{ "stream": 1, "alerted": true, "@version": "1", "app_proto": "ftp-data", "files": [ { "magic": "data", "sid": [], "size": 1892, "tx_id": 0, "stored": false, "mimetype": "text/plain", "filename": "HawkEye_Keylogger_Stealer_Records_BREAUX-WIN7-PC 5.2.2019 9:36:28 PM.txt", "state": "UNKNOWN", "gaps": false } ], "payload_printable": ".. ==============================================\r\n Operating System Intel Recovery\r\n ==============================================\r\nPC Name: BREAUX-WIN7-PC\r\nLocal Time: 5/2/2019 9:36:23 PM\r\nInstalled Language: en-US\r\nNet Version: 2.0.50727.5420\r\nOperating System Platform: Win32NT\r\nOperating System Version: 6.1.7601.65536\r\nOperating System: Microsoft Windows 7 Enterprise \r\nInternal IP Address: 10.0.0.227\r\nExternal IP Address: \r\nInstalled Anti-Virus: \r\nInstalled Firewall: \r\n ==============================================\r\n WEB Browser Password Stealer\r\n ==============================================\r\n==================================================\r\nURL : https://accounts.google.com/signin/v2/sl/pwd\r\nWeb Browser : Chrome\r\nUser Name : adriana.breaux@gmail.com\r\nPassword : P@ssw0rd$\r\nPassword Strength : Very Strong\r\nUser Name Field : identifier\r\nPassword Field : password\r\n==================================================\r\n\r\n==================================================\r\nURL : https://www.bbt.com/\r\nWeb Browser : Internet Explorer 7.0 - 9.0\r\nUser Name : adriana.breaux\r\nPassword : P@ssw0rd$\r\nPassword Strength : Very Strong\r\nUser Name Field : \r\nPassword Field : \r\n==================================================\r\n\r\n\r\n ==============================================\r\n Mail Messenger Password Stealer\r\n ==============================================\r\n==================================================\r\nName : Adriana Breaux\r\nApplication : MS Outlook", "packet_info": { "linktype": 1 }, "type": "json-log", "tags": [ "beats_input_codec_json_applied" ], "src_ip": "10.0.0.227", "flow": { "start": "2023-10-23T05:10:02.219083+0200", "dest_ip": "145.14.145.4", "bytes_toserver": 3235, "dest_port": 37280, "bytes_toclient": 328, "src_port": 49206, "pkts_toclient": 6, "pkts_toserver": 8, "src_ip": "10.0.0.227" }, "geoip": { "country_code3": "US", "location": { "lon": -97.822, "lat": 37.751 }, "latitude": 37.751, "country_name": "United States", "ip": "145.14.145.4", "continent_code": "NA", "provider": { "autonomous_system_organization": "Hostinger International Limited", "autonomous_system_number": 204915 }, "country": { "name": "United States", "geoname_id": 6252001, "iso_code": "US" }, "longitude": -97.822, "coordinate": [ -97.822, 37.751 ], "continent": { "name": "North America", "geoname_id": 6255149, "code": "NA" }, "country_code2": "US", "registered_country": { "name": "Germany", "geoname_id": 2921044, "is_in_european_union": true, "iso_code": "DE" }, "timezone": "" }, "command": "STOR", "in_iface": "tppdummy0", "see_name": "STS-500-QALAB-SSP", "proto": "TCP", "timestamp": "2023-10-23T05:10:02.219226+0200", "host": "discord-probe", "event_type": "alert", "capture_file": "/var/log/suricata/pcaps//log-1698023728-2.pcap", "dest_port": 37280, "src_port": 49206, "agent": { "type": "filebeat", "ephemeral_id": "fb7be2ea-f53c-4100-9688-329299e45b01", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "version": "7.17.10", "hostname": "discord-probe", "name": "discord-probe" }, "log": { "offset": 603304660, "file": { "path": "/var/log/suricata/eve-alert.json" } }, "alert": { "signature": "ETPRO MALWARE Hawkeye Keylogger Sending Data", "category": "A Network Trojan was detected", "rev": 2, "severity": 1, "signature_id": 2812868, "action": "allowed", "metadata": { "created_at": [ "2015_09_03" ], "updated_at": [ "2022_03_17" ] }, "gid": 1 }, "ether": { "dest_mac": "20:e5:2a:b6:93:f1", "src_mac": "84:8f:69:09:86:c0" }, "see_id": "6c2b59a0d0f2", "logger": "logstash-manager", "dest_ip": "145.14.145.4", "packet": "IOUqtpPxhI9pCYbACABFAAOrAZpAAIAGyL0KAADjkQ6RBMA2kaA6U+Y8yb33plAZ+vCVgAAAIDIwMDIvMjAwMy8yMDA3LzIwMTANCkVtYWlsICAgICAgICAgICAgIDogYWRyaWFuYS5icmVhdXhAZ21haWwuY29tDQpTZXJ2ZXIgICAgICAgICAgICA6IHBvcC5nbWFpbC5jb20NClNlcnZlciBQb3J0ICAgICAgIDogOTk1DQpTZWN1cmVkICAgICAgICAgICA6IE5vDQpUeXBlICAgICAgICAgICAgICA6IFBPUDMNClVzZXIgICAgICAgICAgICAgIDogYWRyaWFuYS5icmVhdXgNClBhc3N3b3JkICAgICAgICAgIDogUEBzc3cwcmQkDQpQcm9maWxlICAgICAgICAgICA6IE91dGxvb2sNClBhc3N3b3JkIFN0cmVuZ3RoIDogVmVyeSBTdHJvbmcNClNNVFAgU2VydmVyICAgICAgIDogc210cC5nbWFpbC5jb20NClNNVFAgU2VydmVyIFBvcnQgIDogNTg3DQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEludGVybmV0IERvd25sb2FkIE1hbmFnZXIgU3RlYWxlcg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpEb3dubG9hZGVyIFBhc3N3b3JkIFN0ZWFsZXINCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0=", "parent_id": 649270989041033, "tenant": 9, "flow_id": 659482860666166, "@timestamp": "2023-10-23T03:10:02.219Z", "filename": "HawkEye_Keylogger_Stealer_Records_BREAUX-WIN7-PC 5.2.2019 9:36:28 PM.txt", "net_info": { "src": [ "Private class A", "Internet" ], "src_agg": "private-class-a.internet", "dest": [ "Internet" ], "dest_agg": "internet" }, "input": { "type": "log" }, "sig": { "created": "2015-09-03", "updated": "2022-03-17", "source": "etpro5-optimized" }, "_id": "q2uAWosBmjVXQHqty3dT" }