404keylogger | 80ffd81d3515ad6c242ee9c7a89570b3dc64554c7374a618194f97f4ead977a0

General

Target

80ffd81d3515ad6c242ee9c7a89570b3dc64554c7374a618194f97f4ead977a0
Size

277KB
Sample

220625-lfwk9aegen
MD5

42c46a822f403a6be70133ba356b917a
SHA1

0e49ed7754d124cdea0986a1034c5ec7ba1b7696
SHA256

80ffd81d3515ad6c242ee9c7a89570b3dc64554c7374a618194f97f4ead977a0
SHA512

3f4683cda00973e6f97daecd54a558f36edc893c35b2bf7ca3df5d5090a8f942ae717ef80d17530137883151fbc88cb75cda9ec3d27621929ed885a6edd3dd1b

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
!td!$yHM4DMKS

Targets

- Target
  
  80ffd81d3515ad6c242ee9c7a89570b3dc64554c7374a618194f97f4ead977a0
- Size
  
  277KB
- MD5
  
  42c46a822f403a6be70133ba356b917a
- SHA1
  
  0e49ed7754d124cdea0986a1034c5ec7ba1b7696
- SHA256
  
  80ffd81d3515ad6c242ee9c7a89570b3dc64554c7374a618194f97f4ead977a0
- SHA512
  
  3f4683cda00973e6f97daecd54a558f36edc893c35b2bf7ca3df5d5090a8f942ae717ef80d17530137883151fbc88cb75cda9ec3d27621929ed885a6edd3dd1b
Score

10^/10

404keylogger collection keylogger persistence stealer
- 404 Keylogger
  Information stealer and keylogger first seen in 2019.
  stealer keylogger 404keylogger
- 404 Keylogger Main Executable
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

404 Keylogger

404 Keylogger Main Executable

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2