MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
SHA3-384 hash: b62d308a54f97132fb50e0660a2b7e631b61ce54d6199f18f58f3b8fc05adbdcd2880fcca600bf490191ad284206c1bc
SHA1 hash: 52327953d0dc8f5271cf216929074537b37b70dd
MD5 hash: 1f3b160cc2fe493a66f24e1213eb4297
humanhash: solar-florida-vegan-michigan
File name:DFN061Z.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:673'792 bytes
First seen:2020-10-08 12:28:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 526c0f274df58763f4b5b74cc1aa8506 (5 x Loki, 4 x 404Keylogger, 2 x MassLogger)
ssdeep 12288:VdUTWK/dyJQU71SjXIOHuaNspkXIGq8OJUzmPV:V2BkJQjjdvwYtOtPV
Threatray 1'893 similar samples on MalwareBazaar
TLSH 9CE48E23E2E05437C1731A7D9C1F4BB4DA35BE103A28A9466BF4DE4C9F397907929293
Reporter abuse_ch
Tags:404Keylogger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Phoenix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69215/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Enabling the 'hidden' option for analyzed file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a custom TCP request
Deleting a recently created file
Result
Threat name:
404Keylogger AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485365
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected 404Keylogger
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 12:30:10 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2nn7je4fb34ff7m3judooe6dkafcsbopcaulxahojky72pg63zoq._file
Verdict:
malicious
Similar samples:
01911f32fe6a9ad9db8891af99d4e05ec2eecc8f6f38d16aa0f947d6f174fe5c
404Keylogger
0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897
404Keylogger
108de1bd47a6c60e2ba5ec4d5b1e47f42bd4e6048fc09d940c441e26f8ee45dc
404Keylogger
121cba7566201217f8725044bc4e51283b873305c5e84b9e1623313cefa5fe4b
404Keylogger
482c86b2e6323b9d41b0692af170ac5241998c15bbb486ed2bab2e60a6841c10
404Keylogger
7cef313bae579b3735126139266cd34225fc71e2a38b83ad6e69ba703b71d85e
404Keylogger
8243c8a72e7a2021b4d956f5dafc19ded0162e9eb99f158f8da83660ea9368b5
404Keylogger
b371bd339b7bb8fdab7ad80e9a563ebb17d6722c7d08dca5cfc19dad62d00e87
404Keylogger
d438b1aeeca792f5e1a704a232b6f261a78ce95bfec3a7907d4066944b8a9030
404Keylogger
eacb842bfb2638dad0dfc194ecf323a019780a3ab3be7f2f21e2a0d5726156f2
404Keylogger
+ 1'883 additional samples on MalwareBazaar
Result
Malware family:
404keylogger
Create hunting rule
Score:
  10/10
Tags:
upx stealer keylogger family:404keylogger spyware
Link:
https://tria.ge/reports/201008-rl8kqk4nf2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
404 Keylogger
404 Keylogger Main Executable
Unpacked files
SH256 hash:
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
MD5 hash:
1f3b160cc2fe493a66f24e1213eb4297
SHA1 hash:
52327953d0dc8f5271cf216929074537b37b70dd
Link:
https://www.unpac.me/results/11fbc568-f584-4f95-9c7b-94cc21b04dae/
SH256 hash:
28e223acfacbcfab86fe8ccc529ca08b9c7980bef29773801030595580a879b7
MD5 hash:
b369c5f529ecb562585c4612d8eac936
SHA1 hash:
3328c756f8b4bcf0d2ac5f679ce0cf988cf03501
Detections:
win_404keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/11fbc568-f584-4f95-9c7b-94cc21b04dae/
Parent samples :
2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54
16732dd83907bd9e881729cca144a2008193830f9db8686030216091a380d9d0
2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7
ab0cffef6a335af8549441d2e2003a45a1cf2c8c022f2c7e9578979737cdaf26
SH256 hash:
083310a4b513c1c322b3874ca44ecf384ae00d3547d0c00bb8b6b30a9d9a13bd
MD5 hash:
4bf0d2e1c521afb64f08abc35f424630
SHA1 hash:
13ad952f236ba0d8acc50c0cb0f0be50e16b5222
Detections:
win_404keylogger_g0
Create hunting rule
Link:
https://www.unpac.me/results/11fbc568-f584-4f95-9c7b-94cc21b04dae/
Parent samples :
2ea762f225aa95bb3f31d08871b3e84358f48b1cbc4b67bf47b3d1c939a335b9
d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d
3ad31e065d9ef9cd13549f44d2d1a7ec02c0776eacd140faa32d81ae63c35b54
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d35bf493850ef852fd9b4d06e713c3500a2905cf1028bb80ee4ab1fd3cdede5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_404keylogger_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69215/

Comments