keylogger_data
Keylogger Activity
Wapack Labs currently maintains collections that yield thousands of newly compromised global accounts and credentials every day, across industries ranging from shipping/receiving and maritime port operations to manufacturing and finance. Wapack Labs currently collects against 350+ keylogger aggregation points for dozens of keylogger applications, and has collected hundreds of thousands of indicators associated with known keyloggers.
| Field | Description |
|---|---|
| area_code | area code geolocated from the indicator |
| attacker_server | name of the keylogger endpoint from which the output was observed |
| city | city name geolocated from the indicator |
| country | two-character country code geolocated from the indicator |
| description | name of the keylogger output file; this can identify the keylogger application variant, such as Predator or Hawkeye |
| domain_cat | general site categorization of the indicator |
| etl_date | date the data was extracted, transformed or loaded (ETL) |
| first_seen | when the keylogger output was first observed |
| indicator | indicator extracted from the keylogger output |
| indicator_context | context in which the keylogger indicator was observed: keylogged email, portal, etc. |
| indicator_type | indicator type |
| last_seen | when the keylogger output was last observed |
| location | latitude and longitude coordinates |
| password_redact | populated with `< redacted >` if a password was captured by the keylogger |
| postal_code | postal code geolocated from the indicator |
| raw_data_file | normalized name of the keylogger output file: the MD5 hash followed by `_content.txt` or `.eml` |
| region | region name geolocated from the indicator |
| url_cat | specific URL site categorization of the indicator |
| username | username credential captured by the keylogger (if applicable) |
| victim_src_ip | IP address observed sending keylogger outputs. Despite the name, this IP may not always represent a victim; for example, it may represent non-keylogger data observed being sent to the endpoint |
| victim_whois | WHOIS record for victim_src_ip |
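As an added example (not Wapack Labs code), the following validates records laid out with the fields above and flags keylogged accounts belonging to a watched domain. The sample records are constructed, and the `raw_data_file` pattern (32 hex characters followed by `_content.txt` or `_content.eml`) is an assumption drawn from the field description.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample records in the keylogger_data layout; not real collection output.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"indicator": "jdoe@example.com", "indicator_type": "email",
     "indicator_context": "keylogged email", "username": "jdoe",
     "password_redact": "< redacted >", "description": "Hawkeye",
     "raw_data_file": "0123456789abcdef0123456789abcdef_content.txt",
     "country": "US", "victim_src_ip": "203.0.113.7",
     "first_seen": "2019-01-02", "last_seen": "2019-01-05"},
    {"indicator": "portal.example.com", "indicator_type": "domain",
     "indicator_context": "portal", "username": "", "password_redact": "",
     "description": "Predator",
     "raw_data_file": "deadbeef_content.txt",  # malformed: not a 32-hex MD5 prefix
     "country": "USA", "victim_src_ip": "not-an-ip",
     "first_seen": "2019-01-03", "last_seen": "2019-01-03"},
]

# Assumed file-name pattern: 32 hex chars (MD5) followed by _content.txt or _content.eml.
RAW_FILE_RE = re.compile(r"^[0-9a-f]{32}_content\.(txt|eml)$", re.IGNORECASE)
REQUIRED = ("indicator", "indicator_type", "raw_data_file", "first_seen", "last_seen")


def validate(rec: Dict[str, str]) -> List[str]:
    """Return schema problems for one record; an empty list means it is well-formed."""
    problems = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
    if not RAW_FILE_RE.match(rec.get("raw_data_file", "")):
        problems.append("raw_data_file is not <md5>_content.txt/.eml")
    if len(rec.get("country", "")) != 2:
        problems.append("country is not a two-character code")
    try:
        ipaddress.ip_address(rec.get("victim_src_ip", ""))
    except ValueError:
        problems.append("victim_src_ip is not an IP address")
    return problems


def exposed_accounts(records: List[Dict[str, str]], watched_domain: str) -> List[Dict[str, str]]:
    """Well-formed records whose indicator belongs to watched_domain and where a password was captured."""
    hits = []
    for rec in records:
        if validate(rec):
            continue  # do not alert on malformed records; route them to a quarantine instead
        ind = rec["indicator"].lower()
        in_domain = ind == watched_domain or ind.endswith("@" + watched_domain) or ind.endswith("." + watched_domain)
        if in_domain and rec.get("password_redact") == "< redacted >":
            hits.append({"account": rec["indicator"], "keylogger": rec["description"],
                         "last_seen": rec["last_seen"]})
    return hits
```

Note that `victim_src_ip` is only syntax-checked here; per the field description it may not be a victim at all, so it is deliberately not used as an alerting key.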