MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 11 File information Comments

SHA256 hash:	ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26
SHA3-384 hash:	0403ca95bf2ffbcfb83631d641840dd1596f06bf0b8baf69ffea4b5a808695f2e3ab58a4446c2ab9c56be033832bcb4f
SHA1 hash:	14a02a1fae97b91b00599ec1a5df55a06f9bbdc4
MD5 hash:	8f303fb00513b4194cfd968ffe27253f
humanhash:	four-solar-pluto-north
File name:	cotizar planos.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	945'152 bytes
First seen:	2021-02-04 09:42:18 UTC
Last seen:	2021-02-04 11:44:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:LD7yBYQghtipAhZX+ceCnwJms07PGQwotcrPUK7EUbOF2nL2PFSq5Q9gsA:LD7yBYQ+ewIceOs0aQduPzb+z0q0A
Threatray	248 similar samples on MalwareBazaar
TLSH	D515D0262399EF49D17D6B784064D13093F1A812DB36C7AEBED194EF2865F82871A703
Reporter	abuse_ch
Tags:	404Keylogger exe

abuse_ch

Malspam distributing unidentified malware:

HELO: wsu0.bnjo.ga
Sending IP: 165.227.133.176
From: COTIZAR <carlos.fuerte@rumi-ingenieros.com>
Subject: RE: Actualización planos - URGENTE
Attachment: COTIZAR PLANOS.zip (contains "cotizar planos.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cotizar planos.exe

Verdict:

Malicious activity

Analysis date:

2021-02-04 09:49:46 UTC

Tags:

evasion trojan stealer

Link:

https://app.any.run/tasks/d3d7bf2b-87d3-4121-a63a-2a866832b305

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Phoenix

Link:

https://www.capesandbox.com/analysis/115538/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.72843.23261.29812.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Enabling the 'hidden' option for analyzed file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Setting a keyboard event handler

Reading critical registry keys

Sending a custom TCP request

Deleting a recently created file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

404Keylogger AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/598990

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected 404Keylogger

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-04 09:43:26 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vmgp733kgnnpqveuihjoeab2iwq46lemaixsy7uvpclzon6nv4ta._file

Verdict:

malicious

404Keylogger

16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0

404Keylogger

2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7

404Keylogger

2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9

404Keylogger

372cd98605fe6e02dc881fbca3e1e8b9fe3f9b089cfd5006fb783b393c04fa0a

404Keylogger

3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54

404Keylogger

8026c043c1f755c370b8ecc74d3b7a1e9c9b009e8aea67ac65d00950c48c4744

404Keylogger

b2739489880576a89cb1c779ee33cc20b37de99e7484f43262730fbf28697062

404Keylogger

cdafc39c9d75a7d353104eb7b8a216847ee244af786e563610b19ece912f0176

404Keylogger

ea80a43b3f2c88ccf2b784aadf8eabc0141c1740dc56d5b5bb7c90d522a57d04

404Keylogger

+ 238 additional samples on MalwareBazaar

Result

Malware family:

404keylogger

Score:

10/10

Tags:

family:404keylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210204-v9j64623rx/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

404 Keylogger

404 Keylogger Main Executable

Unpacked files

SH256 hash:

df57234780f5cd20c6172424198e132b4e9a898b5c798fddc0c055e28e021f30

MD5 hash:

7b8e54badbf307c9ccebd4268c0f3965

SHA1 hash:

d36fe0a54d45440f76c26056cb9facb0cb3a66c8

Link:

https://www.unpac.me/results/185b6e39-343b-46e3-9805-0e53d81371e6/

SH256 hash:

28e223acfacbcfab86fe8ccc529ca08b9c7980bef29773801030595580a879b7

MD5 hash:

b369c5f529ecb562585c4612d8eac936

SHA1 hash:

3328c756f8b4bcf0d2ac5f679ce0cf988cf03501

Detections:

win_404keylogger_g0

Link:

https://www.unpac.me/results/185b6e39-343b-46e3-9805-0e53d81371e6/

Parent samples :

2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54
16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0
2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7
ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26

SH256 hash:

efd406a4c434314068ef08c7c848fcc39495694e6b9a958bc774558f115c7ea5

MD5 hash:

f55c6486af25b7072b657a05c8c4be08

SHA1 hash:

f5939e0099d005c360919ccab504029238bfabad

Link:

https://www.unpac.me/results/185b6e39-343b-46e3-9805-0e53d81371e6/

SH256 hash:

ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26

MD5 hash:

8f303fb00513b4194cfd968ffe27253f

SHA1 hash:

14a02a1fae97b91b00599ec1a5df55a06f9bbdc4

Link:

https://www.unpac.me/results/185b6e39-343b-46e3-9805-0e53d81371e6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_KB_ID_Infostealer Create hunting rule
Author:	ditekshen
Description:	Detects exfiltration email addresses correlated from various infostealers. The same email can be observed in multiple families.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Phoenix Create hunting rule
Author:	ditekSHen
Description:	Phoenix/404KeyLogger keylogger payload

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	win_404keylogger_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

zip 336577f0f05a0a2972c318b58022eaa52c66eee65390b1003f18b3345f593d30

404Keylogger

exe ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26

(this sample)

Dropped by

MD5 a8e733998d1f9c3ff0da82028aa28b73

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/115538/

Dropped by

SHA256 336577f0f05a0a2972c318b58022eaa52c66eee65390b1003f18b3345f593d30

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample