MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 537f499dd0028377360979ca7ae771d7acb31c451ef806b7d05541cf541f15cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 537f499dd0028377360979ca7ae771d7acb31c451ef806b7d05541cf541f15cb
SHA3-384 hash: f6ffad67c3cfabff85ad4b2ea58d6156f232fe0a59b41c118b1a6d3707153daa50666362bb19afdd37ed96b73274ca31
SHA1 hash: c1d5d1e61a07853fe2ffbf4f6adbad30f10ee15a
MD5 hash: f817b5ee0d91a28b04cce2d36c175362
humanhash: thirteen-quiet-bakerloo-north
File name:lista de orden pdf.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:777'216 bytes
First seen:2020-07-04 07:23:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5e2f1cd1b2c806b5c16bbe16172ec3d (3 x Loki, 2 x AgentTesla, 1 x HawkEye)
ssdeep 12288:lAs8PmmVUXLBugvnML2Td2Jbk1TTwz3/HzRRVxIhAiUapUPs:OPsBuD+cWw/9iqiFZ
Threatray 2'274 similar samples on MalwareBazaar
TLSH E1F47DBEB2E04477D1731A7D9D6BA374582ABD52AD38B90A7BF4CC4C4E392413835293
Reporter abuse_ch
Tags:404Keylogger exe


Avatar
abuse_ch
Malspam distributing 404Keylogger:

HELO: mail.cidelsa.com
Sending IP: 190.223.44.24
From: Selene Ruth Marcelo Reyes <smarcelor@cidelsa.com>
Subject: peticiones sobre producto
Attachment: lista de orden pdf.arj (contains "lista de orden pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.10673.21609.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/537f499dd0028377360979ca7ae771d7acb31c451ef806b7d05541cf541f15cb/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-03 19:17:21 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kn7uthoqakbxonqjphfhvz3r26wlghcfd34ann6qkva46va7cxfq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0d2948ed8c5b18fec94625284e574525981d429737a02b8e8c899518f0977723
404Keylogger
0d78a8f492fe38d77f142c41284771dfda83b2f2856e0a850260235ffb8b6e22
404Keylogger
40ef9adfcf675caf8054ca9c3635f3e47bc0bb99f74b63781976adeedbecdc5b
404Keylogger
5f94c2d722aeb9ec5e324dde64992b7baec9db6f6c0ff39b61fcda6813ec16fd
404Keylogger
946200f42fe267c47b2e0983a1d2e1249b78433412f4a0874eee89d985b76553
404Keylogger
f06b23f31cd428634e38aaa481e099c1f4e3cd6f62caa67ef535264132a695f7
404Keylogger
f1e136159f76900454c4b84e7dee3455e2eeefadcc86ac21d1fa40750aecc5fa
404Keylogger
f94835d0cfac325ba2187c8bec1f9e9cff185a087be4de42832731c3c7a51adc
404Keylogger
fc23f4b6273823d342d92e5fef7e4befc6ca4be41048054eb360ed0923db5983
404Keylogger
fd25d39f3f2eeec2ecf1db20ea303f7389a1ed1b703ab6991e656d13811af1a2
404Keylogger
+ 2'264 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200704-x3xh4kk4es/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Modifies system certificate store
Looks up external IP address via web service
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

arj c69bd986a00a4db57ff048094f24db9bb5f859ab96e023931ec6511b330a9cf2

404Keylogger

Executable exe 537f499dd0028377360979ca7ae771d7acb31c451ef806b7d05541cf541f15cb

(this sample)

  
Dropped by
MD5 d05c180ddbf7cc7b81eca29e06fafe7d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c69bd986a00a4db57ff048094f24db9bb5f859ab96e023931ec6511b330a9cf2
Cape
Cape
https://www.capesandbox.com/analysis/18813/

Comments