MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 869fb5f7b10290ff21a86dfd49ad5cb09089f3fa543bb94282154596a431dcca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	869fb5f7b10290ff21a86dfd49ad5cb09089f3fa543bb94282154596a431dcca
SHA3-384 hash:	a6ba0924ef31e0b81ac2fa36d9c0fbba2f922401fb5a2178176d7478be79eacdd82afc8a457cba914fac3628ab6d43e7
SHA1 hash:	5f5feb85a9320786f9c7ace79d49d4fb1da29988
MD5 hash:	49b396bde1a157e96029cf10cb993bf5
humanhash:	may-bakerloo-mars-sink
File name:	DHL Shipment Notification Document 9671450633.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	673'792 bytes
First seen:	2020-10-09 05:58:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	526c0f274df58763f4b5b74cc1aa8506 (5 x Loki, 4 x 404Keylogger, 2 x MassLogger)
ssdeep	12288:1dUTWK/dyJQU71SjXIOHuaNspkXIGq8OGr4U:12BkJQjjdvwYtOc
Threatray	1'903 similar samples on MalwareBazaar
TLSH	9DE48E23E2A05437C1731A7C9C1F5BB4DA35FE102928A9466BF4DE4C9F397907A29293
Reporter	abuse_ch
Tags:	404Keylogger DHL exe

abuse_ch

Malspam distributing unidentified malware:

HELO: dhl.com
Sending IP: 45.153.243.120
From: DHL PARCEL <dhlparcl@dhl.com>
Subject: DHL Wrong Shipment Notification
Attachment: DHL Shipment Notification Document 9671450633.arj (contains "DHL Shipment Notification Document 9671450633.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Phoenix

Link:

https://www.capesandbox.com/analysis/69393/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Connection attempt

Result

Threat name:

404Keylogger AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/486255

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected 404Keylogger

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/869fb5f7b10290ff21a86dfd49ad5cb09089f3fa543bb94282154596a431dcca/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-10-08 14:56:05 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q2p3l55rakip6ininx6utlk4wciit472kq53squccvcznjbr3tfa._file

Verdict:

malicious

404Keylogger

121cba7566201217f8725044bc4e51283b873305c5e84b9e1623313cefa5fe4b

404Keylogger

2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9

404Keylogger

3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54

404Keylogger

482c86b2e6323b9d41b0692af170ac5241998c15bbb486ed2bab2e60a6841c10

404Keylogger

7cef313bae579b3735126139266cd34225fc71e2a38b83ad6e69ba703b71d85e

404Keylogger

8243c8a72e7a2021b4d956f5dafc19ded0162e9eb99f158f8da83660ea9368b5

404Keylogger

b371bd339b7bb8fdab7ad80e9a563ebb17d6722c7d08dca5cfc19dad62d00e87

404Keylogger

d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d

404Keylogger

eacb842bfb2638dad0dfc194ecf323a019780a3ab3be7f2f21e2a0d5726156f2

404Keylogger

+ 1'893 additional samples on MalwareBazaar

Result

Malware family:

404keylogger

Score:

10/10

Tags:

upx spyware stealer keylogger family:404keylogger

Link:

https://tria.ge/reports/201009-6ys2g2c5ya/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

404 Keylogger

404 Keylogger Main Executable

Unpacked files

SH256 hash:

869fb5f7b10290ff21a86dfd49ad5cb09089f3fa543bb94282154596a431dcca

MD5 hash:

49b396bde1a157e96029cf10cb993bf5

SHA1 hash:

5f5feb85a9320786f9c7ace79d49d4fb1da29988

Link:

https://www.unpac.me/results/8ae7af4c-d2d1-4046-8e9d-fe62034c7029/

SH256 hash:

116ec927d44188d785b956cf26405a388a9fa35820f4ea2a783e6d739e22afe0

MD5 hash:

770cc582d1d8f337f194c3cbbbd7cab2

SHA1 hash:

a545082ea3b2600d1e5559a140e63b4f0cd5849d

Detections:

win_404keylogger_g0

Link:

https://www.unpac.me/results/8ae7af4c-d2d1-4046-8e9d-fe62034c7029/

Parent samples :

869fb5f7b10290ff21a86dfd49ad5cb09089f3fa543bb94282154596a431dcca
48bd479dd78532b0b8a04394e3bcc9d053484c1b43840cc40e453952b9f8161d

SH256 hash:

3d567b5332c50452fcde62f1b20e73c3aa51f3721a7ef3ae3fcefdb7b6ed9c1b

MD5 hash:

66ae0bdadd6b397194a50425683f8f0d

SHA1 hash:

2dda5ea2da2714fa95dde0c670fcb6e7459f9f7f

Detections:

win_404keylogger_g0

Link:

https://www.unpac.me/results/8ae7af4c-d2d1-4046-8e9d-fe62034c7029/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/869fb5f7b10290ff21a86dfd49ad5cb09089f3fa543bb94282154596a431dcca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	win_404keylogger_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

arj 6e347c94340746934e6237e90a9747d02f8c36ee911cb2b9d09d5c7dd1e4314b

404Keylogger

exe 869fb5f7b10290ff21a86dfd49ad5cb09089f3fa543bb94282154596a431dcca

(this sample)

Dropped by

MD5 6dcae08348ee0b4f12fcb94713f4d048

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/69393/

Dropped by

SHA256 6e347c94340746934e6237e90a9747d02f8c36ee911cb2b9d09d5c7dd1e4314b

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample