MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b50262bf6a9e901dacf870f4e693f0803901e6a6e7ea25008fd8114068f2011f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	b50262bf6a9e901dacf870f4e693f0803901e6a6e7ea25008fd8114068f2011f
SHA3-384 hash:	b238a292e85b7925244e1b805d228776f5e2fca15ab4169ba867ffac8b58d1b7913bbfb5e4f8eeab717f8fed8f628f50
SHA1 hash:	77535ac6740f8b3dd93a0a5433b1dd4947da4a1c
MD5 hash:	5319a6a100e21921d3339ede12a5031b
humanhash:	beer-stream-friend-mango
File name:	PO 25724 0021.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	781'312 bytes
First seen:	2024-08-01 06:40:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (70 x Formbook, 33 x AgentTesla, 20 x RemcosRAT)
ssdeep	12288:DsHzOUNUSB/o5LsI1uwajJ5yvv1l2fdvnu8tIw7r23AD8BEh9ziYZweG3370aMU5:SiUmSB/o5d1ubcvYcic3HKUYuL0asub
Threatray	5 similar samples on MalwareBazaar
TLSH	T15CF4233219E1ECA9C27063B5D8B6CED186A17870DE957FBB8B90F39FA430315C405B66
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	abuse_ch
Tags:	404Keylogger exe

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO 25724 0021.exe

Verdict:

No threats detected

Analysis date:

2024-08-01 06:59:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/61482d3c-98cb-4863-80c1-d0750c5d5e41

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ab2e0d037b02d0daecdd55

Tags:

s h e l l c o d e c r y p t e r

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

autoit lolbin microsoft_visual_cc packed packed packed phishing shell32 upx

Link:

https://www.filescan.io/uploads/66ab2e0678d5c73fb1ca6e03/reports/ac636423-1bfc-428c-8832-d52f15581c79/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/b50262bf6a9e901dacf870f4e693f0803901e6a6e7ea25008fd8114068f2011f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4a45d00f-c656-403f-8641-48f4a1c35edd

Result

Threat name:

VIP Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1485814

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Files With System Process Name In Unsuspected Locations

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected Generic Dropper

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b50262bf6a9e901dacf870f4e693f0803901e6a6e7ea25008fd8114068f2011f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b50262bf6a9e901dacf870f4e693f0803901e6a6e7ea25008fd8114068f2011f/

Threat name:

Win32.Trojan.AutoInMalInjector

Status:

Malicious

First seen:

2024-07-25 16:30:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wubgfp3kt2ib3lhyod2one7qqa4qdzvg47vckaep3aiua2hsaepq._file

Verdict:

malicious

404Keylogger

b89d413c29fae1513b365fee87eec36a1d74648325c5f955285b06fe6d35f20b

404Keylogger

c10f72e90f08921781cab13aa7d3a9d21c961cf97f46590eed4c1cbc6ebc1d66

404Keylogger

cd347d3994f5f74555bc0fe47b78c63d247f91093614b0d69d33a0971c96c102

404Keylogger

d2c0a67e9f5a36e878853d5f8a0e493d7d29362c2cff1b805cb7b29f52cd0faf

404Keylogger

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery upx

Link:

https://tria.ge/reports/240801-hfsb2s1erg/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/cf0b19e5-9cb8-4abd-b147-112c963199a2

Unpacked files

SH256 hash:

72531558a1e9388c76105976c95d971ff43117ab1fdd5363f6e0061eae005d51

MD5 hash:

71dced3b8c76db490af0c8fcf4e41b21

SHA1 hash:

cf66319224c33a471426a342472138588ba72fc5

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

Link:

https://www.unpac.me/results/6ec47288-3137-4726-9ae9-eb264016d82f/

Parent samples :

b50262bf6a9e901dacf870f4e693f0803901e6a6e7ea25008fd8114068f2011f
8b799752acd2bad6565aa2560efd2d9fb3439428c8a50bbfb44749d476d286af

SH256 hash:

fee7d8c1acad1cb8f2b409dfece5044dfdab47960d3400f28bf00d2c3185dc2c

MD5 hash:

2694fde73a0d543f5ca5ea8c4de2d4e7

SHA1 hash:

9d665a7d915d7a5296b314a5cc1654949c726a65

Detections:

win_mofksys_auto

SUSP_Imphash_Mar23_2

Link:

https://www.unpac.me/results/6ec47288-3137-4726-9ae9-eb264016d82f/

Parent samples :

b50262bf6a9e901dacf870f4e693f0803901e6a6e7ea25008fd8114068f2011f
8b799752acd2bad6565aa2560efd2d9fb3439428c8a50bbfb44749d476d286af
4d59b35375d85ca3dd06c76cedea67009a37075e179d0ae192b9412b24bec974
51fde361f93dc3702ed13354d064da8422188f3e1b06d9c9b04951da07d89cb8
ee4202466c3df1bb44773ee382d9814bf0daac585b416e44ab0eeefc7a588aaa
1a60823d2507bf095559dd725fcd7d87c20c98c61bab8c65551ad58892095909
b7eab5f19a05b4dc7dc0d210995778e5c74e0aac6e26c740e3a7593774c5d8bf
c75d0dd517c95d24288b71934a0bab7d6ede632eb13af2b142099c6667bf0a6e

SH256 hash:

1fa40eaecca2abef6bfb4f161b0736e4b9a393eb9c552b92907555ef1df195ee

MD5 hash:

e2e85f6f664ee34836040c6d9b3e2426

SHA1 hash:

a75c9a810006edf6f7c177f2b1df8cca928a3ce7

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/6ec47288-3137-4726-9ae9-eb264016d82f/

SH256 hash:

b50262bf6a9e901dacf870f4e693f0803901e6a6e7ea25008fd8114068f2011f

MD5 hash:

5319a6a100e21921d3339ede12a5031b

SHA1 hash:

77535ac6740f8b3dd93a0a5433b1dd4947da4a1c

Link:

https://www.unpac.me/results/6ec47288-3137-4726-9ae9-eb264016d82f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b50262bf6a9e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.94

Link:

https://yomi.yoroi.company/submissions/b50262bf6a9e901dacf870f4e693f0803901e6a6e7ea25008fd8114068f2011f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::GetAce
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::timeGetTime
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample