MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13537e7d58eb6312b80c2abd796be6569ec2d99a41c20913629db6c1d5c12e0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13537e7d58eb6312b80c2abd796be6569ec2d99a41c20913629db6c1d5c12e0b
SHA3-384 hash: c3c6c704f45fb55cfcad6a689b871d7de5dbb0a1f293b21b26692974641ebbf2bd7b51129263683a6ce55b5b3d20a523
SHA1 hash: d482d3e05dadf33a8cfc41ed3d33b700c9c5afe3
MD5 hash: 9b9068806d229820ef4977c37b9ece31
humanhash: maine-maine-massachusetts-river
File name:RFQ 10102022.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'285'120 bytes
First seen:2022-10-18 07:26:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:h11jcQRG1e/zhH2b7Kc41/r8bAVx8+c8j7P36vg7dR:h1OQSgzhRc41/gqBc8j7eg7d
Threatray 2'212 similar samples on MalwareBazaar
TLSH T134557BBA21868417E4253131D487D1B32BFBAD606562D6CB6AD73F2FBC412BF9503386
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ 10102022.gz
Verdict:
Suspicious activity
Analysis date:
2022-10-17 18:19:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/849655dc-7358-415a-a6c0-47cd1ee1e314

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321263/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634e555a66721ebd9b2ef5ed/reports/ffdbac07-7df9-4505-86ee-acf1c26a0945/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0ed230e-9d76-48e1-93fd-fde1e9b4191a
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092525
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected AntiVM3
Yara detected BluStealer
Yara detected Telegram RAT
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13537e7d58eb6312b80c2abd796be6569ec2d99a41c20913629db6c1d5c12e0b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 10:59:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnjx47ky5nrrfoamfk6xs27gk2pmfwm2ihbase3ctw3mdvobfyfq._file
Verdict:
malicious
Similar samples:
068a5a6741c0bf5326cdce7e406c5273340ad1c9f4371fadeb88bf794f1d91e6
a310Logger
06fae3abb10a6b3cbd8bd6864110093b43d9a50e14e874fac48109cc895ab65b
a310Logger
3402c28f8bb37b47cf2868b16ca9fd851f7004458a93c17802c04cf2064909eb
a310Logger
90cfa88b710e25a9a1219c67738a891f052a33085a5aca2797524612b016249e
a310Logger
aaf048e30d5f843407f59bff320b992295396dc39dfb7bc6ca1c71f80897fecd
a310Logger
cd101d3d19d5e797d9a151c9c4dd1db497f8e4ec680a7fb99a69b6af36634445
a310Logger
f9da2b0b4faa792adade4a1bb0557486073ff2ac52c6c4271439d99419ac5f28
a310Logger
+ 2'202 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer collection stealer
Link:
https://tria.ge/reports/221018-h94beaehf8/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e2a01e7a-b3e4-452a-87f3-e1b3beb3689e
Unpacked files
SH256 hash:
fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c
MD5 hash:
d2ec533f8b40a8224d79c87c2291f943
SHA1 hash:
f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2
Link:
https://www.unpac.me/results/8f4765ea-6036-49ff-a7d8-3e59b8c619f1/
SH256 hash:
161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62
MD5 hash:
b460e7cd67e88a80f0b65f65d28b1c4c
SHA1 hash:
fef017687483cf2b5b9d5f8061b6f0645fdcf779
Link:
https://www.unpac.me/results/8f4765ea-6036-49ff-a7d8-3e59b8c619f1/
SH256 hash:
a28d2e63b09f39bbb8c10b5f3d5822bb4766f41051c9a3994eb34390b9e8622a
MD5 hash:
01b2943dbcbdf1e1acd323cca6a5498a
SHA1 hash:
ead525d7bdb4c8c315e4c5d3b0f2580e0648aa96
Link:
https://www.unpac.me/results/8f4765ea-6036-49ff-a7d8-3e59b8c619f1/
SH256 hash:
1c4a530d82c558b4cb857fe9939af2b1ffe465fbee9dd10bcfe4deee6e122db5
MD5 hash:
7f29e9e5a8924858b283651c9bed98c5
SHA1 hash:
b705fbb56da277f77f84639dee3dcc61eb6cd34a
Link:
https://www.unpac.me/results/8f4765ea-6036-49ff-a7d8-3e59b8c619f1/
SH256 hash:
df4c453a4fe2626653a4cbadf19195288cc5d06f84cab77661fde5c781bdabbb
MD5 hash:
0b481325c2399e836f2a50cde76d873f
SHA1 hash:
8a7a7ae11d348bfa1b14ebd32fd19760bfa7a474
Link:
https://www.unpac.me/results/8f4765ea-6036-49ff-a7d8-3e59b8c619f1/
SH256 hash:
1383999cb3682a0a0a54fad8a8e3f0fda2d4ce6422fa35286cece258aa1844a1
MD5 hash:
d891ee2f90e3392ee593067a038f3335
SHA1 hash:
347e96ac60f38938b0061ce5c21bec28c87f71f9
Link:
https://www.unpac.me/results/8f4765ea-6036-49ff-a7d8-3e59b8c619f1/
SH256 hash:
9870dbb37050b9de21aa65dec30e7094bb34775e2b8a2ee5d37481ce924ecd5c
MD5 hash:
53cd50750accb95e275c7a00c43712e9
SHA1 hash:
b45c7fbb26bb2a25c746764b9ea2272b8227f8bc
Link:
https://www.unpac.me/results/8f4765ea-6036-49ff-a7d8-3e59b8c619f1/
SH256 hash:
13537e7d58eb6312b80c2abd796be6569ec2d99a41c20913629db6c1d5c12e0b
MD5 hash:
9b9068806d229820ef4977c37b9ece31
SHA1 hash:
d482d3e05dadf33a8cfc41ed3d33b700c9c5afe3
Link:
https://www.unpac.me/results/8f4765ea-6036-49ff-a7d8-3e59b8c619f1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/13537e7d58eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/13537e7d58eb6312b80c2abd796be6569ec2d99a41c20913629db6c1d5c12e0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 13537e7d58eb6312b80c2abd796be6569ec2d99a41c20913629db6c1d5c12e0b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321263/

Comments