MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 feafbaf136b60be701a0dbd0f812d09e79c4d88bfea6b80b9569f641b7ce82b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: feafbaf136b60be701a0dbd0f812d09e79c4d88bfea6b80b9569f641b7ce82b2
SHA3-384 hash: fe5b4c70251c096176105902a7e68efcfd9eaf17f9cd955dd93b6e8cefc21fae43eaf1692a464741081e51b8d12a31f8
SHA1 hash: 2b2bd86b31e12044ecdba42cc6d8b3fea01d1e03
MD5 hash: 911fe269c48c164a7bf64e3d81d42991
humanhash: lamp-autumn-angel-alanine
File name:MT103-20832-20489.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:560'640 bytes
First seen:2020-05-20 11:40:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd14599cca3bfe5eac2aca6e33e2157b (7 x AgentTesla, 3 x Loki, 1 x NanoCore)
ssdeep 12288:3BEm2TGS371Df9rjlPd+2ZrC0JA+FO/nrTn6yrHP:3ynTR7FVrD+OXSTvrv
Threatray 2'420 similar samples on MalwareBazaar
TLSH 37C49F32E2E14837D1635A7D9C1B526C983ABE113D39698B7BF43C4C6F392853927293
Reporter abuse_ch
Tags:404Keylogger exe MailChannels


Avatar
abuse_ch
Malspam distributing 404Keylogger:

HELO: blue.elm.relay.mailchannels.net
Sending IP: 23.83.212.20
From: Fabiana Fernandez <sales@rich-tek.co.th>
Subject: Balance Payment for Order 018122020.
Attachment: MT103-20832-20489.arj (contains "MT103-20832-20489.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 12:37:41 UTC
File Type:
PE (Exe)
Extracted files:
273
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=72x3v4jwwyf6oana3pipqewqtz44jwel72tlqc4vnh3edn6oqkza._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
01e932fe6a5240f2a1f05190b4cf64247842b1a96d858ba98c5f515234103706
404Keylogger
06ff593c0c848c19d9f138b5b5d37894c8defc8ef4ddd44a9d027cea28be869c
404Keylogger
0904cc3ac5743bc4e4f4dcfa31ec6cfe449c12646542f970cbfd53d8dd6915bf
404Keylogger
51d5ab8487876cbc9c82c7450affdab67de13f1ff8b126f82fefa4281698ad59
404Keylogger
5c2ea777da33a621b23492ec92638ae11c24dd7f77e9607277d77a7a02f5ee5b
404Keylogger
72085a6683fbd36131021d63dff1637225c452606c901a7ebe58bdd7795af521
404Keylogger
757207b0f638a3e70800aaa7cb4eda7e207f3641158d4a789d50b231fbe4f136
404Keylogger
79b5482b4c782cf8336701470de400c788089677dea8464daf218c4fb876eacb
404Keylogger
88cafb917c5b75cc01d0f23f8cfb19463a801cf78cc921a111ebcb1e46e801ea
404Keylogger
f4fa3604afcd80c55941153dbd9d16f4449871fef52050b6d8d12564182f4102
404Keylogger
+ 2'410 additional samples on MalwareBazaar
Result
Malware family:
404keylogger
Create hunting rule
Score:
  10/10
Tags:
family:404keylogger keylogger spyware stealer upx
Link:
https://tria.ge/reports/201109-k4cyhtw6se/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
404 Keylogger
404 Keylogger Main Executable
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

arj e8644b5e88bbb7ecd34683f3b957aaa9ef88825f6090444b01dc662b74d4c9da

404Keylogger

Executable exe feafbaf136b60be701a0dbd0f812d09e79c4d88bfea6b80b9569f641b7ce82b2

(this sample)

  
Dropped by
MD5 5e3a32cc320a7b7cf7cc8d07586357ba
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e8644b5e88bbb7ecd34683f3b957aaa9ef88825f6090444b01dc662b74d4c9da

Comments