MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397
SHA3-384 hash: 9ada2868e274421da3fd539a9e6efd91fdf56cc41990916e966f14913eb2c670f35c5951e4f2b4d29198071aefe5cac9
SHA1 hash: 6aa21ea3cbd05b2727c2f7cd5328532d617c0dd0
MD5 hash: 7ce622cc13886a55bfce9bcc088c8dc6
humanhash: social-sodium-emma-whiskey
File name:nyen2eabmfb.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'392'189 bytes
First seen:2024-08-19 16:40:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 53dbb427d4fc9e9527dfdd72661dae65 (1 x a310Logger)
ssdeep 24576:fF6kcnUDuwg5tW2l8Ye01R7E/k3vy8OKtlm0PDwVOt3PAThh9qAM:0Lnw69lLeOhbq+GOt3PO5dM
Threatray 13 similar samples on MalwareBazaar
TLSH T1B755231178D8C032EA4059384646DBE6D62AB4356B29A58BFFCD07BE3F34A61D731B43
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter aachum
Tags:44Caliber 44CaliberStealer a310logger exe


Avatar
iamaachum
YouTube Video => https://mega.nz/folder/hcRBGJIY#dF1LR5eY3lgicOntPFjHSA

44Caliber C2: https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_HouSEGlNyNzsrVH6EfQxrh8

Intelligence

File Origin
# of uploads :
1
# of downloads :
369
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
nyen2eabmfb.exe
Verdict:
Malicious activity
Analysis date:
2024-08-19 16:43:00 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/c70a399a-188b-4431-9526-c2719ec2d83d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Enigma-9973746-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c3759fe7ff3f5a063b911b
Tags:
Discovery Encryption Infostealer Static Stealth Trojan
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc obfuscated overlay packed packed sfx shell32
Link:
https://www.filescan.io/uploads/66c375a39a458267e53ef195/reports/c2b0aecb-e855-454e-b98d-df1a1544efba/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BlackGuard Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4af64040-41c3-400a-91a5-0387f7485b05
Result
Threat name:
44Caliber Stealer, BlackGuard, Rags Stea
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1495141
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected 44Caliber Stealer
Yara detected BlackGuard
Yara detected Generic Downloader
Yara detected Rags Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397/
Threat name:
Win32.Trojan.ProtectorEnigma
Create hunting rule
Status:
Malicious
First seen:
2024-08-19 16:41:05 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfgxgr32lyvcfpyau6eyxqvyvv4e5scexqt5xrb4hksvo3j6yolq._file
Verdict:
malicious
Similar samples:
1a3a78f874d806d86e4a781aa267d1a03ec959635011dbedbe5be2adca46b9c5
a310Logger
209585215875802786fb17c99093138929aa6ecd9dfd64cf8970103ba8b50cf9
a310Logger
7de3e6b4df3625053a2fd949f577904c87f1b06f7aa9a8a08289b465b24d22f4
a310Logger
9194469fd47dc746711ff273309a7cbbbfb4649caf68b7a41edae1f98f6fd242
a310Logger
ab84998c1eabad9ce66fbf2c36fd3b5a9f41e4fa1682368526a278b9ecfc0ce1
a310Logger
ed32f2ebfc103f4c81e6e0bf07c269eba45692bb061b9cb28402a74f57871831
a310Logger
fb458da1b9dd47b713d2014fe052ed801c4c84a37f3c3daa0e9cf30ffbbb3e94
a310Logger
+ 3 additional samples on MalwareBazaar
Result
Malware family:
44caliber
Create hunting rule
Score:
  10/10
Tags:
family:44caliber credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240819-t6321svdnh/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
44Caliber
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_HouSEGlNyNzsrVH6EfQxrh8
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/efbe0996-76f8-47a7-9fb2-3d0d5f05cc12
Unpacked files
SH256 hash:
994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397
MD5 hash:
7ce622cc13886a55bfce9bcc088c8dc6
SHA1 hash:
6aa21ea3cbd05b2727c2f7cd5328532d617c0dd0
Link:
https://www.unpac.me/results/e83e96dd-a339-4cd9-9ce0-9d32a56ee8c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397

(this sample)

a310Logger

Executable exe d5a18b44a40e9bc1952bce6e187b81926ffd358aa5ebe95921cde2b9a72b172f

  
Link
https://tria.ge/240819-t13jasvbma
  
Delivery method
Distributed via web download
  
Dropping
SHA256 d5a18b44a40e9bc1952bce6e187b81926ffd358aa5ebe95921cde2b9a72b172f
  
Dropping
MD5 d9ccde3b728fba6d6e3f1b92c75a11a8

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowExW
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments