MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c346d3a0a6b975f4d663c2640bd6bd8fe0f0028b31420b68b5a585fec69eafc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c346d3a0a6b975f4d663c2640bd6bd8fe0f0028b31420b68b5a585fec69eafc9
SHA3-384 hash: ff3fee30b6c9c0c2b00b6eb2103d1e9c7b949a84688dce32c9576191d6bd20b3a4d56bff66d8c0f71a3a53a82d64414a
SHA1 hash: 83874ac89ffc018f26f7f0b4ec8dcbb67803b5ad
MD5 hash: ebb6953b42064816c172bf1384bff891
humanhash: item-yankee-michigan-golf
File name:orden de compra xls.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:517'120 bytes
First seen:2021-02-24 07:02:08 UTC
Last seen:2021-02-24 09:04:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:sxJ/FI9Oeh9MvM3TS80eQMF7Rvf5BHppfDk:LhlTSQRRvfHp
Threatray 99 similar samples on MalwareBazaar
TLSH 9EB45C2432885B5EF47EFB3A9515140FA3F9B647C715CACBBD8981CF1C22E8487A5B12
Reporter abuse_ch
Tags:404Keylogger exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: df0.317.xvonq.ml
Sending IP: 161.35.121.193
From: Vanessa Zuasnabar (GP) <vanessa.zuasnabar@grating-prodac.pe>
Subject: ORDEN DE COMPRA 04-21
Attachment: Orden de compra xls.zip (contains "orden de compra xls.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
orden de compra xls.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 07:36:37 UTC
Tags:
evasion trojan stealer
Link:
https://app.any.run/tasks/3dc39927-3780-47ae-aed7-8e1a87749fb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Phoenix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118852/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.CPN.genEldorado.1998.28758.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
404Keylogger AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616378
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected 404Keylogger
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c346d3a0a6b975f4d663c2640bd6bd8fe0f0028b31420b68b5a585fec69eafc9/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 22:52:58 UTC
AV detection:
7 of 45 (15.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yndnhifgxf27jvtdyjsaxvv5r7qpaaulgfbaw2fvuwc75ru6v7eq._file
Verdict:
malicious
Similar samples:
2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7
404Keylogger
2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
404Keylogger
40ed2cee21f04d3dd5a62951a4b99976327816ee918255bc12b6d40247b2b1c0
404Keylogger
56954b030b0fb79acd6b85fde734d8f1e0788720d9dc7342957c536ef8e36f5f
404Keylogger
6ba09bf0b6f9ed13f6600679a0c81cc79dc1461213798b606178f3815078aedd
404Keylogger
6e027a958577efeae259befdc9aabf5656088885342e896673d005e748367743
404Keylogger
97c4048a24673f2d7bcdebc7f0d154891163f842e778ea0503e26c135450f528
404Keylogger
ae6ad2297366fb5194e553992732f0a5740de2c5fe4b7be56fd2e1a52cb915c4
404Keylogger
d0330a3b06b8e087a69c98583ab2f3858c82d09b3cbee3c8732e0d06b595ddef
404Keylogger
d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030
404Keylogger
+ 89 additional samples on MalwareBazaar
Result
Malware family:
404keylogger
Create hunting rule
Score:
  10/10
Tags:
family:404keylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210224-qbrdc76jle/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
404 Keylogger
404 Keylogger Main Executable
Unpacked files
SH256 hash:
e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
MD5 hash:
b6ce7c1d81b9271eab825ea63de154c3
SHA1 hash:
0e7b89555314f8908c1098b652c9bf50e5ecc27b
Link:
https://www.unpac.me/results/ed7aac45-e3d8-4a37-a564-b7f7b83541e6/
SH256 hash:
c346d3a0a6b975f4d663c2640bd6bd8fe0f0028b31420b68b5a585fec69eafc9
MD5 hash:
ebb6953b42064816c172bf1384bff891
SHA1 hash:
83874ac89ffc018f26f7f0b4ec8dcbb67803b5ad
Link:
https://www.unpac.me/results/ed7aac45-e3d8-4a37-a564-b7f7b83541e6/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

zip 93d1b435018f922a8d54b39f7cfb572ec446aed80929a8354761eef51e0de69c

404Keylogger

Executable exe c346d3a0a6b975f4d663c2640bd6bd8fe0f0028b31420b68b5a585fec69eafc9

(this sample)

  
Dropped by
MD5 c628a149fa2c41e3f40aa49c3cc1b4b7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 93d1b435018f922a8d54b39f7cfb572ec446aed80929a8354761eef51e0de69c
Cape
Cape
https://www.capesandbox.com/analysis/118852/

Comments