MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40ed2cee21f04d3dd5a62951a4b99976327816ee918255bc12b6d40247b2b1c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40ed2cee21f04d3dd5a62951a4b99976327816ee918255bc12b6d40247b2b1c0
SHA3-384 hash: 82d0666f91832394fea864199fc44be0315b8497189d240394695e636a27d15b0a40bf19cc6600daec422b38c9947a3b
SHA1 hash: 3e4a79872d1b33f48bb6f07a21d5cb5806243194
MD5 hash: b398016c2c3010ef8c0f27aa42b644a6
humanhash: solar-wolfram-fix-winner
File name:OC2211.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:601'600 bytes
First seen:2021-02-16 06:27:42 UTC
Last seen:2021-02-16 09:01:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:KbeZ4+70pKXQlNVChbacUYBneDCAxRzaJVo4sqHm00Y1JkgB:oeyIObqneDCcqo7O551Jt
Threatray 85 similar samples on MalwareBazaar
TLSH 6BD46B2223AC5F5BF07EBBB5A478640087F2B902E779D65C7DE400DE1A61F80CA95B53
Reporter abuse_ch
Tags:404Keylogger exe


Avatar
abuse_ch
Malspam distributing 404Keylogger:

HELO: rt0.208.xorox.gq
Sending IP: 128.199.97.59
From: Sales <finanzas@comex.com.pe>
Subject: Orden de compra OC221 (Purchase order OC221) Urgente
Attachment: OC2211.arj (contains "OC2211.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Phoenix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117289/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.73020.32695.23315.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Enabling the 'hidden' option for analyzed file
Result
Threat name:
404Keylogger AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/608626
Signature
.NET source code references suspicious native API functions
Found malware configuration
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected 404Keylogger
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40ed2cee21f04d3dd5a62951a4b99976327816ee918255bc12b6d40247b2b1c0/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-15 23:19:17 UTC
AV detection:
9 of 45 (20.00%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idwsz3rb6bgt3vngffi2jomzoyzhqfxosgbflpasw3kaer5swhaa._file
Verdict:
malicious
Similar samples:
01911f32fe6a9ad9db8891af99d4e05ec2eecc8f6f38d16aa0f947d6f174fe5c
404Keylogger
16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0
404Keylogger
2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7
404Keylogger
2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
404Keylogger
3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54
404Keylogger
58fca7f53b148930126a886b687c15d5810557d0034ec75261dbd94c90698031
404Keylogger
80893e190d49fdc68aec0754db2ffe46c60dccecff6d6d42591858ddba315fa6
404Keylogger
a65c812000900485065a8a2d13fed88aeb45077d8bd14424fe4a3a363e147e14
404Keylogger
b3571a21fc2b55b230d8aa1a0141af014b5e4a2eb3817ce0016bceb7a664d422
404Keylogger
d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030
404Keylogger
+ 75 additional samples on MalwareBazaar
Result
Malware family:
404keylogger
Create hunting rule
Score:
  10/10
Tags:
family:404keylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210216-ngshepat7x/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
404 Keylogger
404 Keylogger Main Executable
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/4e9233f9-a4fe-4f38-9314-490085894637/
SH256 hash:
40ed2cee21f04d3dd5a62951a4b99976327816ee918255bc12b6d40247b2b1c0
MD5 hash:
b398016c2c3010ef8c0f27aa42b644a6
SHA1 hash:
3e4a79872d1b33f48bb6f07a21d5cb5806243194
Link:
https://www.unpac.me/results/4e9233f9-a4fe-4f38-9314-490085894637/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/40ed2cee21f04d3dd5a62951a4b99976327816ee918255bc12b6d40247b2b1c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_KB_ID_Infostealer
Create hunting rule
Author:ditekshen
Description:Detects exfiltration email addresses correlated from various infostealers. The same email can be observed in multiple families.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Phoenix
Create hunting rule
Author:ditekSHen
Description:Phoenix/404KeyLogger keylogger payload
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:Telegram_bot_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

arj 6e1e4c43639edf7e533f22aa67b4fbe57d43f8e66ce607ce61aef631fcc92ab3

404Keylogger

Executable exe 40ed2cee21f04d3dd5a62951a4b99976327816ee918255bc12b6d40247b2b1c0

(this sample)

  
Dropped by
MD5 c4252b3cac9fa0a08a98ae4b2ffdca9b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117289/
  
Dropped by
SHA256 6e1e4c43639edf7e533f22aa67b4fbe57d43f8e66ce607ce61aef631fcc92ab3

Comments