keylogger_data
Keylogger Activity
Wapack Labs currently maintains collections that yield thousands of newly compromised global accounts and credentials on a daily basis, in industries ranging from shipping/receiving to maritime port operations to manufacturing and finance. Wapack Labs currently collects against 350+ keylogger aggregation points for dozens of keylogger applications, and has collected hundreds of thousands of indicators associated with known keyloggers.
| Field | Description |
| --- | --- |
| area_code | area code geolocated from indicator |
| attacker_server | name of keylogger endpoint from which output was observed |
| city | city name geolocated from indicator |
| country | two character country code geolocated from indicator |
| description | name of keylogger output file - this can define the type of keylogger app variant, such as Predator or Hawkeye |
| domain_cat | general site categorization of indicator |
| etl_date | date data was exported, transformed or loaded (ETL) |
| first_seen | when keylogger output first observed |
| indicator | indicator extracted from keylogger output |
| indicator_context | context in which keylogger indicator observed; keylogged email, portal, etc. |
| indicator_type | indicator type |
| last_seen | when keylogger output last observed |
| location | latitude and longitude coordinates |
| password_redact | populated with "< redacted >" if password was captured by keylogger |
| postal_code | postal code geolocated from indicator |
| raw_data_file | normalized name of keylogger output file - consists of MD5 hash +_content.txt or .eml |
| region | region name geolocated from indicator |
| url_cat | specific URL site categorization of an indicator |
| username | observed username credential captured by keylogger (if applicable) |
| victim_src_ip | IP address observed sending keylogger outputs. While called victim_src_ip, this IP may not always represent a victim, for example it may represent non-keylogger data observed sending information to the endpoint |
| victim_whois | Whois of victim_src_ip |
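
A defender consuming these records usually needs to know which of their own accounts appear and whether a password was captured. The following is an added example, not Wapack Labs code, that groups records by account for a set of owned domains using the field names from the table. The dict record layout, ISO 8601 timestamps, the exact `raw_data_file` suffix pattern and all sample values are assumptions constructed for illustration.

```python
import re

# Assumption: raw_data_file is a 32-hex-character MD5 plus "_content.txt" or ".eml".
RAW_FILE_RE = re.compile(r"^[0-9a-f]{32}(?:_content\.txt|\.eml)$", re.IGNORECASE)

def email_domain(value):
    """Return the lowercased domain of an e-mail-like value, or None."""
    value = (value or "").strip().lower()
    return value.rsplit("@", 1)[1] if "@" in value else None

def triage(records, own_domains):
    """Summarise, per account, the records that expose our own domains."""
    own = {d.lower() for d in own_domains}
    exposed = {}
    for rec in records:
        # The account may appear in username or, for keylogged e-mail, in indicator.
        account = next((rec[f].strip().lower() for f in ("username", "indicator")
                        if email_domain(rec.get(f)) in own), None)
        if account is None:
            continue
        entry = exposed.setdefault(account, {
            "password_captured": False, "first_seen": None, "last_seen": None,
            "source_ips": set(), "malformed_files": []})
        # Any non-empty password_redact means the keylogger captured a password.
        entry["password_captured"] |= bool((rec.get("password_redact") or "").strip())
        # Assumption: timestamps are ISO 8601 strings, so string order is time order.
        entry["first_seen"] = min(
            filter(None, [entry["first_seen"], rec.get("first_seen")]), default=None)
        entry["last_seen"] = max(
            filter(None, [entry["last_seen"], rec.get("last_seen")]), default=None)
        # victim_src_ip may not be a victim host; keep it as a lead, not a verdict.
        if rec.get("victim_src_ip"):
            entry["source_ips"].add(rec["victim_src_ip"])
        name = rec.get("raw_data_file") or ""
        if not RAW_FILE_RE.match(name):
            entry["malformed_files"].append(name)
    return exposed

# Constructed sample records (not real data); keys are the field names in the table.
SAMPLE = [
    {"username": "j.doe@example.com", "password_redact": "< redacted >",
     "first_seen": "2021-03-02", "last_seen": "2021-03-05", "victim_src_ip": "192.0.2.10",
     "raw_data_file": "0123456789abcdef0123456789abcdef_content.txt"},
    {"username": "J.Doe@example.com", "password_redact": "",
     "first_seen": "2021-02-20", "last_seen": "2021-02-21", "victim_src_ip": "198.51.100.7",
     "raw_data_file": "fedcba9876543210fedcba9876543210.eml"},
    {"username": "someone@example.org", "password_redact": "< redacted >"},
    {"indicator": "ops@example.com", "first_seen": "2021-04-01",
     "last_seen": "2021-04-01", "raw_data_file": "notes.txt"},
]
```

Accounts with `password_captured` set are the ones to prioritise for credential reset; entries in `malformed_files` point at records that do not match the assumed naming and should be checked by hand.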