404keylogger | 3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

General

Target

3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
Size

747KB
MD5

3cd2595e3d20f8200d3ddf84b81932de
SHA1

c05f5a5fd2e0da7be16621a5482541f3d492891c
SHA256

3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c
SHA512

fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670
SSDEEP

12288:H7nYP1+rSlwFON6zXeEt+f2VtTwfyfyp4P7r9r/+ppppppppppppppppppppppp0:HDYP1+rDOkKderNqS1qU

Score

10^/10

404keylogger formbook cix keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

cix

Decoy

stephaniperold.com

sorairo12.com

palumasteknik.com

marketing4proptech.com

iwanttoheargod.com

structured-waters.com

sunvalleyvacations.net

sanketweb.com

tmasco.com

d-valentine.com

engmousavi.com

lithiumtolashes.com

texastramper.com

shoemall.store

beginningguitarbook.com

wonderlustnfairytales.com

bizinabox.store

kmacg.net

cashgold4cash.com

smtpguide.com

Signatures

404 Keylogger
Information stealer and keylogger first seen in 2019.
stealer keylogger 404keylogger

404 Keylogger Main Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ac2b-21.dat	family_404keylogger
behavioral1/memory/1888-24-0x00000000001A0000-0x00000000001BE000-memory.dmp	family_404keylogger

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/3592-34-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/3592-41-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook

Executes dropped EXE 3 IoCs

pid	Process
4668	Coseismic.scr
1888	Payment receipt.exe
3592	Coseismic.scr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\plymouthism = "wscript \"C:\\Users\\Admin\\Pinatype\\Coseismic.vbs\""	Coseismic.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VJCHB60PCNYP = "C:\\Program Files (x86)\\X6ljxobb\\uxl0rdypxt6tcx.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 3412	3592	Coseismic.scr	55
PID 5080 set thread context of 3412	5080	svchost.exe	55

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\X6ljxobb\uxl0rdypxt6tcx.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	Coseismic.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4020	1888	WerFault.exe	77

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4106386276-4127174233-3637007343-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3592	Coseismic.scr
3592	Coseismic.scr
3592	Coseismic.scr
3592	Coseismic.scr
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe
5080	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3592	Coseismic.scr
3592	Coseismic.scr
3592	Coseismic.scr
5080	svchost.exe
5080	svchost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	Payment receipt.exe
Token: SeDebugPrivilege	3592	Coseismic.scr
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeDebugPrivilege	5080	svchost.exe
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
404	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
1236	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
4668	Coseismic.scr
3592	Coseismic.scr

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1236	404	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	75
PID 404 wrote to memory of 1236	404	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	75
PID 404 wrote to memory of 1236	404	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	75
PID 1236 wrote to memory of 4668	1236	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	76
PID 1236 wrote to memory of 4668	1236	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	76
PID 1236 wrote to memory of 4668	1236	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	76
PID 1236 wrote to memory of 1888	1236	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	77
PID 1236 wrote to memory of 1888	1236	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	77
PID 1236 wrote to memory of 1888	1236	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	77
PID 4668 wrote to memory of 3592	4668	Coseismic.scr	78
PID 4668 wrote to memory of 3592	4668	Coseismic.scr	78
PID 4668 wrote to memory of 3592	4668	Coseismic.scr	78
PID 3412 wrote to memory of 5080	3412	Explorer.EXE	79
PID 3412 wrote to memory of 5080	3412	Explorer.EXE	79
PID 3412 wrote to memory of 5080	3412	Explorer.EXE	79
PID 5080 wrote to memory of 644	5080	svchost.exe	82
PID 5080 wrote to memory of 644	5080	svchost.exe	82
PID 5080 wrote to memory of 644	5080	svchost.exe	82
PID 5080 wrote to memory of 4556	5080	svchost.exe	84
PID 5080 wrote to memory of 4556	5080	svchost.exe	84
PID 5080 wrote to memory of 4556	5080	svchost.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
  "C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
    "C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Users\Admin\Pinatype\Coseismic.scr
      "C:\Users\Admin\Pinatype\Coseismic.scr" /S
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Users\Admin\Pinatype\Coseismic.scr
        
        "C:\Users\Admin\Pinatype\Coseismic.scr" /S
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3592
  - - C:\Users\Admin\Payment receipt.exe
      "C:\Users\Admin\Payment receipt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 1496
        5⤵
        Program crash
        
        PID:4020
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\Pinatype\Coseismic.scr"
    3⤵
    PID:644
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\Payment receipt.exe

Filesize
98KB

MD5
f064015d967ac5fbedbe21c01689f388

SHA1
4f2044ea34938b045c5e62c389f3c62c44cb5392

SHA256
980563afc8a4af6029ef7266392765e4ed9cf23eb242078701b65f5d9078b0af

SHA512
2bf694bbada5bc84ec2e68b4b8e4a6c3b747c14e5e4f5aae0d25c5c94a44ed3df16b2384a966da9ce1d405441eb2727af22868204cca0a2b157a7ae0efedd67f

Download Submit
C:\Users\Admin\Pinatype\Coseismic.scr

Filesize
747KB

MD5
3cd2595e3d20f8200d3ddf84b81932de

SHA1
c05f5a5fd2e0da7be16621a5482541f3d492891c

SHA256
3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

SHA512
fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/404-3-0x00000000024C0000-0x00000000024CA000-memory.dmp

Filesize
40KB

Download
memory/404-4-0x00007FFE93CA1000-0x00007FFE93DAF000-memory.dmp

Filesize
1.1MB

Download
memory/404-5-0x00007FFE93CA0000-0x00007FFE93E7B000-memory.dmp

Filesize
1.9MB

Download
memory/1236-10-0x00007FFE93CA0000-0x00007FFE93E7B000-memory.dmp

Filesize
1.9MB

Download
memory/1888-25-0x00000000050C0000-0x00000000055BE000-memory.dmp

Filesize
5.0MB

Download
memory/1888-26-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

Filesize
624KB

Download
memory/1888-24-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/3412-44-0x00000000053E0000-0x000000000552C000-memory.dmp

Filesize
1.3MB

Download
memory/3592-35-0x0000000002230000-0x000000000223A000-memory.dmp

Filesize
40KB

Download
memory/3592-34-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3592-41-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5080-37-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/5080-38-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/5080-39-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads