404keylogger | aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9

General

Target

aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe
Size

566KB
MD5

2e6a65be958f5ecda11b983c7f8767a5
SHA1

c3027e506cb1e0563a8229a5c64b0f51f68dc08e
SHA256

aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9
SHA512

309569b1250ea57d831f419dbd4f733ecc14f81d613f5b19e24dd598ae426d146696416645a09b652d80a375a220c0ba4f30d6e91ef3673a44441c23659c6e48

Score

10^/10

404keylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
payment12345

Signatures

404 Keylogger
Information stealer and keylogger first seen in 2019.
stealer keylogger 404keylogger

404 Keylogger Main Executable 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1168-69-0x0000000000400000-0x000000000041E000-memory.dmp	family_404keylogger

Drops startup file 1 IoCs

Processes:

aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe

description	pid	process	target process
PID 912 set thread context of 1168	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

1168 RegAsm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe

pid process

912 aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1168 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1168 RegAsm.exe

pid	process
1168	RegAsm.exe

pid	process
912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe

description	pid	process
Token: SeDebugPrivilege	1168	RegAsm.exe

pid	process
1168	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.execsc.exe

description	pid	process	target process
PID 912 wrote to memory of 1768	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	csc.exe
PID 912 wrote to memory of 1768	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	csc.exe
PID 912 wrote to memory of 1768	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	csc.exe
PID 912 wrote to memory of 1768	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	csc.exe
PID 1768 wrote to memory of 1984	1768	csc.exe	cvtres.exe
PID 1768 wrote to memory of 1984	1768	csc.exe	cvtres.exe
PID 1768 wrote to memory of 1984	1768	csc.exe	cvtres.exe
PID 1768 wrote to memory of 1984	1768	csc.exe	cvtres.exe
PID 912 wrote to memory of 1168	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	RegAsm.exe
PID 912 wrote to memory of 1168	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	RegAsm.exe
PID 912 wrote to memory of 1168	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	RegAsm.exe
PID 912 wrote to memory of 1168	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	RegAsm.exe
PID 912 wrote to memory of 1168	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	RegAsm.exe
PID 912 wrote to memory of 1168	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	RegAsm.exe
PID 912 wrote to memory of 1168	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	RegAsm.exe
PID 912 wrote to memory of 1168	912	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe
"C:\Users\Admin\AppData\Local\Temp\aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tv15qcyn\tv15qcyn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB70.tmp" "c:\Users\Admin\AppData\Local\Temp\tv15qcyn\CSCFE623A153662428BAFC2DF6A6F64E94D.TMP"
    3⤵
    PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFB70.tmp

Filesize
1KB

MD5
a2d45569548ba024f49b51eecc7a2064

SHA1
42b5c83e377b5bf19d789a902152a8b48913d13f

SHA256
6e4dfb090c91a3229d9a9d28c0d79b452c820b7abbd333eba29b3580d0dc96ff

SHA512
d45be64dab604a207626df774408153c6cc548cbea3a5ff59c5de4d702ecbbdfa316bfa13c4f88d7d42a4ef4172425e13deb896fe37dc6311056b9f8d8338580

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv15qcyn\tv15qcyn.dll

Filesize
364KB

MD5
4d763fa516cc2d314541c3dba4e302db

SHA1
05b52f9f951d8fd9e959b130d514a1fd0089bef5

SHA256
ad01939b10041141df39cdca6623bdadbbc72749e4a571302986f024944348d2

SHA512
9e1d63ab5cbb13f56b692ea991483a9a26ae41c69677074b3f87525a16560d9728e802a8bda21377969b794d3ebcb732098160a67d4b2020a1b74e1dc15208c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tv15qcyn\CSCFE623A153662428BAFC2DF6A6F64E94D.TMP

Filesize
1KB

MD5
01f24c415d76496367bf021607ab8561

SHA1
f9a6fe1106644b4dfce7254646eed58c5f03b53c

SHA256
d711f7e926366b753aa7355f2b90d8ea476436935b2938204b153df9cdb281b2

SHA512
b86aa4f52c303f958ffa561d7b3cbc3563ee1e0cecbd2b8c868c5f772bafb7927d00dc0dd89e59645e53e8d200504007fc753a468a5946056366671c09b78a9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tv15qcyn\tv15qcyn.0.cs

Filesize
540KB

MD5
e538de21aa1198640d93adf3cb341da5

SHA1
d04dd6104bcea8a871bd6ad538a9e9b760e471fe

SHA256
4fa2c7b3e0c24e351e82b72dab40cffd3eca76f7bd7e8c534e838a8809f2b829

SHA512
5fb937dc17311b534c29c1ca2a5d13a58330ad4d8ec0a14a121ae27e582186e7d8857e5a5756b51195819d08e754a1b3daed9fbf5e42291c35272c79772d8c52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tv15qcyn\tv15qcyn.cmdline

Filesize
301B

MD5
afb6eb09890ea88dd4d085708d34985e

SHA1
1c2dbd242da130468c563aec60226fd5e1a8904f

SHA256
f780c6689c4d55b1c289ad22a18c95724b70714968e3e7b87dc20b7b75f0b606

SHA512
c39c69c565f826bdbf56c56d3ed2a973ef7867ff892d11dea0bf73d0aaec5aa6888661dcc88d9064c279140498f46064537afd115f7efc4e779510618fd43b4a

Download Submit
memory/912-54-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/912-55-0x0000000074DB1000-0x0000000074DB3000-memory.dmp

Filesize
8KB

Download
memory/912-63-0x0000000000610000-0x0000000000672000-memory.dmp

Filesize
392KB

Download
memory/912-64-0x00000000004E0000-0x0000000000508000-memory.dmp

Filesize
160KB

Download
memory/912-65-0x00000000006B0000-0x00000000006B3000-memory.dmp

Filesize
12KB

Download
memory/912-67-0x00000000006C0000-0x00000000006C3000-memory.dmp

Filesize
12KB

Download
memory/1168-66-0x0000000000419CAE-mapping.dmp

Download
memory/1168-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1768-56-0x0000000000000000-mapping.dmp

Download
memory/1984-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads