MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06671aa1c0e3f5552f64c537c302ccb4d94dc24a6e3a5f99d7ba31bc4b94b6c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06671aa1c0e3f5552f64c537c302ccb4d94dc24a6e3a5f99d7ba31bc4b94b6c7
SHA3-384 hash: 279d79cbebe199e62d20e85286f0e42b94d2e170567cbde9ee50897a0896aceabe933689a01d67beacbdfe26718fa787
SHA1 hash: 7370ae9e991a25d974a1d7ae95ca0b8ed455fdd2
MD5 hash: 64fb0e3f18d12255ef34ea1c227e3a75
humanhash: happy-ack-missouri-foxtrot
File name:dark.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'144'105 bytes
First seen:2021-07-23 15:36:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b89f3af6e8726c625cba8a18b46cbaf3 (2 x AgentTesla, 2 x Formbook, 1 x OskiStealer)
ssdeep 24576:buWEbFgJ+dp/eVhBjqyO6WIC0K1cZskx9rQLj:aWS6colqy/L9xdW
TLSH T17F351215759CB3A4E4A947302012D2AE19943E327E5FB01F3659B71E4BB72F91E22F0B
dhash icon f8f4a6647199b1e0 (1 x a310Logger)
Reporter abuse_ch
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dark.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-23 16:09:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4956f1fd-8476-4026-8994-91ff65133de6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173690/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.45929.30170.16451.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab337dde-a617-4f96-8e64-6a7b68ab4a42
Result
Threat name:
a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820915
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected a310Logger
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453325 Sample: dark.exe Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected a310Logger 2->48 50 4 other signatures 2->50 8 dark.exe 1 2->8         started        process3 signatures4 60 Detected unpacking (changes PE section rights) 8->60 62 Detected unpacking (creates a PE file in dynamic memory) 8->62 64 Detected unpacking (overwrites its own PE header) 8->64 66 3 other signatures 8->66 11 dark.exe 3 20 8->11         started        16 conhost.exe 8->16         started        process5 dnsIp6 40 smtp.privateemail.com 199.193.7.228, 465, 49717 NAMECHEAP-NETUS United States 11->40 36 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 11->36 dropped 38 C:\Users\user\AppData\...\SQLite3_StdCall.dll, PE32 11->38 dropped 74 Writes to foreign memory regions 11->74 76 Allocates memory in foreign processes 11->76 78 Sample uses process hollowing technique 11->78 80 2 other signatures 11->80 18 InstallUtil.exe 8 11->18         started        22 InstallUtil.exe 4 11->22         started        24 InstallUtil.exe 11->24         started        26 3 other processes 11->26 file7 signatures8 process9 file10 34 C:\Users\user\AppData\...\pGrPhezL.exe, PE32 18->34 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->54 56 Tries to steal Mail credentials (via file access) 18->56 28 pGrPhezL.exe 3 18->28         started        58 Tries to harvest and steal browser information (history, passwords, etc) 22->58 31 WerFault.exe 23 11 26->31         started        signatures11 process12 dnsIp13 68 Antivirus detection for dropped file 28->68 70 Multi AV Scanner detection for dropped file 28->70 72 Machine Learning detection for dropped file 28->72 42 192.168.2.1 unknown unknown 31->42 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06671aa1c0e3f5552f64c537c302ccb4d94dc24a6e3a5f99d7ba31bc4b94b6c7/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-23 04:29:46 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aztrvioa4p2vkl3eyu34gawmwtmu3qskny5f7goxxiy3ys4uw3dq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210723-vj8sqs5v8j/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
c67325a01420def1d40222812e1be22430b3ad4e9ee0f786916dc91143d52c5d
MD5 hash:
b31c9a09ca6c1a27b68b7d1519ab0aa7
SHA1 hash:
ba27c7df0f9f5e7883bd3eca624761b31a5cd3e7
Link:
https://www.unpac.me/results/039d82d4-5cfd-4177-aad1-c279263e0fc4/
SH256 hash:
06671aa1c0e3f5552f64c537c302ccb4d94dc24a6e3a5f99d7ba31bc4b94b6c7
MD5 hash:
64fb0e3f18d12255ef34ea1c227e3a75
SHA1 hash:
7370ae9e991a25d974a1d7ae95ca0b8ed455fdd2
Link:
https://www.unpac.me/results/039d82d4-5cfd-4177-aad1-c279263e0fc4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06671aa1c0e3f5552f64c537c302ccb4d94dc24a6e3a5f99d7ba31bc4b94b6c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 06671aa1c0e3f5552f64c537c302ccb4d94dc24a6e3a5f99d7ba31bc4b94b6c7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/173690/

Comments