MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 18


Intelligence 18 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac
SHA3-384 hash: fa269f9a33b68f16a25bc549807c6b29c314cd04ee363c3b8ce866ba512b699d13a681c6964293bfa23bbba148f973dc
SHA1 hash: 3ef7e0fcfb47096f2b57b8685c42aa1b476f3404
MD5 hash: cb4a5ce658739a3a304dabe560573b1b
humanhash: golf-charlie-twenty-arkansas
File name:KR-Inquiry-XXXXX.scr
Download: download sample
Signature a310Logger
Create hunting rule
File size:931'840 bytes
First seen:2025-12-08 14:47:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:NrlBfc6Vj1Z0G7GzHhwgH8nmfMoop517nXkQ8vkZT7o2:9lB7tv7Ummf8p517nXX8vIo2
Threatray 27 similar samples on MalwareBazaar
TLSH T15C15F1E43B71B719CE654A30EA79DEB642E61D7CB0017AE669DC7B17349C210AE0CF06
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:a310logger exe scr

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/240d0d93-18c8-4365-9578-d6294fab572b/
Malware family:
n/a
ID:
1
File name:
KR-Inquiry-XXXXX.scr
Verdict:
Malicious activity
Analysis date:
2025-12-08 17:48:07 UTC
Tags:
telegram auto-sch-xml darkcloud stealer upx ims-api generic
Link:
https://app.any.run/tasks/9a4d64fa-05c0-45df-b39f-b5444e52a75f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43173/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936e555881313558a2b8717
Tags:
infosteal shell virus sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed vbnet
Link:
https://www.filescan.io/uploads/6936e534bba50eaf042713c1/reports/2f0fe86e-d652-4881-be85-c7aee6b83c74/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-08T08:25:00Z UTC
Last seen:
2025-12-10T12:21:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/49da4ccc-1236-427f-bcf7-2f08d1e3a634
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1828870
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1828870 Sample: KR-Inquiry-XXXXX.scr.exe Startdate: 08/12/2025 Architecture: WINDOWS Score: 100 85 api.telegram.org 2->85 87 gdcrl.godaddy.com.akadns.net 2->87 89 crl.godaddy.com 2->89 97 Found malware configuration 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 Antivirus detection for dropped file 2->101 105 10 other signatures 2->105 10 KR-Inquiry-XXXXX.scr.exe 7 2->10         started        14 VoAvfzKm.exe 5 2->14         started        16 svchost.exe 2->16         started        signatures3 103 Uses the Telegram API (likely for C&C communication) 85->103 process4 dnsIp5 75 C:\Users\user\AppData\Roaming\VoAvfzKm.exe, PE32 10->75 dropped 77 C:\Users\...\VoAvfzKm.exe:Zone.Identifier, ASCII 10->77 dropped 79 C:\Users\user\AppData\Local\...\tmp98F9.tmp, XML 10->79 dropped 81 C:\Users\...\KR-Inquiry-XXXXX.scr.exe.log, ASCII 10->81 dropped 111 Uses schtasks.exe or at.exe to add and modify task schedules 10->111 113 Adds a directory exclusion to Windows Defender 10->113 115 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 10->115 19 KR-Inquiry-XXXXX.scr.exe 2 17 10->19         started        23 powershell.exe 23 10->23         started        26 schtasks.exe 1 10->26         started        28 KR-Inquiry-XXXXX.scr.exe 10->28         started        117 Injects a PE file into a foreign processes 14->117 30 VoAvfzKm.exe 14->30         started        32 schtasks.exe 14->32         started        83 127.0.0.1 unknown unknown 16->83 file6 signatures7 process8 dnsIp9 91 api.telegram.org 149.154.167.220, 443, 49699, 49712 TELEGRAMRU United Kingdom 19->91 93 gdcrl.godaddy.com.akadns.net 192.124.249.31, 49701, 49713, 80 SUCURI-SECUS United States 19->93 95 192.124.249.41, 49727, 80 SUCURI-SECUS United States 19->95 71 C:\Users\user\AppData\...\chrome.exe (copy), PE32 19->71 dropped 73 C:\Users\user\AppData\...\Project1.exe, PE32 19->73 dropped 34 chrome.exe 19->34         started        37 taskkill.exe 1 19->37         started        107 Loading BitLocker PowerShell Module 23->107 39 conhost.exe 23->39         started        41 WmiPrvSE.exe 23->41         started        43 conhost.exe 26->43         started        109 Tries to harvest and steal browser information (history, passwords, etc) 30->109 45 Google-Chrome.exe 30->45         started        47 taskkill.exe 30->47         started        49 conhost.exe 32->49         started        file10 signatures11 process12 file13 69 C:\Program Filesbehaviorgraphoogle\...behaviorgraphoogle-Chrome.exe, PE32+ 34->69 dropped 51 Google-Chrome.exe 34->51         started        53 conhost.exe 37->53         started        55 WerFault.exe 43->55         started        57 WerFault.exe 43->57         started        59 conhost.exe 45->59         started        61 WerFault.exe 45->61         started        63 conhost.exe 47->63         started        process14 process15 65 conhost.exe 51->65         started        67 WerFault.exe 51->67         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.39 Win 32 Exe x86
Link:
https://app.malva.re/file/cb4a5ce658739a3a304dabe560573b1b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-12-08 15:21:17 UTC
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aa75tdxdcrq2w7weet4bqdkoddm7xgmsp3bih5mubsvhrpypl6wa._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
34c4142c1ce499a86d75d293dc49bdbdc7f98f7d5dbe95a5947315e37a94a4c9
a310Logger
dec24a14f83ed2a0c6fdb82fc2e3e08ee48fc0b3c2d2ddef2cdb4450c9930202
a310Logger
e2b1a14ff6bd21b100d9ff3b769c14f0724f145561b30d1213a3e97773adf1de
a310Logger
error
a310Logger
f04f0792bf28699a4e0d410ae715730df6a1ea1b9feee7a025543a402cb81451
a310Logger
+ 17 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud defense_evasion discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/251208-r6mc6aez6b/
Behaviour
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e522089d-0011-45ee-8774-140b388af1d1
Unpacked files
SH256 hash:
003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac
MD5 hash:
cb4a5ce658739a3a304dabe560573b1b
SHA1 hash:
3ef7e0fcfb47096f2b57b8685c42aa1b476f3404
Link:
https://www.unpac.me/results/51a9c158-a602-4b67-a110-014cdbab44eb/
SH256 hash:
52da20914838128e19ddf897f34492d62828239ba817441f8a6eb5f9af88aa88
MD5 hash:
39ddd542047677c664ccea2f8b465e1c
SHA1 hash:
36cad76f5c3ed605ef62aedb4c6f4ea5dc75af19
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/51a9c158-a602-4b67-a110-014cdbab44eb/
SH256 hash:
efb6a13171efda5436a296f735066a438a281d0c38a63831d59c9bb86ed4e1cb
MD5 hash:
03be1634a292fb3b9dd147fc52404a43
SHA1 hash:
9b814356f9cf32900e28e1a3ba69018b7b31c471
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/51a9c158-a602-4b67-a110-014cdbab44eb/
Parent samples :
003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac
e2b1a14ff6bd21b100d9ff3b769c14f0724f145561b30d1213a3e97773adf1de
ec00fef0a4b089daaad9bf08c5d195cf291adb2330989d1045dfa12c23783301
d28d2788b9d5b476e71fb63b71e36b3eb36fed4ca0152f36fa6f00aab857543f
ec595bacfb1aede541f76c88ef83d2d43aab06d7379ab78841c2d8740358543a
3d26d15d45309e55871bd2bbfe808557995ad18a94fb08374afc6209710fe1ea
6712822d0051f3cf96949990caaf64dc9f9b0ed059d80fdfa040170dc2199cd5
36a3c500ed0500d0d2c222504cdd3023a4f3b8dabe2a50f45f31908b3a4ddd74
a6845ce1eab253282556ab7bed1ee055703ea0b3821f3afacdddf9b518c8ac62
b7f767683d6ba7f2a015deb244563b8ea8f3f690aac4dab8d7b12c7dfbd7bd51
f73d18e26ab65daf7d47eb8418fc31cf3251de98026fc8bab89fdfe162039412
d90e0f94e8df83ea22b969f61790f92e5439d0ce4eac48950e7c47aac0ada1b3
283447a47c7a5e90bdf94f7fe4ca0710bbc238d471509d17f56e584b1458d63e
90ee1e7a6193aa7c62de6fd466fc0ca1fe7b8aaec67fa98e96183079222593f4
aaa8bf0cd32ebc28b46c337e6d91a4202434f7bdbeb1ddb7c8bb84e2d69f3ddd
4f7eb929f88b07150a41fc45e4e4924448570d6fc84d6e10ef2119a4c7c3e2b3
2a326dcd2257005284073b14f534ba7a4a6e2ada8d9ec1d8df1f72789366d055
8a3fe2533d9c2036dd92b2b437b8d1ca237308d4383cdfb4cf13eadd9012060a
77d676adea7d98767c2412d2bec0298d9514b6eb3ca5ecfe1cd5d29b1ace1824
eb69376e8cbc70007583ae4283dfba5451d44047c8f95a2a9fd12d81cdfe6062
6f16060b9b2ed31c7f92adc048988ab883e39654643cde96ef767fddd2475915
b49f326c7a4f5156fc6033fe83b1129ebf9679947afb36ade578a656eac96c10
SH256 hash:
b084a4d9756a091c660802e982f8ff9cf3943730edbd13147ebb543e882cfc67
MD5 hash:
5fd1b7383bb8a01680629dffd6a02ed2
SHA1 hash:
c0065bc2744930233abdf59b0088216b68700243
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/51a9c158-a602-4b67-a110-014cdbab44eb/
Parent samples :
003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac
aaa8bf0cd32ebc28b46c337e6d91a4202434f7bdbeb1ddb7c8bb84e2d69f3ddd
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/51a9c158-a602-4b67-a110-014cdbab44eb/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/003fd98ee314/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TelegramAPIMalware_PowerShell_EXE
Create hunting rule
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

rar fd38008dce01e7bfd06e85a3bb053582a6f8a24070b0176b0906932ddc827849

a310Logger

Executable exe 003fd98ee31461ab7ec424f8180d4e18d9fb99927ec283f5940caa78bf0f5fac

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fd38008dce01e7bfd06e85a3bb053582a6f8a24070b0176b0906932ddc827849
Cape
Cape
https://www.capesandbox.com/analysis/43173/
  
Dropped by
MD5 62e3408f1937719bc5f8e6e02c3f0e26

Comments