MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 151caa538da3b32889f7aa47133860846700a816b902f5eeac6bb39d795c6812. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	151caa538da3b32889f7aa47133860846700a816b902f5eeac6bb39d795c6812
SHA3-384 hash:	ec47f78093108512f039e2157858ff0a6ec9773b71c3cf14438c8e218a58421d5f6ee66ef35310c218775bef7ebd49d8
SHA1 hash:	875fe32e6e14889fc7b473e91f070d46999ed07a
MD5 hash:	1fa18abde13192d33d6347abe0bf734e
humanhash:	finch-helium-lima-queen
File name:	uT5wiEYASje8CME.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	593'920 bytes
First seen:	2020-07-08 07:45:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:85fVE6O5n+vToVe6D4hgmfEOEaKGNXle3FAMgMQk1k+v+h9x4J7LZS1Ce:85fVEW0Ve6Da7EOEoVe3FA+Ax4JRS1C
Threatray	18 similar samples on MalwareBazaar
TLSH	3BC4016195A48F67D92D97FDA475081203BA6F1AB831EBAD8EC0B0F52F737C10416B1B
Reporter	abuse_ch
Tags:	404Keylogger exe

abuse_ch

Malspam distributing 404Keylogger:

HELO: slot0.fundscript.xyz
Sending IP: 45.95.169.179
From: info@fundscript.xyz
Reply-To: info@fundscript.xyz
Attachment: Vouch_me.xlsm

404Keylogger payload URL:
https://seedwellresources.xyz/uT5wiEYASje8CME.exe

Intelligence

File Origin

# of uploads :

1

# of downloads :

98

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22957/

Detection(s):

SecuriteInfo.com.Trojan.Malware.300983.susgen.6977.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Launching the process to change network settings

Enabling autorun with Startup directory

Unauthorized injection to a system process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/151caa538da3b32889f7aa47133860846700a816b902f5eeac6bb39d795c6812/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-08 07:47:03 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cuokuu4nuozsrcpxvjdrgodaqrtqbkawxebpl3vmnozz26k4naja._file

Verdict:

unknown

Similar samples:

1b68f5ab26d4fd7c7ca1933dd8dcc6f6f879104a072dc92f9d5917ad42a3cfd7

346b977e05b99881c7ec168c2fa0b68f84ec633d764eb52dd9795e372f45b1b4

34fd926b213a1c5726124dff74dbf69c731f8e823168d17cc1c9448501ed314f

38a83ed65dd375ad496b01eb7bf0f050983b1a289f1fcb01e9898fa7565ddd63

555028b1ee606e6d75d849940ceb77d3205fa196cf414370facdbce575f99d85

6e9b80abff99f9ce1d477c30f23c7ab327c1d5fef3edda5f68497aacd35ae03b

7302711920290930c1668ecf6519c207fdafb56b7f6d894b1e3fd4e4b920ad81

942040aa151db7981d1d09c3cf264df1ada08805011a4720812016bd231048a7

b7a6133cc3253f40c306f93cd28219a26d1354e7e360be9014c46ee3f7f67053

dbeb99d2b3f5ab13560c96f80ee6153f909f64aac45d4ad56e2468320430acd3

+ 8 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200708-c5qfl5beee/

Behaviour

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Modifies service

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xlsm 3d2f4071f4039fc8d0fa05ecc9cbad6f350e028dbae28f059d6f40446e688a16

exe 151caa538da3b32889f7aa47133860846700a816b902f5eeac6bb39d795c6812

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/408900/

Dropped by

MD5 7d50d1522e40087223060bc413bcf35d

Dropped by

SHA256 3d2f4071f4039fc8d0fa05ecc9cbad6f350e028dbae28f059d6f40446e688a16

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/22957/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample