404keylogger | aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9

General

Target

aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe
Size

566KB
MD5

2e6a65be958f5ecda11b983c7f8767a5
SHA1

c3027e506cb1e0563a8229a5c64b0f51f68dc08e
SHA256

aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9
SHA512

309569b1250ea57d831f419dbd4f733ecc14f81d613f5b19e24dd598ae426d146696416645a09b652d80a375a220c0ba4f30d6e91ef3673a44441c23659c6e48

Score

10^/10

404keylogger collection keylogger spyware stealer

Malware Config

Signatures

404 Keylogger
Information stealer and keylogger first seen in 2019.
stealer keylogger 404keylogger

404 Keylogger Main Executable 1 IoCs

resource	yara_rule
behavioral2/memory/2548-141-0x0000000000400000-0x000000000041E000-memory.dmp	family_404keylogger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2312 set thread context of 2548	2312	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	87

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2548	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2312	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2548	RegAsm.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1632	2312	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	83
PID 2312 wrote to memory of 1632	2312	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	83
PID 2312 wrote to memory of 1632	2312	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	83
PID 1632 wrote to memory of 1876	1632	csc.exe	85
PID 1632 wrote to memory of 1876	1632	csc.exe	85
PID 1632 wrote to memory of 1876	1632	csc.exe	85
PID 2312 wrote to memory of 2548	2312	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	87
PID 2312 wrote to memory of 2548	2312	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	87
PID 2312 wrote to memory of 2548	2312	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	87
PID 2312 wrote to memory of 2548	2312	aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe
"C:\Users\Admin\AppData\Local\Temp\aa589381220413a2f4ab55a90e40a24fd9dba83f037f764e86a8d1a939f043a9.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sahj5nai\sahj5nai.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F1C.tmp" "c:\Users\Admin\AppData\Local\Temp\sahj5nai\CSC5BB816FBDDAD43BDBEA859EC4381F13.TMP"
    3⤵
    PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:2548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3F1C.tmp

Filesize
1KB

MD5
eb6c413701702573bbe4ef6ce726418f

SHA1
301dc3359d1077637f4faeb81f80b218996f9890

SHA256
ff7901b0b103c2922faf8eee60cd640f48a829144d248a642a0c24ebff441ed2

SHA512
6790733fc225f4113a4fd0db06a0fa77b87582c6ee499b96329dcccdf6869b9921b8c635970905db25208cb8ae912725437008cded3877545199f906d8ce6a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sahj5nai\sahj5nai.dll

Filesize
364KB

MD5
58553fcb94893dc751ac76787bbaa730

SHA1
ebecd7ab9958cf2657d908d1df4ff79c13b5ba04

SHA256
39406f152b775257022aed46c5e3b83e9b4de3d1943f510092a7428ec918941c

SHA512
f48d2a343888644c3797bb670aecb1ae05edeb457329d94e960a7118aebc3fc6b7cf8a20b25792105195cf30a53e2431c82595eb9002a5a53dff5d6512437534

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sahj5nai\CSC5BB816FBDDAD43BDBEA859EC4381F13.TMP

Filesize
1KB

MD5
8ddb83b669483ca92bcb24ce6730ebfa

SHA1
c68a2a65126191f09690c1160b41b35d77bee6ed

SHA256
803d9bf6744b03bb55d601662e66241b2db240c2e5842e860cff1e607f942565

SHA512
ba4611f3b79f5d6c41f97fec45e4498d90d8dff49fb75c64de4810953b11f862ebcdda3a6ab7cd29898d53aa459cdba4ec90d55ce52f6d8599dfff187c65ac6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sahj5nai\sahj5nai.0.cs

Filesize
540KB

MD5
e538de21aa1198640d93adf3cb341da5

SHA1
d04dd6104bcea8a871bd6ad538a9e9b760e471fe

SHA256
4fa2c7b3e0c24e351e82b72dab40cffd3eca76f7bd7e8c534e838a8809f2b829

SHA512
5fb937dc17311b534c29c1ca2a5d13a58330ad4d8ec0a14a121ae27e582186e7d8857e5a5756b51195819d08e754a1b3daed9fbf5e42291c35272c79772d8c52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sahj5nai\sahj5nai.cmdline

Filesize
301B

MD5
9032ccf598fa4bfc91e43258a48cbb83

SHA1
ad5192719455c941d7034303989c8801a565b411

SHA256
1d1d19a94c4cfa90181876c973e602917cb04fbc1630e7e9bb983e2fef1bf9f9

SHA512
7cbab6f1ae8a0bd00c3c64a8bfe67fb40d825af02f39554d4f54255ba2348991474754547f5429442aa1cf261f22580f5076d346c141c424d84d81da61759f5b

Download Submit
memory/2312-138-0x00000000055D0000-0x00000000055D3000-memory.dmp

Filesize
12KB

Download
memory/2312-130-0x0000000000C40000-0x0000000000CD4000-memory.dmp

Filesize
592KB

Download
memory/2312-140-0x0000000005C90000-0x0000000005C93000-memory.dmp

Filesize
12KB

Download
memory/2548-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2548-142-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/2548-143-0x00000000055F0000-0x000000000568C000-memory.dmp

Filesize
624KB

Download
memory/2548-144-0x0000000006420000-0x0000000006486000-memory.dmp

Filesize
408KB

Download
memory/2548-145-0x0000000006AA0000-0x0000000006C62000-memory.dmp

Filesize
1.8MB

Download
memory/2548-146-0x0000000006590000-0x0000000006622000-memory.dmp

Filesize
584KB

Download
memory/2548-147-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing