404keylogger | 6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e

General

Target

6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe
Size

291KB
MD5

471c1bfe49a45efdbd925956ef79b18a
SHA1

4891a1b912848c5990ceabd7cfb815df4d7ee6ab
SHA256

6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e
SHA512

58db68688cd70eb7d4646d6f31b618525b3c5bb282955d530ab023e18ebefd0d0f6be397f0c0866ae7d8c93e30c57a8ea6ffd7f60ccb94c470f13babae0100c3

Score

10^/10

404keylogger collection keylogger persistence stealer

Malware Config

Signatures

404 Keylogger
Information stealer and keylogger first seen in 2019.
stealer keylogger 404keylogger

404 Keylogger Main Executable 1 IoCs

resource	yara_rule
behavioral2/memory/4880-136-0x0000000000400000-0x0000000000422000-memory.dmp	family_404keylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PPnQl = "C:\\Users\\Admin\\AppData\\Local\\PPnQlf\\PPnQlfntG.hta"	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 4880	4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe	81

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2740	4880	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe
4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe
4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe
4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe
4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe
4880	InstallUtil.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe
Token: SeDebugPrivilege	4880	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4880	InstallUtil.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4880	4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe	81
PID 4832 wrote to memory of 4880	4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe	81
PID 4832 wrote to memory of 4880	4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe	81
PID 4832 wrote to memory of 4880	4832	6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe
"C:\Users\Admin\AppData\Local\Temp\6f114eb67f2957867f449185493502e761dac3bf42afec7fcea2a1f49135b83e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:4880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1940
    3⤵
    - Program crash
    PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4880 -ip 4880
1⤵
PID:4332

Network

DNS

checkip.dyndns.org

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

193.122.6.168

checkip.dyndns.com

IN A

132.226.247.73

checkip.dyndns.com

IN A

132.226.8.169

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

193.122.130.0
GET

http://checkip.dyndns.org/

InstallUtil.exe

Remote address:

193.122.6.168:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 26 Jul 2022 06:58:33 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
DNS

mail.villa-samnang.com

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

mail.villa-samnang.com

IN A

Response

216.36.0.99:777

tls

92 B
2.1kB
2
2
46.4.78.148:9001

46 B
1.4kB
1
1
103.158.223.168:9001

tls

46 B
1.1kB
1
1
131.188.40.189:443

tls

46 B
583 B
1
1
193.23.244.244:443

tls

46 B
583 B
1
1
193.122.6.168:80

http://checkip.dyndns.org/

http

InstallUtil.exe

381 B
405 B
5
3

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

8.8.8.8:53

checkip.dyndns.org

dns

InstallUtil.exe

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

193.122.6.168

132.226.247.73

132.226.8.169

158.101.44.242

193.122.130.0
8.8.8.8:53

mail.villa-samnang.com

dns

InstallUtil.exe

68 B
138 B
1
1

DNS Request

mail.villa-samnang.com

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4832-132-0x00000000000C0000-0x000000000010E000-memory.dmp

Filesize
312KB

Download
memory/4832-133-0x0000000004CA0000-0x0000000004D32000-memory.dmp

Filesize
584KB

Download
memory/4832-134-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/4880-136-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4880-137-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/4880-138-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/4880-139-0x0000000006570000-0x0000000006732000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.