MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5d3cde374721294f774229ce8fa3cbf3edd4d3b489448ea7449ee63bbdc2c31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


404Keylogger


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5d3cde374721294f774229ce8fa3cbf3edd4d3b489448ea7449ee63bbdc2c31
SHA3-384 hash: 6d2badc054c8095cc4b799300acbb51966f611638e35af2acfef5e473dba500dfb1fd02fefbfb2481a4630b8c95b2eda
SHA1 hash: f0ebc2c87dffcfff5a3ffc733d68ef2797876686
MD5 hash: b43907860bd2d731b378a703f9011488
humanhash: oscar-paris-venus-skylark
File name:USD Account Details-GCH.exe
Download: download sample
Signature 404Keylogger
Create hunting rule
File size:408'576 bytes
First seen:2020-05-05 10:06:54 UTC
Last seen:2020-05-05 11:10:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:TdPKE25nOu0QSNjaHEFBmCNAVDAkXa8uLO88qodagtgUF73zSiNb:hSEMOFAEF/NmHb
Threatray 91 similar samples on MalwareBazaar
TLSH B794189D762076EFC85BC472DEA81CA8EA5074BB931B8203942355EDDE4D987CF244F2
Reporter abuse_ch
Tags:404Keylogger exe


Avatar
abuse_ch
Malspam distributing 404Keylogger:

HELO: pipoman.com
Sending IP: 176.123.7.98
From: Jenny John Mathew <jenny@pipoman.com>,
Subject: Revised - Invoice # 253 PO No. F1902020
Attachment: USD Account Details-GCH.iso (contains "USD Account Details-GCH.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EJWW.14503.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 10:36:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xj43y3uoijjj53uekoor6r4x47n2tj3jcker2tujhxgho64fqyq._file
Verdict:
malicious
Similar samples:
06ff593c0c848c19d9f138b5b5d37894c8defc8ef4ddd44a9d027cea28be869c
404Keylogger
0d2948ed8c5b18fec94625284e574525981d429737a02b8e8c899518f0977723
404Keylogger
39a4ccd3eee30490f4deac1fbd38280638e1d0ceb0c8ff809bafa047344781d8
404Keylogger
51d5ab8487876cbc9c82c7450affdab67de13f1ff8b126f82fefa4281698ad59
404Keylogger
537f499dd0028377360979ca7ae771d7acb31c451ef806b7d05541cf541f15cb
404Keylogger
946200f42fe267c47b2e0983a1d2e1249b78433412f4a0874eee89d985b76553
404Keylogger
97aab41cfb9f1ccd0515830ade206b2858e5e48a1194fe056577bd3ce1d06799
404Keylogger
dae557d5b57d32d21d88a3806fb3546da8c536bf0692c81ee928a954a0ce4fb2
404Keylogger
f06b23f31cd428634e38aaa481e099c1f4e3cd6f62caa67ef535264132a695f7
404Keylogger
f94835d0cfac325ba2187c8bec1f9e9cff185a087be4de42832731c3c7a51adc
404Keylogger
+ 81 additional samples on MalwareBazaar
Result
Malware family:
404keylogger
Create hunting rule
Score:
  10/10
Tags:
family:404keylogger keylogger rezer0 spyware stealer
Link:
https://tria.ge/reports/201109-ptz618w3ne/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
rezer0
404 Keylogger
404 Keylogger Main Executable
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

iso 662289f662aa404a82ff7a75e1e047047abd5c6460ca8567f90d32f573679a36

404Keylogger

Executable exe d5d3cde374721294f774229ce8fa3cbf3edd4d3b489448ea7449ee63bbdc2c31

(this sample)

  
Dropped by
MD5 305c150013190ee62c4e221dceb538d9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 662289f662aa404a82ff7a75e1e047047abd5c6460ca8567f90d32f573679a36

Comments