MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897
SHA3-384 hash: ba7f86c5a49e28d68d81efa4c86145dac2b9c394e299c6fc56e4f3c419bbf5858a0495d9e4c3d8df9cf0c2eab4c7f2a8
SHA1 hash: cb2ac642f5743533b79fef9bd4e97da0b1c18aef
MD5 hash: 4257c31396f2298a0ff642464ea2de68
humanhash: stream-robin-yankee-carpet
File name:cuentas.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:720'384 bytes
First seen:2020-07-11 06:10:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18b4de308ad51a2f49b22dc6eb50f125 (1 x FormBook, 1 x AgentTesla, 1 x 404Keylogger)
ssdeep 12288:cFCEbHHA0GxbQs7fbEBa6rqOcEGnWwLGzS7OUOMPfNm3VTjVgoSez:ohnApQs7pgw3dO8XNmlTj+oJz
Threatray 2'350 similar samples on MalwareBazaar
TLSH 0FE48D63F2D14833C16F1A389D0B5774AD26FE103A28AD872BF46D4C5F396A13936297
Reporter abuse_ch
Tags:404Keylogger exe


Avatar
abuse_ch
Malspam distributing 404Keylogger:

HELO: arrendamex.com.mx
Sending IP: 212.114.52.54
From: <notificaciones@arrendamex.com.mx>
Subject: INFORMES LEGALES GERENCIALES 2020
Attachment: CUENTAS.zip (contains "cuentas.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Phoenix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24554/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.18141.28437.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Enabling the 'hidden' option for analyzed file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a custom TCP request
Creating a file in the Windows subdirectories
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 20:31:13 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajskhscnhitita3upe42snc4zxjs4jqucm7dmkadzsms4cvpnclq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
01911f32fe6a9ad9db8891af99d4e05ec2eecc8f6f38d16aa0f947d6f174fe5c
404Keylogger
06ff593c0c848c19d9f138b5b5d37894c8defc8ef4ddd44a9d027cea28be869c
404Keylogger
0d2948ed8c5b18fec94625284e574525981d429737a02b8e8c899518f0977723
404Keylogger
121cba7566201217f8725044bc4e51283b873305c5e84b9e1623313cefa5fe4b
404Keylogger
4c95dcdc9172ac4d122a5de060b618102f5ed91bfc564ee3f340c9357a7c220b
404Keylogger
6645ca72c1da8e6325dc17645413624742d223df8ca65c6a178ff600bc00cb52
404Keylogger
946200f42fe267c47b2e0983a1d2e1249b78433412f4a0874eee89d985b76553
404Keylogger
b371bd339b7bb8fdab7ad80e9a563ebb17d6722c7d08dca5cfc19dad62d00e87
404Keylogger
d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030
404Keylogger
f94835d0cfac325ba2187c8bec1f9e9cff185a087be4de42832731c3c7a51adc
404Keylogger
+ 2'340 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200711-3541hvjgka/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

zip e1fc749fe1825eea056389973da030207359e60215385360d8524a26ed9acee0

404Keylogger

Executable exe 0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897

(this sample)

  
Dropped by
MD5 b1210e56771074c7c07692d95e4c6289
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e1fc749fe1825eea056389973da030207359e60215385360d8524a26ed9acee0
Cape
Cape
https://www.capesandbox.com/analysis/24554/

Comments