Haan

Copyright © MegaSecurity

By c-cure


Information
Author: c-cure
Family: Haan
Category: Information Stealer
Version: Haan
Additional Information
Server:
c:\WINDOWS\TEMP\server\server\ev0.exe 
c:\WINDOWS\SYSTEM\wincmd.exe 

size: 177 KB

port: 80 TCP

startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Author Information / Description
-= ev0luti0n HTTP keylogger =-  
                                    ._                    _.
                                       ~ expl0it_shad0w ~
 
-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

o0 - Table Of Contents - 0o

-= Section 1 =-

A> Introduction
B> Instructions
C> Trojan Removal
D> Contacting Me



-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 1,A =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Introduction

I wanted to make a keylogger with a difference,
I don't think one has been made like this yet; if it has, let me know.
This is a Keylogger that records all the key strokes to a file, 
and it allows you to view them,
just by typing the victim's IP address in the Internet Explorer
( or some other Internet browser ).

NOTE: the keylogger sucks, so I'm working on a better one.



-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 1,B =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Instructions

Follow these instructions.

1> Rename "Server.exe" to whatever you want,
   make it convincing, not like "TROJAN.exe" or "KEYLOGGER.exe".

2> Send it to them and tell them it's a new hacking tool,
      NOTE: Try binding it with a real one. If you know how.

( Once the victim opens it, it hides in memory and records all the key strokes on the computer,
  so you can view them with an Internet Browser like MSIE. )

3> Connect to their machine on port 80 with an Internet browser, as stated above.
   Type in their IP address into it and just hit Enter. 
   For example if the victim's IP address was 127.0.0.1 you type in http://127.0.0.1 or
   just 127.0.0.1.

4> Have Phunn.



-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 1,C =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Trojan Removal

Follow these simple instructions to remove ALL traces of the trojan.

1> Go inside the windows\system directory and remove all these files.

smsg.html - Online HTML file
wincmd.exe - The Trojan Itself
Msvbrt60.dll - A needed DLL
evlog.dat - Stored keystrokes

NOTE: If you can not delete wincmd.exe, or any of the other files,
just boot into MS-DOS and delete them there,
using the Del command.

2> Open up your Registry Editor and remove the following entry.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Wincmd - it's a string.

3> That's it.
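
The indicators named in the removal steps above (four files in windows\system and the Wincmd value under the Run key) can be checked against collected triage data before anything is deleted. This is an added example, not part of the original readme or of this catalogue entry; it assumes the directory listing is a list of file names and the registry data is text in `reg query` output format, and both sample inputs are constructed.

```python
import re

# Indicators copied from the removal section of this page (compared case-insensitively).
HAAN_FILES = {"smsg.html", "wincmd.exe", "msvbrt60.dll", "evlog.dat"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "wincmd"

def scan_file_listing(names):
    """Return the indicator file names found in a directory listing."""
    return sorted({n.strip().lower() for n in names} & HAAN_FILES)

def scan_reg_query(text):
    """Return the data of the Wincmd value under the Run key, or None if absent."""
    in_run_key = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # key headers start in column 0
            in_run_key = line.strip().lower() == RUN_KEY
            continue
        if in_run_key:                       # indented "name  REG_TYPE  data" rows
            m = re.match(r"\s+(.+?)\s+(REG_\w+)\s*(.*)$", line)
            if m and m.group(1).lower() == RUN_VALUE:
                return m.group(3).strip()
    return None

def triage(names, reg_text):
    """Combine both checks into a verdict: likely, possible or clean."""
    files = scan_file_listing(names)
    run_data = scan_reg_query(reg_text)
    if run_data is not None and "wincmd.exe" in files:
        verdict = "likely"      # persistence entry plus the binary it launches
    elif files or run_data is not None:
        verdict = "possible"    # name-only hit: confirm before deleting anything
    else:
        verdict = "clean"
    return {"files": files, "run_value": run_data, "verdict": verdict}

# Constructed sample inputs (not taken from a real host).
SAMPLE_LISTING = ["kernel32.dll", "WINCMD.EXE", "evlog.dat", "notepad.exe", "Smsg.html"]
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Wincmd    REG_SZ    c:\WINDOWS\SYSTEM\wincmd.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING, SAMPLE_REG))
```

A "possible" verdict rests on file names alone, so confirm size (177 KB per this entry) and location before removing anything.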
