MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01dccd80e7c6948853bacb394d25995d5886f84c05bfbb506b4c5862d8221901. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01dccd80e7c6948853bacb394d25995d5886f84c05bfbb506b4c5862d8221901
SHA3-384 hash: bff4318d569e6d61ec24f5a4dd3d8bf23f0f6f6cc27697eda2a5bec7e52eff5deefe03abc3cf9cf6668948a8807d43e1
SHA1 hash: 83b1cdaa08b1e5c32b5baed55c22608ce9d01944
MD5 hash: f6ca0052f508770f499eaddb5dfdefa5
humanhash: pasta-quiet-eight-zulu
File name:f6ca0052f508770f499eaddb5dfdefa5.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:732'656 bytes
First seen:2021-08-10 15:12:34 UTC
Last seen:2021-08-10 17:45:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:8AIfVYIdFMXgcisxVmXldFPaNGhC5VMgSxLH49TWwp8u911p0ziyMtSUPaTfrgKy:2V5zMbiMVAlbPaNG2egFTW+8AsiAUPa6
Threatray 1'147 similar samples on MalwareBazaar
TLSH T1E3F41210BA1BA561D5E80677C2D3AD7C27A0FE13B621D61B10EC7F0936377A6B9D120E
dhash icon 27f0d8d4d4d8f027 (16 x AgentTesla, 6 x NanoCore, 5 x DarkCloud)
Reporter abuse_ch
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f6ca0052f508770f499eaddb5dfdefa5.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-10 15:15:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8d28abeb-4ce9-4e96-8b4a-4c270394ebbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178005/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37372726.10751.16472.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fc2e141-613c-4706-ac7e-4d3c85486832
Result
Threat name:
StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830330
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 462757 Sample: rFlQEfNOHz.exe Startdate: 10/08/2021 Architecture: WINDOWS Score: 100 57 104.18.6.156, 49749, 80 CLOUDFLARENETUS United States 2->57 59 restd.club 2->59 61 2 other IPs or domains 2->61 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 3 other signatures 2->87 9 rFlQEfNOHz.exe 1 8 2->9         started        13 paint.exe 5 2->13         started        15 paint.exe 2->15         started        signatures3 process4 file5 43 C:\Users\user\AppData\Roaming\...\paint.exe, PE32 9->43 dropped 45 C:\Users\user\AppData\...\rFlQEfNOHz.exe, PE32 9->45 dropped 47 C:\Users\user\...\paint.exe:Zone.Identifier, ASCII 9->47 dropped 53 2 other malicious files 9->53 dropped 97 Writes to foreign memory regions 9->97 99 Injects a PE file into a foreign processes 9->99 17 rFlQEfNOHz.exe 1 9->17         started        49 C:\Users\user\AppData\Local\Temp\paint.exe, PE32 13->49 dropped 51 C:\Users\user\...\paint.exe:Zone.Identifier, ASCII 13->51 dropped 21 paint.exe 13->21         started        signatures6 process7 dnsIp8 55 restd.club 198.54.114.236, 49742, 49750, 587 NAMECHEAP-NETUS United States 17->55 67 Multi AV Scanner detection for dropped file 17->67 69 Detected unpacking (creates a PE file in dynamic memory) 17->69 71 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->71 75 3 other signatures 17->75 23 AppLaunch.exe 15 5 17->23         started        28 AppLaunch.exe 17->28         started        30 AppLaunch.exe 17->30         started        32 AppLaunch.exe 1 17->32         started        73 Tries to steal Crypto Currency Wallets 21->73 signatures9 process10 dnsIp11 63 icanhazip.com 104.18.7.156, 49740, 80 CLOUDFLARENETUS United States 23->63 65 205.12.2.0.in-addr.arpa 23->65 41 C:\Users\user\AppData\...\oizQrPOc.exe, PE32 23->41 dropped 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->89 91 May check the online IP address of the machine 23->91 93 Tries to steal Instant Messenger accounts or passwords 23->93 95 2 other signatures 23->95 34 oizQrPOc.exe 1 23->34         started        37 WerFault.exe 28->37         started        39 WerFault.exe 30->39         started        file12 signatures13 process14 signatures15 77 Multi AV Scanner detection for dropped file 34->77 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->79
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01dccd80e7c6948853bacb394d25995d5886f84c05bfbb506b4c5862d8221901/
Threat name:
ByteCode-MSIL.Backdoor.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 19:47:41 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
06671aa1c0e3f5552f64c537c302ccb4d94dc24a6e3a5f99d7ba31bc4b94b6c7
a310Logger
1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81
a310Logger
3abd941389c4d76a2e36c0c4468aab3b891925225f63bd5e280dd1c986311099
a310Logger
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b
a310Logger
413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27
a310Logger
60ac6dfe6cbf92960e313300091e733c0b4a2bca9f8de41f3543bc2d06ba4328
a310Logger
7257e33f527df5f7820d5dfd9022d923b5fb6cdef21d402c54fc9d3f3106f3a3
a310Logger
8940eb56fcbcf0b9e9f1ca34b9e2671bf9f0494eed2b00254cc916378337c0bd
a310Logger
ab7e2f3d96941792e0be9139f29d555c350123f8be701c6cd0f132c98f351407
a310Logger
+ 1'137 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210810-ds2mxy81ss/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
b96e8f5c44a33c31d7b63e1e7eba534305b1ba3af393e4a76671801785f91485
MD5 hash:
ac2486ec743e2b1824079dd7def10f6e
SHA1 hash:
49e5b0d4417a544a04c04dbe34b1c30d2762b07d
Link:
https://www.unpac.me/results/eae5db8c-3a5f-451c-821f-58bfdf1695b5/
SH256 hash:
efdcfad9ec7fc9255f6e45383b5dfe8c82d6fbddcbbbb9d4a1979b5102b4bffc
MD5 hash:
81d10841d204eef686a2960f99388d1e
SHA1 hash:
8a807c2bd55dd600689f536f4f3f2145d5851d8c
Link:
https://www.unpac.me/results/eae5db8c-3a5f-451c-821f-58bfdf1695b5/
SH256 hash:
e9d50632568e9d996f0ae874545aeaf568a1a70377a0603da09d3ed2820a42f8
MD5 hash:
d97d1a9843a1de644d6397a67c926177
SHA1 hash:
1614c2412cdf4387da2d44c4e9ab015cfb4f7dae
Link:
https://www.unpac.me/results/eae5db8c-3a5f-451c-821f-58bfdf1695b5/
SH256 hash:
01dccd80e7c6948853bacb394d25995d5886f84c05bfbb506b4c5862d8221901
MD5 hash:
f6ca0052f508770f499eaddb5dfdefa5
SHA1 hash:
83b1cdaa08b1e5c32b5baed55c22608ce9d01944
Link:
https://www.unpac.me/results/eae5db8c-3a5f-451c-821f-58bfdf1695b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/01dccd80e7c6948853bacb394d25995d5886f84c05bfbb506b4c5862d8221901

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 01dccd80e7c6948853bacb394d25995d5886f84c05bfbb506b4c5862d8221901

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1522262/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/178005/

Comments