MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846
SHA3-384 hash:	3226331117bb65f35efd166b1dabc3a7cb5a9619484ca5f066715e858889e8561d3b6902f707445705fe1378dc49b7ef
SHA1 hash:	721b06c235f114db43fc277c5e49b18f784e7a2d
MD5 hash:	f2b95510e786de6ca512776c9982149f
humanhash:	tennessee-south-single-muppet
File name:	标准的样本格式更新.xlsx.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	825'856 bytes
First seen:	2020-11-03 08:07:18 UTC
Last seen:	2020-11-03 10:00:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:HiskcTP82O8fgX2RyabyF/Yl97u+NXdJ62IknEUAkIoV+6F4caVicYIjI:CsfwSgAlbfl97u+c2IknEUYE+6F4rEc
Threatray	77 similar samples on MalwareBazaar
TLSH	F505AEF66286EB6AC80F043FF84B256193D9DB2D99F8814643C5B119137C7CE66AC4CB
Reporter	cocaman
Tags:	404Keylogger exe

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Phoenix

Link:

https://www.capesandbox.com/analysis/81992/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.58453.31108.29994.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Setting a keyboard event handler

Reading critical registry keys

Sending a custom TCP request

Deleting a recently created file

Result

Threat name:

404Keylogger AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/518955

Signature

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected 404Keylogger

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-03 06:50:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fmujwhodr6u3xviino2tuqotmrtprgo7ii67jfnorz573gyg5bda._file

Verdict:

malicious

404Keylogger

4efd69650a6654537a07b5e0e329281da26ca7da81a8f8c1fbcfa535fec76c50

404Keylogger

6014abff3f883feb405938f546265bc9d6fd5a0397778d10fbbcf7e7a04370af

404Keylogger

6dcc42aad646c84eadd068ea14762f62a5d769a6e03b65a859edea2749902dce

404Keylogger

946200f42fe267c47b2e0983a1d2e1249b78433412f4a0874eee89d985b76553

404Keylogger

a7e8c4d24e013f48bed29fb9a5f0d80c60be249862213e142c7feb47f07ac39e

404Keylogger

b2a4c9e1fbafc010c19f17103ed3454b96fd23e047a6a03cb01ecdc9f026709e

404Keylogger

d5d3cde374721294f774229ce8fa3cbf3edd4d3b489448ea7449ee63bbdc2c31

404Keylogger

dc00e8e3f7021f242e16107ba976697d93616473833233e85fec9842dca480df

404Keylogger

e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31

404Keylogger

+ 67 additional samples on MalwareBazaar

Result

Malware family:

404keylogger

Score:

10/10

Tags:

persistence family:404keylogger keylogger spyware stealer

Link:

https://tria.ge/reports/201103-pk22d5393e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies service

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

404 Keylogger

404 Keylogger Main Executable

Unpacked files

SH256 hash:

2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846

MD5 hash:

f2b95510e786de6ca512776c9982149f

SHA1 hash:

721b06c235f114db43fc277c5e49b18f784e7a2d

Link:

https://www.unpac.me/results/c9e6d248-ae41-4d54-8e46-b0de97eab1c8/

SH256 hash:

1ada18368f81e394e39a5c96ceca73d9fc7eb1cfa01478d1b49eaa28c72b6cba

MD5 hash:

73bd1fe662f1a80c67f747e05dcec4c9

SHA1 hash:

089a8058bb4122cd917e9fc0f52eed553614b1b4

Detections:

win_404keylogger_g0

Link:

https://www.unpac.me/results/c9e6d248-ae41-4d54-8e46-b0de97eab1c8/

Parent samples :

2ac51bddbe245f1d8b6fd18e3e1c361445243006b9e8cdbfb9d5fcaa6cba2420
50bf9e38c817f386cbf2b43ce3766d898571a21e5bb690ad89f851d5bf017bb7
dc00e8e3f7021f242e16107ba976697d93616473833233e85fec9842dca480df
e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31
2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846
5b4e102595fcfeb47ebf79618cd38e451c8543eb264d7faff586370023b3ccc0
825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38
5f76f22bc543897362a09bd6d101583fa0fe5bcaa02b3fd5f67b7c193a1b7ee5

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/c9e6d248-ae41-4d54-8e46-b0de97eab1c8/

SH256 hash:

cdb07a65de8d5d2037e323abc6094416b8cd4284cf79a8be8e2c5de012d5ef6c

MD5 hash:

b73811c98f2fefadd66f4c7f2fc0ff58

SHA1 hash:

a6ba54a7dc09b0abf04dc2f2995ba79999f4268c

Link:

https://www.unpac.me/results/c9e6d248-ae41-4d54-8e46-b0de97eab1c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	win_404keylogger_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

r00 8cf480b0f56ea24df72ca1ce3288c23c2dd56d3c995afcc7cb9b75c2b0b4ceff

404Keylogger

exe 2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846

(this sample)

Delivery method

Other

Dropped by

SHA256 8cf480b0f56ea24df72ca1ce3288c23c2dd56d3c995afcc7cb9b75c2b0b4ceff

Cape

https://www.capesandbox.com/analysis/81992/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample