MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b4e102595fcfeb47ebf79618cd38e451c8543eb264d7faff586370023b3ccc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	5b4e102595fcfeb47ebf79618cd38e451c8543eb264d7faff586370023b3ccc0
SHA3-384 hash:	16da5f059f06d12bef12fcc871899c2568165f89f3ab0b0f38f2e70881a05a037fd9a313cc3dcad4e2091d6afb896884
SHA1 hash:	d3a25025afd82f5db880e42049db87f4f5203d7d
MD5 hash:	9611b45fe4e49dc87f3869d87ca0ff36
humanhash:	alaska-fourteen-mike-table
File name:	SIWFT refTRF08463473 20201611.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	421'888 bytes
First seen:	2020-11-16 09:38:17 UTC
Last seen:	2020-11-16 11:44:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:7FOiRm/VlAZSQnD5Rybuz0cg7bEdCSRdBHMlU8LFy:7HA/VlgSQDfybuwl7bEd1t8LF
Threatray	74 similar samples on MalwareBazaar
TLSH	D794E03216C5FE96C3AE1FB5E5A126041FF8B91B9B20E70DBEDC10D92532789C921772
Reporter	cocaman
Tags:	404Keylogger exe SWIFT

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.5031.28313.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Setting a keyboard event handler

Reading critical registry keys

Sending a custom TCP request

Deleting a recently created file

Result

Gathering data

Result

Threat name:

404Keylogger AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/537361

Signature

.NET source code contains potential unpacker

Found malware configuration

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected 404Keylogger

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5b4e102595fcfeb47ebf79618cd38e451c8543eb264d7faff586370023b3ccc0/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-11-16 06:51:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lnhbajmv7t7li7v7pfqyzu4oiuoikq7lezgx7l7vqy3qai5tztaa._file

Verdict:

malicious

404Keylogger

2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846

404Keylogger

50bf9e38c817f386cbf2b43ce3766d898571a21e5bb690ad89f851d5bf017bb7

404Keylogger

946200f42fe267c47b2e0983a1d2e1249b78433412f4a0874eee89d985b76553

404Keylogger

cfb435bdd8d3e8b95c5c6ca82fd51b7f4369746ca664ff6d660d0715b58f07da

404Keylogger

d5d3cde374721294f774229ce8fa3cbf3edd4d3b489448ea7449ee63bbdc2c31

404Keylogger

dc00e8e3f7021f242e16107ba976697d93616473833233e85fec9842dca480df

404Keylogger

e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31

404Keylogger

f94835d0cfac325ba2187c8bec1f9e9cff185a087be4de42832731c3c7a51adc

404Keylogger

fd8062e9977fd80b004b6dc3fd635aef07841b974c88ae1903ffaf3257a9fd35

404Keylogger

+ 64 additional samples on MalwareBazaar

Result

Malware family:

404keylogger

Score:

10/10

Tags:

family:404keylogger keylogger persistence spyware stealer

Link:

https://tria.ge/reports/201116-4apsg8vmsj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

404 Keylogger

404 Keylogger Main Executable

Unpacked files

SH256 hash:

5b4e102595fcfeb47ebf79618cd38e451c8543eb264d7faff586370023b3ccc0

MD5 hash:

9611b45fe4e49dc87f3869d87ca0ff36

SHA1 hash:

d3a25025afd82f5db880e42049db87f4f5203d7d

Link:

https://www.unpac.me/results/9ec1baa7-ef3d-4930-a761-09d44b5202fa/

SH256 hash:

9691a940213c16a9b4df2109b833827b2ac126200be80d8584df4a3b739f2553

MD5 hash:

2acba3fed9c53d971bc3e7848aeaa6e7

SHA1 hash:

078d4bf33bba72c5e6b5f77d23e8f241a704d163

Link:

https://www.unpac.me/results/9ec1baa7-ef3d-4930-a761-09d44b5202fa/

SH256 hash:

1ada18368f81e394e39a5c96ceca73d9fc7eb1cfa01478d1b49eaa28c72b6cba

MD5 hash:

73bd1fe662f1a80c67f747e05dcec4c9

SHA1 hash:

089a8058bb4122cd917e9fc0f52eed553614b1b4

Detections:

win_404keylogger_g0

Link:

https://www.unpac.me/results/9ec1baa7-ef3d-4930-a761-09d44b5202fa/

Parent samples :

2ac51bddbe245f1d8b6fd18e3e1c361445243006b9e8cdbfb9d5fcaa6cba2420
50bf9e38c817f386cbf2b43ce3766d898571a21e5bb690ad89f851d5bf017bb7
dc00e8e3f7021f242e16107ba976697d93616473833233e85fec9842dca480df
e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31
2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846
5b4e102595fcfeb47ebf79618cd38e451c8543eb264d7faff586370023b3ccc0
825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38
5f76f22bc543897362a09bd6d101583fa0fe5bcaa02b3fd5f67b7c193a1b7ee5

SH256 hash:

cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e

MD5 hash:

8cd5d2014866f4ef60802ff1826998a6

SHA1 hash:

8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

Link:

https://www.unpac.me/results/9ec1baa7-ef3d-4930-a761-09d44b5202fa/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

rar 84c7583ce4e2ab51a3aed368da4911e2dea94822da6783ae9e108e230aba65a6

404Keylogger

exe 5b4e102595fcfeb47ebf79618cd38e451c8543eb264d7faff586370023b3ccc0

(this sample)

Delivery method

Other

Dropped by

SHA256 84c7583ce4e2ab51a3aed368da4911e2dea94822da6783ae9e108e230aba65a6

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample