MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

404Keylogger

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31
SHA3-384 hash:	facc8796577cd085a8620659500ac0647029c1193e912011df7bb0ec6ee225336f97ba788f5d982bbd34a6271300f539
SHA1 hash:	a588abe74503eaa9043664d9dd9a3ee6d3e1d67a
MD5 hash:	c02c7e2e87758c7fd7cc72b157df668b
humanhash:	rugby-solar-georgia-eleven
File name:	Urgent (0998 R1) ST PO1805140.exe
Download:	download sample
Signature	404Keylogger Create hunting rule
File size:	730'112 bytes
First seen:	2020-10-19 07:26:32 UTC
Last seen:	2020-10-19 08:24:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:NEs7iMPerhytrNyI9QnkmXb57vCWiZtFo9jA88t:NEsPPerhypYI2kmXbIrFu8t
Threatray	130 similar samples on MalwareBazaar
TLSH	32F47D6517586F64E03D133394A4248097F6ED12E332C51E7CE93A8E6A71FE6D323B86
Reporter	abuse_ch
Tags:	404Keylogger exe

abuse_ch

Malspam distributing unidentified malware:

HELO: dunesindustries.com
Sending IP: 185.222.57.186
From: Sharath V Sasi <sharath@dunesindustries.com>
Subject: RE: Enquiry OF Flange (0998 R1) ST PO:1805140
Attachment: Urgent 0998 R1 ST PO1805140.7z (contains "Urgent (0998 R1) ST PO1805140.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Phoenix

Link:

https://www.capesandbox.com/analysis/72789/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.424.11445.23570.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Setting a keyboard event handler

Reading critical registry keys

Sending a custom TCP request

Enabling autorun by creating a file

Result

Threat name:

404Keylogger AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/495014

Signature

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected 404Keylogger

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-19 02:30:01 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4sr6edrgpneqewymmavqv5nrtrlxch6ap5kefq2w2xcx4hxhzuyq._file

Verdict:

malicious

404Keylogger

5c74fdaa63a6b210dd3ceed52b08c212d2e3d2ede23568e0c85370c9ad9052ce

404Keylogger

7891ae9d0d99198c2fa2e77bb5f937b22ffa4ffa83c6fbba6a012b7054b4b1b9

404Keylogger

8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d

404Keylogger

9592a9a5cc7e4200c0e6a9396197c148f87d36f1a16701934d7608feb0d0f36e

404Keylogger

a88d09e31b3d69e78b88c96f053a9afbe29daa59fc50e5ba269f4a24b3a04d88

404Keylogger

c1db0bc7089675799a66c321a0401a402b94e0d455037b0cbd76e54188de43c8

404Keylogger

c68e4b825434bac34abd9d5428ea2c30fc60c8b47db17de743782825687547d5

404Keylogger

ce1eacfadbf8ddc471b548902421228b2f9173bfde4d156ed1ec27fdbc187520

404Keylogger

e4c0a05633312d7511731bd4f16cf30be9789e037794d767de8e021bfd5b742c

404Keylogger

+ 120 additional samples on MalwareBazaar

Result

Malware family:

404keylogger

Score:

10/10

Tags:

spyware stealer keylogger family:404keylogger

Link:

https://tria.ge/reports/201019-3h8mp4rn2j/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

404 Keylogger

404 Keylogger Main Executable

Unpacked files

SH256 hash:

e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31

MD5 hash:

c02c7e2e87758c7fd7cc72b157df668b

SHA1 hash:

a588abe74503eaa9043664d9dd9a3ee6d3e1d67a

Link:

https://www.unpac.me/results/21ed9e50-bba4-48ab-8880-e41d8948427a/

SH256 hash:

1ada18368f81e394e39a5c96ceca73d9fc7eb1cfa01478d1b49eaa28c72b6cba

MD5 hash:

73bd1fe662f1a80c67f747e05dcec4c9

SHA1 hash:

089a8058bb4122cd917e9fc0f52eed553614b1b4

Detections:

win_404keylogger_g0

Link:

https://www.unpac.me/results/21ed9e50-bba4-48ab-8880-e41d8948427a/

Parent samples :

2ac51bddbe245f1d8b6fd18e3e1c361445243006b9e8cdbfb9d5fcaa6cba2420
50bf9e38c817f386cbf2b43ce3766d898571a21e5bb690ad89f851d5bf017bb7
dc00e8e3f7021f242e16107ba976697d93616473833233e85fec9842dca480df
e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31
2b289b1dc38fa9bbd5086bb53a41d36466f899df423df495ae8e7bfd9b06e846
5b4e102595fcfeb47ebf79618cd38e451c8543eb264d7faff586370023b3ccc0
825ed5beee88383c1efb87faad69a6e1650960e08418ce84252852acf1fe5a38
5f76f22bc543897362a09bd6d101583fa0fe5bcaa02b3fd5f67b7c193a1b7ee5

SH256 hash:

f8568197be83f1d847dd47474372237299c2a8897add2b958b4ffaefc347e8c8

MD5 hash:

00a8c87b97aa80274061c20892a61a40

SHA1 hash:

78eaf80ce9cf3895302106bfb0cfd51a9bfa270a

Link:

https://www.unpac.me/results/21ed9e50-bba4-48ab-8880-e41d8948427a/

SH256 hash:

bb3bb3c28084e107a8984e4e78100c71ee8f6fd72d53595b1f38738752bd4d1e

MD5 hash:

aa225dc2ff5c8bfb32159d48f40fbb1e

SHA1 hash:

ddc86fabbda52b976d99179d224cfe2626a4bd59

Link:

https://www.unpac.me/results/21ed9e50-bba4-48ab-8880-e41d8948427a/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/21ed9e50-bba4-48ab-8880-e41d8948427a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Telegram_bot_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	win_404keylogger_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT, Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

404Keylogger

7z d93b1da83fd119817ffe83ea57cf16b847ebd5e8ef177623f3c0c338732f69ed

404Keylogger

exe e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31

(this sample)

Dropped by

MD5 ca405efc6e9d85174d5ab94099bfae0d

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/72789/

Dropped by

SHA256 d93b1da83fd119817ffe83ea57cf16b847ebd5e8ef177623f3c0c338732f69ed

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample