404keylogger | f6cfa0f73d0631c0523d5f26ae6a808f50c8966158f462f62e0f6c0dccf82ce8

General

Target

f6cfa0f73d0631c0523d5f26ae6a808f50c8966158f462f62e0f6c0dccf82ce8
Size

130KB
Sample

220724-z63zxahack
MD5

57ba94b8b52a58444b8d371cfa0949f9
SHA1

30e862404054d63fefc03916b0fd0c5155b817f2
SHA256

f6cfa0f73d0631c0523d5f26ae6a808f50c8966158f462f62e0f6c0dccf82ce8
SHA512

6eeb2fda44ee0e6aacd1686538bd1920f160fbfc6694f637024dfe4c478d750fce48fb3fc8698b223f6a0c8687c1ecb614539fe710dd6fc2d8052caa8c8c64aa

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
]WqfQ8cSP2)6O

Targets

- Target
  
  f6cfa0f73d0631c0523d5f26ae6a808f50c8966158f462f62e0f6c0dccf82ce8
- Size
  
  130KB
- MD5
  
  57ba94b8b52a58444b8d371cfa0949f9
- SHA1
  
  30e862404054d63fefc03916b0fd0c5155b817f2
- SHA256
  
  f6cfa0f73d0631c0523d5f26ae6a808f50c8966158f462f62e0f6c0dccf82ce8
- SHA512
  
  6eeb2fda44ee0e6aacd1686538bd1920f160fbfc6694f637024dfe4c478d750fce48fb3fc8698b223f6a0c8687c1ecb614539fe710dd6fc2d8052caa8c8c64aa
Score

10^/10

persistence 404keylogger collection keylogger stealer
- 404 Keylogger
  Information stealer and keylogger first seen in 2019.
  stealer keylogger 404keylogger
- 404 Keylogger Main Executable
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

404 Keylogger

404 Keylogger Main Executable

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2