MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030
SHA3-384 hash: eefeb4bac5b4547a531698ff35517463c17a745b61578819c0bb84d2b8d2665855bedc70499ed9f09fd0037fd9059e75
SHA1 hash: 7e20bfbf46b72fce96a3ba7925a6777e23f170ba
MD5 hash: 3d17c378137eec14c9dc45811c1c83c5
humanhash: three-winter-moon-pennsylvania
File name:MMO47.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:798'208 bytes
First seen:2020-06-25 06:02:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a29f4efb911c4906418600fd25679688 (11 x Loki, 10 x AgentTesla, 2 x HawkEye)
ssdeep 12288:A16DRdrkQMFHVsMlrsy/bz5JF4WHC1PgI9vFcnQdTZByM9SVZLkm0bZO7cV1m:269dI9Dl7bPF4sm9dNdNByMEfAm0SyE
Threatray 1'994 similar samples on MalwareBazaar
TLSH 4C057EE2F2B14433C1721A3B8D6B52F5582ABE11BD2865462BE4DDCC9F3F64138352A7
Reporter abuse_ch
Tags:404Keylogger ESP exe geo


Avatar
abuse_ch
Malspam distributing 404Keylogger:

HELO: se.com
Sending IP: 45.147.231.244
From: Fernando Ramos <fernando.ramos1@se.com>
Subject: Oferta Seguro y supervisión de Datawaves a CPF Shell
Attachment: MMO47.arj (contains "MMO47.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Phoenix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13934/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.10803.7096.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Enabling the 'hidden' option for analyzed file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a custom TCP request
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2q4ldlxmu6jplynhasrdfnxsmgtyz2k373b2ped5ibtjis4ksaya._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
01911f32fe6a9ad9db8891af99d4e05ec2eecc8f6f38d16aa0f947d6f174fe5c
404Keylogger
0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897
404Keylogger
06cd18b13e77f513e826da358a65d6f61b05769ce830c8fb9d15b916c672ea61
404Keylogger
1dc070d234e0a6924f80b80f65d559aedd504b9c8fb3633a1c6ece3b11aefcf5
404Keylogger
3570ad6cca0092ef3dae27f25444acbf024ec2ae484146148214765791b2d289
404Keylogger
50f2b41bb5e2dead969345319a9617715492e979937f0b11264f927cd007f903
404Keylogger
60bcd840701607269f42880c4d96fe9242aa4916e3204fc034cb972d53cb2461
404Keylogger
745364797a55e8213e5ccc2fc6dcac6ae92aed3c78d8d0b1fa7eb9684bda6167
404Keylogger
9c857f21dae9912b85da12eb7d48ce8949ac6c50b98181b49fbaa39bd261827e
404Keylogger
d2dc5299f64dc02a7e375d91f73145c7eb88a0a1155a21f4c7f4a4e07c5117b4
404Keylogger
+ 1'984 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware evasion trojan
Link:
https://tria.ge/reports/200625-9pjh4e3k92/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies system certificate store
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

arj 9b6e5c0f99f26a60c13602eccb31991c4c0e900884b606a5569e55cb9ccd4733

404Keylogger

Executable exe d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030

(this sample)

  
Dropped by
MD5 3ca7ef923b2347446a5ef0f671962915
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13934/
  
Dropped by
SHA256 9b6e5c0f99f26a60c13602eccb31991c4c0e900884b606a5569e55cb9ccd4733

Comments