MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7
SHA3-384 hash: 21864510bd6182774a40534baecc9f3267f05ef025d2d309bf7fe0f5f32ccced2f3b520ad9fcc3be0354da96d35b900d
SHA1 hash: 44222b7cc9de3847bef8c6b5f5639a824edbaf7b
MD5 hash: d35463b27bc9d531685c21d6b25bcb23
humanhash: mountain-apart-spring-may
File name:orden010221.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:494'080 bytes
First seen:2021-02-02 07:32:34 UTC
Last seen:2021-02-02 09:31:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:gb09CXxbZi970MGS33h3fIzRIBfzG7qCv7d6:gUIbZnSnhHfzGuCDI
Threatray 79 similar samples on MalwareBazaar
TLSH 08B401292EBC9E2BC25E7F7D09B0E11423FCC2501915D70EEFD42DE8A626FDD1981A85
Reporter abuse_ch
Tags:404Keylogger DHL ESP exe geo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: corsersac.com
Sending IP: 45.153.242.195
From: Javier Exebio <jexebio@corsersac.com>
Subject: Fwd: ActualizaciĆ³n planos DHL
Attachment: Orden010221.zip (contains "orden010221.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
orden010221.exe
Verdict:
Malicious activity
Analysis date:
2021-02-02 07:33:42 UTC
Tags:
evasion trojan stealer
Link:
https://app.any.run/tasks/da67e7ec-bb4b-46e7-8bcf-3815b8aee8d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Phoenix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115061/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for analyzed file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Reading critical registry keys
Sending a custom TCP request
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
404Keylogger AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/596210
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected 404Keylogger
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-02 06:44:59 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=enek2osci7zj75apxpol6vm55x3ds3rp3ifbvfut2sh2b4f4cs3q._file
Verdict:
malicious
Similar samples:
01911f32fe6a9ad9db8891af99d4e05ec2eecc8f6f38d16aa0f947d6f174fe5c
404Keylogger
0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897
404Keylogger
16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0
404Keylogger
1fc0b64aa5ad4ffdfdd207d5d59dfe238ab1573b793d6da0dca9df7918fdad9e
404Keylogger
2e806e0101522c188033d18c53d9d8a3a769257c38898b2446a8b6b9b5a90ee8
404Keylogger
2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
404Keylogger
3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54
404Keylogger
6a5bf81d82a8112290a0eef40ece993c13143ad63feb1b4452528187a98627b0
404Keylogger
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
404Keylogger
d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030
404Keylogger
+ 69 additional samples on MalwareBazaar
Result
Malware family:
404keylogger
Create hunting rule
Score:
  10/10
Tags:
family:404keylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210202-vvpszbk7e6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
404 Keylogger
404 Keylogger Main Executable
Unpacked files
SH256 hash:
fec081ce4c7e335a4958bc768e6365fa29d8205ead247269220b8c0c6a73981f
MD5 hash:
f46a8cad49debe3102558c84deed3456
SHA1 hash:
d93074b012d55aabb54c132808e6e97be9562cfd
Link:
https://www.unpac.me/results/cfe0df50-0343-4b9b-8ec4-f2dc1977002e/
SH256 hash:
28e223acfacbcfab86fe8ccc529ca08b9c7980bef29773801030595580a879b7
MD5 hash:
b369c5f529ecb562585c4612d8eac936
SHA1 hash:
3328c756f8b4bcf0d2ac5f679ce0cf988cf03501
Detections:
win_404keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/cfe0df50-0343-4b9b-8ec4-f2dc1977002e/
Parent samples :
2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54
16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0
2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7
ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26
SH256 hash:
3b34db2f86c4d1a69163baa9eca943ab22ce8f1205439d5f2bb9c8a1f2c81903
MD5 hash:
1c61129d5d76bdfa7973eda27bf8e109
SHA1 hash:
2d204d1362ff9c0d6c09d320e7e4b53307e37cc0
Link:
https://www.unpac.me/results/cfe0df50-0343-4b9b-8ec4-f2dc1977002e/
SH256 hash:
2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7
MD5 hash:
d35463b27bc9d531685c21d6b25bcb23
SHA1 hash:
44222b7cc9de3847bef8c6b5f5639a824edbaf7b
Link:
https://www.unpac.me/results/cfe0df50-0343-4b9b-8ec4-f2dc1977002e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_KB_ID_Infostealer
Create hunting rule
Author:ditekshen
Description:Detects exfiltration email addresses correlated from various infostealers. The same email can be observed in multiple families.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Phoenix
Create hunting rule
Author:ditekSHen
Description:Phoenix/404KeyLogger keylogger payload
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:Telegram_bot_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_404keylogger_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

zip 4f8719454a5d66f66217862dfa00f945e23fa900ebbb2a15020e95d1456d9e8f

404Keylogger

Executable exe 2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7

(this sample)

  
Dropped by
MD5 a9a5156e6c02ef71536fa26d7a19883d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115061/
  
Dropped by
SHA256 4f8719454a5d66f66217862dfa00f945e23fa900ebbb2a15020e95d1456d9e8f

Comments