MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cac6951b870ea92b65b38ffbae3777f979788da0a8fac7ddc0cab11eb46e6e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cac6951b870ea92b65b38ffbae3777f979788da0a8fac7ddc0cab11eb46e6e8
SHA3-384 hash: 234048692b37f5d0f62937bc935584b7f833709c36c0291f40e643cd77c41b18566e3c20fa24792c522ea68d7309c49b
SHA1 hash: 151714c7dcd3ac326f7fe477703ca180e0e44f9e
MD5 hash: 0ec204fa7f4755fb26e17db7a9b6c473
humanhash: blue-lithium-apart-sixteen
File name:Emailing PAYMENT 001-31-515208021256.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:447'488 bytes
First seen:2020-08-03 07:45:14 UTC
Last seen:2020-08-03 08:39:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:v76IcY77y1yHcnnirCnD/hL3R/6oBLtF7cOkOHUf:T9cY7+QHcniwlBioXF7cOkOH
Threatray 270 similar samples on MalwareBazaar
TLSH 05949D6C17E00A1AF9AE1B7EAC320503DF65F04F5C27A39F06B154AA08BBB949D50F57
Reporter abuse_ch
Tags:404Keylogger exe


Avatar
abuse_ch
Malspam distributing 404Keylogger:

HELO: dunesindustries.com
Sending IP: 185.222.57.207
From: Baskar <baskar@dunesindustries.com>
Subject: Re: [victim-domain] Bank slips for new orders deposits
Attachment: Emailing PAYMENT 001-31-515208021256.r00 (contains "Emailing PAYMENT 001-31-515208021256.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37492/
Detection(s):
Sanesecurity.Rogue.0hr.20200802-0305.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Reading critical registry keys
Sending a custom TCP request
Result
Threat name:
404Keylogger AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/407648
Signature
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected 404Keylogger
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cac6951b870ea92b65b38ffbae3777f979788da0a8fac7ddc0cab11eb46e6e8/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-02 05:22:03 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hswgsunyodvjfns3hd73vy3xp6lzpcg2bkh2y7o4bsvrd22g43ua._file
Verdict:
unknown
Similar samples:
0e2359712d56cd2288252596dcb2b77f444c2aeb53b3a88846058aa327f8f4cb
404Keylogger
15ac6b1a7fdb92b545dae44b1a88d6328629944771bdce75002637cdbf299027
404Keylogger
2f42e1baa78e2d7160734d4a9a849cff5f95cc2f7dfa161aa9c62429a0058dbe
404Keylogger
53a05748df93fa8c44d170d47a1abd61ec9ec27980867c7cb87d3d9841f70ccf
404Keylogger
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
404Keylogger
a540201f44f378a2bcade1e6190cd5784ae7cc0bc0f1138436afeb7b10ef7050
404Keylogger
d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9
404Keylogger
e0b95a4255056cbad985d2d8e2ef1ab22720b758af99bd8d15a5d2d81d650fff
404Keylogger
e9111465f64f15932c37cbcf81cc493a8f8abf34470670729f5b63bb48f7d31b
404Keylogger
f155dd64a514c9ea5ffc36222d1c66c8daf6416945dbc8e8dd7a5b2cefae02d3
404Keylogger
+ 260 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200803-lavbh46yhe/
Behaviour
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cac6951b870ea92b65b38ffbae3777f979788da0a8fac7ddc0cab11eb46e6e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

r00 0af21101bfccf3d7d4e614592285f4f8ef89dcae54c192e64c1344eeda0f489a

404Keylogger

Executable exe 3cac6951b870ea92b65b38ffbae3777f979788da0a8fac7ddc0cab11eb46e6e8

(this sample)

  
Dropped by
MD5 4bf6aee4a3bddc0b454ff21353de3733
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37492/
  
Dropped by
SHA256 0af21101bfccf3d7d4e614592285f4f8ef89dcae54c192e64c1344eeda0f489a

Comments