MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00f7ff43b4690c065497bdae404f265e1283d847b6e284408ae6ec73cc7dcd71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 17


Intelligence 17 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00f7ff43b4690c065497bdae404f265e1283d847b6e284408ae6ec73cc7dcd71
SHA3-384 hash: 20ccfd1efa018899c3413a6514d4b7757c105c97717cc6b76c0d3f12bd39851ac3ee96dbbd70b6b50cdf3c32d12804fb
SHA1 hash: 956d4fe861615d2fe29090741f72b73507f126b1
MD5 hash: 40c228cf18ee2653bc4ed1b488ab2df4
humanhash: nineteen-oregon-north-zebra
File name:BBVA PAGO.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:999'424 bytes
First seen:2025-06-19 06:59:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:kYC4b45PuQhtEv7eFHEARh1MsHb5T69GYjL6r9CBLbw2:MykmAtECFk4h1Z7XY6r9Ow
Threatray 2'038 similar samples on MalwareBazaar
TLSH T11525224AB796D622D9F817F05D12C37613365F8EA410C35BA8F9FDDB79207683868242
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:a310logger BBVA exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BBVA PAGO.exe
Verdict:
Malicious activity
Analysis date:
2025-06-19 07:52:19 UTC
Tags:
stealer evasion netreactor darkcloud upx
Link:
https://app.any.run/tasks/8983de74-ebb5-49c7-8545-935c7ef55e18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10138/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.29598.13587.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6853e3c2e04cd8dcf13b20f0
Tags:
micro krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/6853b5a968102d74cf37864a/reports/47813893-3a1f-4e05-94cb-ef06ff0e1026/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/00f7ff43b4690c065497bdae404f265e1283d847b6e284408ae6ec73cc7dcd71
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c08a5f7-dddb-4a7b-a1d2-03dcc299061b
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1718310
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1718310 Sample: BBVA PAGO.exe Startdate: 19/06/2025 Architecture: WINDOWS Score: 100 46 api.telegram.org 2->46 48 showip.net 2->48 54 Suricata IDS alerts for network traffic 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 62 8 other signatures 2->62 8 BBVA PAGO.exe 7 2->8         started        12 YbonADF.exe 5 2->12         started        signatures3 60 Uses the Telegram API (likely for C&C communication) 46->60 process4 file5 38 C:\Users\user\AppData\Roaming\YbonADF.exe, PE32 8->38 dropped 40 C:\Users\user\...\YbonADF.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmpD4F3.tmp, XML 8->42 dropped 44 C:\Users\user\AppData\...\BBVA PAGO.exe.log, ASCII 8->44 dropped 64 Adds a directory exclusion to Windows Defender 8->64 66 Injects a PE file into a foreign processes 8->66 14 BBVA PAGO.exe 68 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        26 2 other processes 8->26 68 Multi AV Scanner detection for dropped file 12->68 22 YbonADF.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 50 api.telegram.org 149.154.167.220, 443, 49693, 49694 TELEGRAMRU United Kingdom 14->50 52 showip.net 162.55.60.2, 49687, 49691, 80 ACPCA United States 14->52 70 Loading BitLocker PowerShell Module 18->70 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->72 74 Tries to steal Mail credentials (via file / registry access) 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/00f7ff43b4690c065497bdae404f265e1283d847b6e284408ae6ec73cc7dcd71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00f7ff43b4690c065497bdae404f265e1283d847b6e284408ae6ec73cc7dcd71/
Threat name:
ByteCode-MSIL.Trojan.VIPKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-06-19 03:36:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ad376q5unegamvexxwxeatzglyjihwchw3riiqek43whhtd5zvyq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
darkcloudstealer
Create hunting rule
Similar samples:
216aa0125486b52ee78d537de24fb8b4fdcea3ff81b5b85f9bef070026a796cc
a310Logger
36308ae1801e78e307b824c9fe812b3ffb9161c6fb8bbcb4d25a7cd4104e8e41
a310Logger
4a6dcfe4dfe7d02d44962cb9e47d87d6d755d0a9481a8013b145eb674ba567a0
a310Logger
c396d4ff2505f5f79cb995e79aa69faeac8166ea0ad107f9872ff5c837ab915c
a310Logger
+ 2'028 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/250619-hs3csaar2w/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
darkcloud
YARA:
n/a
Link:
https://app.threat.zone/submission/3d3635bf-59cd-4d3a-8d10-09166bb6c25f
Unpacked files
SH256 hash:
00f7ff43b4690c065497bdae404f265e1283d847b6e284408ae6ec73cc7dcd71
MD5 hash:
40c228cf18ee2653bc4ed1b488ab2df4
SHA1 hash:
956d4fe861615d2fe29090741f72b73507f126b1
Link:
https://www.unpac.me/results/98888b23-5d5c-46a5-94b8-c2f7f44950c0/
SH256 hash:
6247951f92a0c7e6ee21bae6f748be3ebea899b10ae6672eb5a971918a0b68b0
MD5 hash:
e8e4a329c82bfa27b4cfbaa23d564ed1
SHA1 hash:
009a7775bba4a18564de97e86df093fe9cd844c7
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/98888b23-5d5c-46a5-94b8-c2f7f44950c0/
Parent samples :
00f7ff43b4690c065497bdae404f265e1283d847b6e284408ae6ec73cc7dcd71
e66777ee4d792b1c933b9bff5d2777df26e5da6e3a5f2ae6e9e38e4e662644e5
9b4e541549ce7327a7fa91c7707365dec04a060b4b63b97798410658847f8c1c
e80896f3ce016957ff20d7b18f546daaead13afd31d7c8c8f94d4039b01db118
d7a183fa0b8ba92d00e0a4c046a410270618f767315a86f4019bfe26d550194a
446ac5b2673ba02db508a71c3c821a4f5b2f6d9b0f8e4af62a7b747dceae33a9
f1afab33fee564c87a2130d066e941f4fa5e6cef5e9368834063e71f793a353d
e8b879b31a0509b447b0975ee255f07ba148c0a6a90cdba08bc7172b820d35ae
SH256 hash:
9eadcef000a8976d716fa6bfe946a3e4d6be9433bb3ffe0297d89f42bbfc5c0f
MD5 hash:
cca23ac9fe91ba147ead4179d942731e
SHA1 hash:
77a719c6c1650577da402f4ed78b2858aa25fc68
Detections:
MALWARE_Win_A310Logger
Create hunting rule
Link:
https://www.unpac.me/results/98888b23-5d5c-46a5-94b8-c2f7f44950c0/
Parent samples :
4bc3ba71f56e14ee1e7eb8f6fea0fbda1a9aa92545205097476853d0308ad623
00f7ff43b4690c065497bdae404f265e1283d847b6e284408ae6ec73cc7dcd71
SH256 hash:
72de5a058b457acb7588bd0800bb7776323ca043dc87679fc91e20bf4b9354b5
MD5 hash:
44f030c7761d48589e4401ee88378d03
SHA1 hash:
c0fa869d42442d9b76bf33bb060992a95a4cd201
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/98888b23-5d5c-46a5-94b8-c2f7f44950c0/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/98888b23-5d5c-46a5-94b8-c2f7f44950c0/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00f7ff43b469/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00f7ff43b4690c065497bdae404f265e1283d847b6e284408ae6ec73cc7dcd71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Runtime_Broker_Variant_1
Create hunting rule
Author:Sn0wFr0$t
Description:Detecting malicious Runtime Broker
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/10138/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (Unrestricted:true)high

Comments