MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 463310350b11f648122f686b760d583275d10bb5e2fc7e810788cb2553436418. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 463310350b11f648122f686b760d583275d10bb5e2fc7e810788cb2553436418
SHA3-384 hash: 2d4b1ae80824fd089911baca1c20f7282158da8939b1b78daf3a9f74333a1e6fac20e4fb99ee52b976392745b06ab5b4
SHA1 hash: 3cebbaf2d89e986fad904e7ea656008e291cb599
MD5 hash: 905359fdbefb6263bc5f31579000a0d8
humanhash: white-dakota-xray-august
File name:Order List 10072020.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:712'704 bytes
First seen:2020-07-10 11:22:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6c5aa4620701f1d844f97acdde133aa4 (7 x AgentTesla, 1 x FormBook, 1 x 404Keylogger)
ssdeep 12288:pAopB9+000R6HuSl6TXBoSRN13ndwCCj1VwbzV+7zKCEC7n4RMd:p3j4a6OSlEbh3ndz9N2n7N
Threatray 2'640 similar samples on MalwareBazaar
TLSH 4DE49E22F2E14437D1B3FE3D9C1B93A8983ABE512D38A9863BE51D4C4F3569139252D3
Reporter abuse_ch
Tags:404Keylogger exe


Avatar
abuse_ch
Malspam distributing 404Keylogger:

HELO: thuhil.com
Sending IP: 45.153.241.102
From: Purchase Manager <sales@thuhil.com>
Subject: NEW ORDER ref: 10072020
Attachment: Order List 10072020.arj (contains "Order List 10072020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24373/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Enabling the 'hidden' option for analyzed file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a custom TCP request
Creating a file in the Windows subdirectories
Moving of the original file
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/463310350b11f648122f686b760d583275d10bb5e2fc7e810788cb2553436418/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 11:24:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iyzranilch3eqerpnbvxmdkygj25cc5v4l6h5aihrdfsku2dmqma._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
14a6748757c109080de791b34d158b8e1e7b99831d64bde4d901f5f4ef0a4c20
404Keylogger
22de80f7b695a2d2de01c7de28554a3588b1a115c370df9d4ed6da63fa2fbc21
404Keylogger
3c3c2afe57269ba1438595d34dfd3db570514bcf7b404a3ae8a38f8481729da3
404Keylogger
4d10520e2b80ca42e98590435c36c5409a458d9a5bd0ad35b0f444d2ceb2626d
404Keylogger
67586cd711a0de6176d2df1bde9bf36f024f893328ae9c447bdf5e636e99502b
404Keylogger
7b2c3d840df187976a61997b49d7b8a409360528bc2f8edaae80c26bcc86e6bf
404Keylogger
7dd02ed6230b0adde343aca84f8693a1c0d3ade225679849bf72849ad84107ca
404Keylogger
9c38ee8e0a3c1c135ec3c4dd93b8ea67c0a39a83f1f4960c219eeb6e12ea66ce
404Keylogger
c2dc84d69a583c5a9f37109f1c2066af3eca496a1aabb2589c5918a1ca3cb1d7
404Keylogger
cbeefe51466bc72c1d6ac6d8a24c4da9a9c8f66d2e388a057bb6ce5c197c152d
404Keylogger
+ 2'630 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200710-zwhtlgae8s/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

arj 0b4e18bd6b3f3875fbd98f618473733b4d7bc478dc17d86219a2c14325e03fb6

404Keylogger

Executable exe 463310350b11f648122f686b760d583275d10bb5e2fc7e810788cb2553436418

(this sample)

  
Dropped by
MD5 01d3fd5bc27a88094799ed39e780ab6b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24373/
  
Dropped by
SHA256 0b4e18bd6b3f3875fbd98f618473733b4d7bc478dc17d86219a2c14325e03fb6

Comments