MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 10 File information Comments

SHA256 hash:	825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38
SHA3-384 hash:	b2d6eeb0b7d7189188c787222f9d6c33a0ef8df8bae4fe1c148ca18c509487f20a031fa346e7af08169f7230d1a09feb
SHA1 hash:	55c6c6927f89fa25ea0d31c05be7246053e82d6f
MD5 hash:	80e294f39a6cdd42d2a300b843f199b3
humanhash:	stream-bulldog-edward-north
File name:	Payment Reminder & SOA 202020121158.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	1'025'024 bytes
First seen:	2020-12-21 07:38:54 UTC
Last seen:	2020-12-21 09:34:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:aa+cus930bmqlFclRx84gj9lr8153oyyCnUq4C5G9aIaDwkZMgBhKblDqGyCWslq:R0bTlC9848KnU5wG9QD/
Threatray	1'272 similar samples on MalwareBazaar
TLSH	BC25AE243EEA501DF273AF754BE4B592DAAFF6733B07E45E1090038A4613A41DED2639
Reporter	abuse_ch
Tags:	404Keylogger exe

abuse_ch

Malspam distributing unidentified malware:

HELO: se5m-lax1.servconfig.com
Sending IP: 23.235.223.120
From: Debbyc <debbyc@mfctpe.com.tw>
Subject: RE: SOA
Attachment: Payment Reminder SOA 202020121158.r11 (contains "Payment Reminder & SOA 202020121158.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment Reminder & SOA 202020121158.exe

Verdict:

Malicious activity

Analysis date:

2020-12-21 07:39:15 UTC

Tags:

evasion trojan 404keylogger stealer

Link:

https://app.any.run/tasks/79eeae6d-4316-4be9-9c49-2f85495ad6cb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.fc.31164.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Setting a keyboard event handler

Reading critical registry keys

Sending a custom TCP request

Enabling autorun by creating a file

Result

Gathering data

Result

Threat name:

404Keylogger AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/567206

Signature

.NET source code contains very large strings

.NET source code references suspicious native API functions

Binary contains a suspicious time stamp

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected 404Keylogger

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2020-12-21 00:01:02 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qjpnlpxora4dyhx3q75k22ng4fsqsyhaqqmm5bbffbjkz4p6li4a._file

Verdict:

malicious

404Keylogger

1237b8ef1ef28e7481b47113c644429a68c87858cc5ee8a020607f75696863d1

404Keylogger

1414f24264a3c0579250f74acdbb4ffffc79cf787221704b80cdab5829212bff

404Keylogger

1bd16b971407f4aeb31f7eb8392b2299b22cc8e1778a8c770e7ac4c0150681e8

404Keylogger

1c29149081e94e1ad00a2575210eada3b8a9c23e7dc9230c17870078f7e5d619

404Keylogger

8acbf14306b787f2e29dd9e13e57da8cea6609a3ba9aa86e126243e690a4bf63

404Keylogger

90736a2b5a9e0da6df6b85727e56ff363a6795ca4e948a6163ff19f5d947daba

404Keylogger

9c1f76b540f055b2b6131cde2f6896e73f3e0170070c0551d90d20364156d32c

404Keylogger

a46ba41ed485d6f17d3da30e84f784ef419206d2378bc127c7095e7bbb2c1de6

404Keylogger

a7120c8022437adb5629ea851c83f9efd6e57d9f5598f735e66fc11381fd707d

404Keylogger

+ 1'262 additional samples on MalwareBazaar

Result

Malware family:

404keylogger

Score:

10/10

Tags:

family:404keylogger keylogger spyware stealer

Link:

https://tria.ge/reports/201221-qxc73rnmte/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

404 Keylogger

404 Keylogger Main Executable

Unpacked files

SH256 hash:

1ada18368f81e394e39a5c96ceca73d9fc7eb1cfa01478d1b49eaa28c72b6cba

MD5 hash:

73bd1fe662f1a80c67f747e05dcec4c9

SHA1 hash:

089a8058bb4122cd917e9fc0f52eed553614b1b4

Detections:

win_404keylogger_g0

Link:

https://www.unpac.me/results/0f95a5ce-50b7-4451-adec-2e10d6268a73/

Parent samples :

2ac51bddbe245f1d8b6fd18e3e1c361445243006b9e8cdbfb9d5fcaa6cba2420
50bf9e38c817f386cbf2b43ce3766d898571a21e5bb690ad89f851d5bf017bb7
dc00e8e3f7021f242e16107ba976697d93616473833233e85fec9842dca480df
e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31
2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846
5b4e102595fcfeb47ebf79618cd38e451c8543eb264d7faff586370023b3ccc0
825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38
5f76f22bc543897362a09bd6d101583fa0fe5bcaa02b3fd5f67b7c193a1b7ee5

SH256 hash:

49d07520c59d84fd3183abb08929218fa02ecb6c4b2872b66086abea31707c18

MD5 hash:

bf4e332244846f42b5235942fbd279c8

SHA1 hash:

5addba488ec18dee76271bb2d6da4adb7e94506a

Link:

https://www.unpac.me/results/0f95a5ce-50b7-4451-adec-2e10d6268a73/

SH256 hash:

51b11613df0a8a93c9bf286ff3696c32f50b7763d78425815afaf1d8564fa186

MD5 hash:

6ecc999b80aac33f4255cd30134483ee

SHA1 hash:

86e68ae281efd6741d89eb30388040bb9e68034b

Link:

https://www.unpac.me/results/0f95a5ce-50b7-4451-adec-2e10d6268a73/

SH256 hash:

55a73ea481545e72a1121704f662a86627bd975784cc5145c7e19e5be0a38fcc

MD5 hash:

23a0c7dfc6cef264950ffe999054bcd1

SHA1 hash:

e2b040af55ce7f0b1e09b743610eb62fdfd269f7

Link:

https://www.unpac.me/results/0f95a5ce-50b7-4451-adec-2e10d6268a73/

SH256 hash:

825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38

MD5 hash:

80e294f39a6cdd42d2a300b843f199b3

SHA1 hash:

55c6c6927f89fa25ea0d31c05be7246053e82d6f

Link:

https://www.unpac.me/results/0f95a5ce-50b7-4451-adec-2e10d6268a73/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Phoenix Create hunting rule
Author:	ditekshen
Description:	Phoenix/404KeyLogger keylogger payload

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	win_404keylogger_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

rar f9c0249f169283b662a332d0f998d6aeeb61f4ef8c816e1b3faa5f2fa5143f7c

404Keylogger

exe 825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38

(this sample)

Dropped by

MD5 27a6b925127ae51392562c5fe9143635

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 f9c0249f169283b662a332d0f998d6aeeb61f4ef8c816e1b3faa5f2fa5143f7c

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample