MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
SHA3-384 hash: 0b302cc2defa0b58c0397afca79d2909f0137072ce893bf907bdc2a828bfc092d6c468859bf4d715b54a63207c24a026
SHA1 hash: eb0d154f47220a518c9edaca8995df9a1ad2febe
MD5 hash: ebaa6c8133bc97f822be7baa40ffc535
humanhash: red-enemy-berlin-wyoming
File name:cotizacion.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:673'792 bytes
First seen:2020-10-08 12:28:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 526c0f274df58763f4b5b74cc1aa8506 (5 x Loki, 4 x 404Keylogger, 2 x MassLogger)
ssdeep 12288:9dUTWK/dyJQU71SjXIOHuaNspkXIGq8Obtw87oRqI:92BkJQjjdvwYtO57oRqI
Threatray 1'894 similar samples on MalwareBazaar
TLSH 60E48E23E2E04437C1732A7D9C1F5BB4DA35BE102E2899466BF4DE4C9F397907929293
Reporter abuse_ch
Tags:404Keylogger exe


Avatar
abuse_ch
Malspam distributing 404Keylogger:

HELO: segurosequinoccial.com
Sending IP: 45.153.242.51
From: ianzas_web1@segurosequinoccial.com
Subject: Cotizacion
Attachment: Cotizacion.zip (contains "cotizacion.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Phoenix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69213/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Enabling the 'hidden' option for analyzed file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a custom TCP request
Deleting a recently created file
Result
Threat name:
404Keylogger AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485360
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected 404Keylogger
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 11:11:31 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2twf4rfvkk3wpzr2cehdm7iinmpjcy4xrfwpp2hwpi4sondgw4q._file
Verdict:
malicious
Similar samples:
01911f32fe6a9ad9db8891af99d4e05ec2eecc8f6f38d16aa0f947d6f174fe5c
404Keylogger
0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897
404Keylogger
108de1bd47a6c60e2ba5ec4d5b1e47f42bd4e6048fc09d940c441e26f8ee45dc
404Keylogger
121cba7566201217f8725044bc4e51283b873305c5e84b9e1623313cefa5fe4b
404Keylogger
482c86b2e6323b9d41b0692af170ac5241998c15bbb486ed2bab2e60a6841c10
404Keylogger
7cef313bae579b3735126139266cd34225fc71e2a38b83ad6e69ba703b71d85e
404Keylogger
8243c8a72e7a2021b4d956f5dafc19ded0162e9eb99f158f8da83660ea9368b5
404Keylogger
cfc5db8087a4d35d9516ad2753876afd4e0629c6bdc28364a49474beaae02ba9
404Keylogger
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
404Keylogger
d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030
404Keylogger
+ 1'884 additional samples on MalwareBazaar
Result
Malware family:
404keylogger
Create hunting rule
Score:
  10/10
Tags:
upx stealer keylogger family:404keylogger spyware
Link:
https://tria.ge/reports/201008-4gsersbpde/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
404 Keylogger
404 Keylogger Main Executable
Unpacked files
SH256 hash:
2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
MD5 hash:
ebaa6c8133bc97f822be7baa40ffc535
SHA1 hash:
eb0d154f47220a518c9edaca8995df9a1ad2febe
Link:
https://www.unpac.me/results/08bdf806-84ca-4f7b-8dbe-c7790a845cb0/
SH256 hash:
28e223acfacbcfab86fe8ccc529ca08b9c7980bef29773801030595580a879b7
MD5 hash:
b369c5f529ecb562585c4612d8eac936
SHA1 hash:
3328c756f8b4bcf0d2ac5f679ce0cf988cf03501
Detections:
win_404keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/08bdf806-84ca-4f7b-8dbe-c7790a845cb0/
Parent samples :
2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54
16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0
2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7
ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26
SH256 hash:
083310a4b513c1c322b3874ca44ecf384ae00d3547d0c00bb8b6b30a9d9a13bd
MD5 hash:
4bf0d2e1c521afb64f08abc35f424630
SHA1 hash:
13ad952f236ba0d8acc50c0cb0f0be50e16b5222
Detections:
win_404keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/08bdf806-84ca-4f7b-8dbe-c7790a845cb0/
Parent samples :
2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

zip 935feb874c1b207a90f4683c697c85102cce85921208044c0ea92cb153ef37a4

404Keylogger

Executable exe 2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9

(this sample)

  
Dropped by
MD5 87b836f482d99cbee7f0eb98cc7ebaac
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69213/
  
Dropped by
SHA256 935feb874c1b207a90f4683c697c85102cce85921208044c0ea92cb153ef37a4

Comments