafe4 (22): MsMpEng.exe
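The in-memory strings above are listed as "0x<address> (<byte length>): <text>", and the byte length gives away each string's encoding: an entry whose length equals its character count is single-byte (the 66-byte "Reborn Stub.pdb" path is 66 characters), one whose length is exactly twice the character count is UTF-16LE (the 66-byte bot.whatismyipaddress.com URL is 33 characters). The script below is an added example, not part of this paste and not code from HawkEye or from any NirSoft tool. It parses a dump in that format, infers the encoding from the byte count, buckets each string (PDB path, URL, SQL query, process name, .NET logger property, filesystem path) and pulls out the pivot points an analyst would take to a sandbox report or SIEM: contacted hosts, PDB paths, queried tables and the process names the sample carries. The sample input is a constructed subset of the lines above; the category names, rules and field names are the example's own.

```python
"""Triage helper for in-memory string dumps in the "0x<addr> (<byte length>): <text>"
format. Added example only; not code from this paste, HawkEye, or any NirSoft tool."""
import re
from urllib.parse import urlsplit

# Constructed sample input: a handful of lines copied from the dump in this format so the
# script runs offline. It is not the complete string list.
SAMPLE_DUMP = r"""
0x2a5fad8 (66): C:\Users\HawkEye\Desktop\Reborn\Stub\obj\x86\Debug\Reborn Stub.pdb
0x2cdfbb5 (104): HawkEye Keylogger - Reborn v8 - {0} Logs - {1} \ {2}
0x2d4ba08 (129): SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
0x2cde152 (66): http://bot.whatismyipaddress.com/
0x2cdd8b4 (78): http://uploads.im/api?upload&format=xml
0x2cdb0fc (19): get_KeyStrokeLogger
0x29eace2 (24): AvastSvc.exe
0x29eaf64 (26): wireshark.exe
0x2d4c7ec (23): \Microsoft\Windows Mail
"""

LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+) \((\d+)\): (.*)$")

# Classification rules; the first matching rule wins. Category names are this example's own.
CATEGORY_RULES = [
    ("pdb_path",   lambda s: s.lower().endswith(".pdb")),
    ("url",        lambda s: s.lower().startswith(("http://", "https://"))),
    ("sql",        lambda s: s.lstrip().lower().startswith("select ")),
    ("process",    lambda s: re.fullmatch(r"[\w.-]+\.exe", s, re.IGNORECASE) is not None),
    ("logger_api", lambda s: re.fullmatch(r"[gs]et_\w+Logger", s) is not None),
    # Drive-letter prefix, or a backslash directly followed by a name character
    # (so a format string such as "... \ {2}" is not mistaken for a path).
    ("path",       lambda s: re.search(r"^[A-Za-z]:\\|\\[A-Za-z_]", s) is not None),
]


def guess_encoding(byte_len, text):
    """The dump reports each string's size in bytes. Twice the character count means
    UTF-16LE (typical of .NET and Unicode Win32 builds); equal to it means single-byte."""
    if byte_len == 2 * len(text):
        return "utf-16le"
    if byte_len == len(text):
        return "ascii"
    return "unknown"


def categorize(text):
    for name, rule in CATEGORY_RULES:
        if rule(text):
            return name
    return "other"


def parse_dump(dump):
    """Parse dump lines into records; lines that do not match the format are skipped."""
    records = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, byte_len, text = m.group(1), int(m.group(2)), m.group(3)
        records.append({
            "addr": int(addr, 16),
            "bytes": byte_len,
            "text": text,
            "encoding": guess_encoding(byte_len, text),
            "category": categorize(text),
        })
    return records


def extract_iocs(records):
    """Collect the pieces worth pivoting on: contacted hosts, build (PDB) paths, the
    tables the embedded SQL reads, and process names. First-seen order, no duplicates."""
    iocs = {"hosts": [], "pdb_paths": [], "process_names": [], "sql_tables": []}

    def add(key, value):
        if value and value not in iocs[key]:
            iocs[key].append(value)

    for r in records:
        if r["category"] == "url":
            add("hosts", urlsplit(r["text"]).hostname)
        elif r["category"] == "pdb_path":
            add("pdb_paths", r["text"])
        elif r["category"] == "process":
            add("process_names", r["text"])
        elif r["category"] == "sql":
            m = re.search(r"\bfrom\s+([\w.]+)", r["text"], re.IGNORECASE)
            add("sql_tables", m.group(1) if m else None)
    return iocs


def count_by_category(records):
    counts = {}
    for r in records:
        counts[r["category"]] = counts.get(r["category"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for r in recs:
        print(f"{r['addr']:#x} {r['encoding']:<8} {r['category']:<10} {r['text']}")
    print(count_by_category(recs))
    print(extract_iocs(recs))
```

Run as a script it prints one classified row per string followed by the category counts and the extracted indicators; point `parse_dump` at the full list above, or at any strings output in the same format, to get the same buckets. The host list is what goes into egress monitoring, the PDB paths are stable pivots for hunting related builds, and the process-name bucket is the set of security and analysis tools the sample carries names for.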