MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56954b030b0fb79acd6b85fde734d8f1e0788720d9dc7342957c536ef8e36f5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 9

Intelligence 9 IOCs YARA 10 File information Comments

SHA256 hash:	56954b030b0fb79acd6b85fde734d8f1e0788720d9dc7342957c536ef8e36f5f
SHA3-384 hash:	26a1f2953ebfa116650201eb9308dd6c605a09b24b1f2e116f72be097814747eb13a4a346ddf77e07068f15e5d7fb198
SHA1 hash:	ea93257d9fe5451fea4473ea14c3eb5ec765cfa6
MD5 hash:	81d8a0ae9daae847fe302737e191507f
humanhash:	ohio-ceiling-asparagus-zulu
File name:	iAxkn PDF.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	409'600 bytes
First seen:	2021-02-22 19:03:57 UTC
Last seen:	2021-02-22 20:29:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:+xAJLUs4ISijNq4vhRD8/LE+8uUFvnxsP48V9q/yPUgXDESxH:ecvn/+8HFPxs7PUPSZ
Threatray	91 similar samples on MalwareBazaar
TLSH	31948D28235C9B4DE53DB7385170964FC3F5B553EB62D28F3EC111AB1CA2E818F62A91
Reporter	abuse_ch
Tags:	404Keylogger CHL exe geo

abuse_ch

Malspam distributing 404Keylogger:

HELO: mail.cobralex.cl
Sending IP: 200.55.220.148
From: Carmen Elena. Romero <ceromero@enlace-chile.cl>
Subject: Solicitud de cotización #iAxkn32
Attachment: iAxkn PDF.arj (contains "iAxkn PDF.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Phoenix

Link:

https://www.capesandbox.com/analysis/118386/

Detection(s):

SecuriteInfo.com.Malware.AI.1881095700.17152.29690.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

404Keylogger AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/614472

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected 404Keylogger

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/56954b030b0fb79acd6b85fde734d8f1e0788720d9dc7342957c536ef8e36f5f/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-02-22 19:04:07 UTC

AV detection:

13 of 28 (46.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k2kuwaylb63zvtllqx66ongy6hqhrbza3hohgquvprjw56hdn5pq._file

Verdict:

malicious

404Keylogger

10c468006317bde4cabce1e987e1b1af0302c5cb9f2fb81c666d47c1bf67d16a

404Keylogger

16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0

404Keylogger

2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7

404Keylogger

40ed2cee21f04d3dd5a62951a4b99976327816ee918255bc12b6d40247b2b1c0

404Keylogger

642e7c5b6904fe50c539440104b792feece1754c754b69e4d369ad494222cb78

404Keylogger

6a32e223e2cb89976bf1d24cd60a33b567d35c01fddacc618998fb40125852d5

404Keylogger

ae6ad2297366fb5194e553992732f0a5740de2c5fe4b7be56fd2e1a52cb915c4

404Keylogger

d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030

404Keylogger

f1a43d8b49bda3c88eb1c314c9460a92c0b467ea8db4c9086ac8e3bfe358e511

404Keylogger

+ 81 additional samples on MalwareBazaar

Result

Malware family:

404keylogger

Score:

10/10

Tags:

family:404keylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210222-zwte31s3mn/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

404 Keylogger

404 Keylogger Main Executable

Unpacked files

SH256 hash:

e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44

MD5 hash:

b6ce7c1d81b9271eab825ea63de154c3

SHA1 hash:

0e7b89555314f8908c1098b652c9bf50e5ecc27b

Link:

https://www.unpac.me/results/8108588c-dd5f-4f81-ae82-62dad9412980/

SH256 hash:

56954b030b0fb79acd6b85fde734d8f1e0788720d9dc7342957c536ef8e36f5f

MD5 hash:

81d8a0ae9daae847fe302737e191507f

SHA1 hash:

ea93257d9fe5451fea4473ea14c3eb5ec765cfa6

Link:

https://www.unpac.me/results/8108588c-dd5f-4f81-ae82-62dad9412980/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/56954b030b0fb79acd6b85fde734d8f1e0788720d9dc7342957c536ef8e36f5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_KB_ID_Infostealer Create hunting rule
Author:	ditekshen
Description:	Detects exfiltration email addresses correlated from various infostealers. The same email can be observed in multiple families.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Phoenix Create hunting rule
Author:	ditekSHen
Description:	Phoenix/404KeyLogger keylogger payload

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184