MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae6ad2297366fb5194e553992732f0a5740de2c5fe4b7be56fd2e1a52cb915c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 10 File information Comments

SHA256 hash:	ae6ad2297366fb5194e553992732f0a5740de2c5fe4b7be56fd2e1a52cb915c4
SHA3-384 hash:	be2a41e82c4654da08a1c1fa7fd329d29e8e4d749b0f072da8de5584073997579488ef3965c1bbc894885b78195bf8b4
SHA1 hash:	091df496943099bfe2f03c5a0d53789ed89f094e
MD5 hash:	82ce2f8364d3dca44267a6b049b4a070
humanhash:	magnesium-xray-lake-rugby
File name:	orden de compra.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	854'016 bytes
First seen:	2021-02-19 07:09:54 UTC
Last seen:	2021-02-19 08:36:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:Ygs1igEFKsIHLJ+lyMziSR9De65ASncRoLoXTerD7FJTO187Du0lvBbczjQgykMQ:BFKLriziS1NtoqrLTO8DdB+7M2ygp
Threatray	94 similar samples on MalwareBazaar
TLSH	1905F13263886F97E17F87F49A24101093F5B71BD723F68E3ED902CD19A1E845A7271A
Reporter	abuse_ch
Tags:	404Keylogger exe

abuse_ch

Malspam distributing 404Keylogger:

HELO: ej0.504.nvbo.cf
Sending IP: 104.248.239.234
From: DesarrolloOrganizacional <psicologia@pollofelizsaltillo.com.mx>
Subject: RV: Orden de compra - Proyecto Rocasal - Urgente
Attachment: orden de compra.arj (contains "orden de compra.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Phoenix

Link:

https://www.capesandbox.com/analysis/117903/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.545.15949.28645.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

404Keylogger AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/612347

Signature

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected 404Keylogger

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae6ad2297366fb5194e553992732f0a5740de2c5fe4b7be56fd2e1a52cb915c4/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2021-02-19 07:10:10 UTC

AV detection:

16 of 48 (33.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vzvnekltm35vdfhfkomsomxquv2a3ywf7zfxxzlp2lq2klfzcxca._file

Verdict:

malicious

404Keylogger

0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897

404Keylogger

16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0

404Keylogger

2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7

404Keylogger

2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9

404Keylogger

3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54

404Keylogger

40ed2cee21f04d3dd5a62951a4b99976327816ee918255bc12b6d40247b2b1c0

404Keylogger

ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26

404Keylogger

d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030

404Keylogger

d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345

404Keylogger

+ 84 additional samples on MalwareBazaar

Result

Malware family:

404keylogger

Score:

10/10

Tags:

family:404keylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210219-9pc2yl24ts/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

404 Keylogger

404 Keylogger Main Executable

Unpacked files

SH256 hash:

b2f91d1427c7b60a3ad485bed04ba75636560783c9265a8f26542d5f6aa5d8a9

MD5 hash:

5ad6dc03137fc80e4e691f4b409d9120

SHA1 hash:

edb38e49ce79ecce33ce9a891df56468c3a4016e

Link:

https://www.unpac.me/results/afd49b26-abe7-44dc-bc6c-74cef3a588cf/

SH256 hash:

ae6ad2297366fb5194e553992732f0a5740de2c5fe4b7be56fd2e1a52cb915c4

MD5 hash:

82ce2f8364d3dca44267a6b049b4a070

SHA1 hash:

091df496943099bfe2f03c5a0d53789ed89f094e

Link:

https://www.unpac.me/results/afd49b26-abe7-44dc-bc6c-74cef3a588cf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/ae6ad2297366fb5194e553992732f0a5740de2c5fe4b7be56fd2e1a52cb915c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_KB_ID_Infostealer Create hunting rule
Author:	ditekshen
Description:	Detects exfiltration email addresses correlated from various infostealers. The same email can be observed in multiple families.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Phoenix Create hunting rule
Author:	ditekSHen
Description:	Phoenix/404KeyLogger keylogger payload

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184