MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 8

Intelligence 8 IOCs YARA 7 File information Comments

SHA256 hash:	16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0
SHA3-384 hash:	c5d529936fb1387e53d96494615381da474333a3a7d867e6be9779a4eaf4b8d5d64bf0a6742638c3ba3eda8834261e5a
SHA1 hash:	56a0e3ac605232c62dcd2d0c69b4d30070a91a77
MD5 hash:	dd5d50506fd70f80667f33296d7f45d4
humanhash:	mississippi-eleven-princess-skylark
File name:	SecuriteInfo.com.Trojan.DownLoader35.677.11398.13959
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	347'648 bytes
First seen:	2020-10-14 19:04:39 UTC
Last seen:	2020-10-14 19:40:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:YjETAS6B9YTpvNH3PSpqHxmWdEFqIQFCRaAB8X/pHuqhwJoj:/P6nKplXapqRmRFqIkCRaAiX/E+a
Threatray	24 similar samples on MalwareBazaar
TLSH	1174129DF704991FCE3DA773A4A002641E7A688B9077CF6B6C48A0EE47C6F7585A01F1
Reporter	SecuriteInfoCom
Tags:	404Keylogger

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Phoenix

Link:

https://www.capesandbox.com/analysis/71009/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader35.677.11398.13959.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Sending a UDP request

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Sending a custom TCP request

Deleting a recently created file

Unauthorized injection to a system process

Result

Threat name:

404Keylogger AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/491705

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected 404Keylogger

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0/

Threat name:

ByteCode-MSIL.Trojan.Ymacco

Status:

Malicious

First seen:

2020-10-14 17:33:17 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Verdict:

unknown

404Keylogger

2f3474e57e4d3df1cedeef87e3716fa9143a63cf7ffdd9273273f41c8a8bc223

404Keylogger

6637c089017af9c448d8235e20db32603d8547f0611187341cf184dc66c170b4

404Keylogger

89e9fd57dffefa56428cdea17fb31951591e0f7fbe8d25859dd7c8221f048d3d

404Keylogger

99a9f37b29dd440c803ea37c57a6acded495d4b49c165f66b3fbe8a427972799

404Keylogger

a183a94f7c049de1770e76be272a29e0ec7b3b4344ef5c4dc2fe9ddd5962b5bd

404Keylogger

aba7c1c07ed945bc78f128ced4eef1c58253a55e6d31395228322281e791a15f

404Keylogger

b60f7101e7fe4632ce94f03fe039e6ff31d5d4a00b304fff73f7cfd3d9023e4c

404Keylogger

b646b8f4e9a67cab72124eaa7db809117f7d887e27e2eaafffacdc2703668cda

404Keylogger

cd62c1ca555d8caedbf2f6974500577216b34549681682d8802af804f0510f46

404Keylogger

+ 14 additional samples on MalwareBazaar

Result

Malware family:

404keylogger

Score:

10/10

Tags:

stealer keylogger family:404keylogger spyware

Link:

https://tria.ge/reports/201014-7l72hzahl6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

404 Keylogger

404 Keylogger Main Executable

Unpacked files

SH256 hash:

16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0

MD5 hash:

dd5d50506fd70f80667f33296d7f45d4

SHA1 hash:

56a0e3ac605232c62dcd2d0c69b4d30070a91a77

Link:

https://www.unpac.me/results/8f5c285d-040c-4041-b958-047c90da2f67/

SH256 hash:

28e223acfacbcfab86fe8ccc529ca08b9c7980bef29773801030595580a879b7

MD5 hash:

b369c5f529ecb562585c4612d8eac936

SHA1 hash:

3328c756f8b4bcf0d2ac5f679ce0cf988cf03501

Detections:

win_404keylogger_g0

Link:

https://www.unpac.me/results/8f5c285d-040c-4041-b958-047c90da2f67/

Parent samples :

2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54
16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0
2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7
ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26

SH256 hash:

fcb0f4e9e5f98fdc70aaf0332571645c707fcbf79c0450c3fcd6868894c3b7a0

MD5 hash:

6366b8054f8a6e27075fdd880014400a

SHA1 hash:

f58dda2dec27972634440f530c5bb786bff78cdf

Link:

https://www.unpac.me/results/8f5c285d-040c-4041-b958-047c90da2f67/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	win_404keylogger_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

404Keylogger

exe 16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0

(this sample)

Cape

https://www.capesandbox.com/analysis/71009/

URLhaus

https://urlhaus.abuse.ch/url/693367/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample