MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19b0d58c3611ccc99f681997248a835ac4a49572a50278f4f7c732237183db6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19b0d58c3611ccc99f681997248a835ac4a49572a50278f4f7c732237183db6a
SHA3-384 hash: 56fe2b04fec855a1d15035802795b72a68007668736e2c984881828d93dd6ceb335424a9d7cc921659be488d5bb1050e
SHA1 hash: 1b9565b62bee0d29a4f21eb617a88e9682e09862
MD5 hash: 6a58925feb3fe5477f8c44595d2c36cd
humanhash: spring-autumn-paris-illinois
File name: 41570002689_20221001_05352297_HesapOzeti.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'126'400 bytes
First seen:2022-10-03 08:29:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:o/r9+ljmhNLbDYmcIZQWDA9aHZVIAodG21+sq+AJkZnfYHVKyGr3CQK4HTN2i8E6:EsljMLbDYquFY0o+A2ZwhGraJ
Threatray 1'638 similar samples on MalwareBazaar
TLSH T18F358C683291B98FC8138931CD90DE70AB506D66931BC20359D77DAFF97E5ABEF001A1
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 72ceaeaeb2968eaa (57 x AgentTesla, 9 x Formbook, 7 x RemcosRAT)
Reporter abuse_ch
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316025/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.22728.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/633a9d8fc9e2f34354325f9a/reports/96bfbb89-4073-4b26-964b-b78d6a1802e1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ccdf5886-e401-406f-b1e1-127771a90770
Result
Threat name:
BluStealer, DarkCloud, SpyEx, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082279
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BluStealer
Yara detected DarkCloud
Yara detected Generic Downloader
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 714843 Sample: #U00a041570002689_20221001_... Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for dropped file 2->40 42 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->42 44 12 other signatures 2->44 7 #U00a041570002689_20221001_05352297_HesapOzeti.exe 7 2->7         started        process3 file4 26 C:\Users\user\AppData\Roaming\ZFkIYZK.exe, PE32 7->26 dropped 28 C:\Users\user\...\ZFkIYZK.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmpDD65.tmp, XML 7->30 dropped 32 #U00a041570002689_..._HesapOzeti.exe.log, ASCII 7->32 dropped 54 Detected unpacking (changes PE section rights) 7->54 56 Detected unpacking (overwrites its own PE header) 7->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 7->58 60 Adds a directory exclusion to Windows Defender 7->60 11 #U00a041570002689_20221001_05352297_HesapOzeti.exe 1 7->11         started        14 powershell.exe 17 7->14         started        16 schtasks.exe 1 7->16         started        signatures5 process6 signatures7 62 Writes to foreign memory regions 11->62 64 Allocates memory in foreign processes 11->64 66 Injects a PE file into a foreign processes 11->66 18 AppLaunch.exe 15 3 11->18         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        process8 dnsIp9 34 icanhazip.com 104.18.115.97, 49706, 80 CLOUDFLARENETUS United States 18->34 36 10.76.9.0.in-addr.arpa 18->36 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->46 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->48 50 May check the online IP address of the machine 18->50 52 2 other signatures 18->52 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19b0d58c3611ccc99f681997248a835ac4a49572a50278f4f7c732237183db6a/
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 07:13:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgynldbwchgmth3idglsjcudllckjflsuubhr5hxy4zcg4md3nva._file
Verdict:
malicious
Similar samples:
006248ca6292f9ca72274fc84e5cea8fc72aa2df7079e849835c232bea1b1c47
a310Logger
22805984d67d2c9a896aca6d757a00e3adde2b538efd3b8a196fea685e9f9981
a310Logger
4c743eaedbc97613e8759c49e069f872bc786187cb2975a9564ab0aec2cd2205
a310Logger
6ac2c5094ab610f7fb38129fb5bc1e66e38ed0144cc19bd0dd85c4bb582a1d19
a310Logger
76e4e5a30868f044e472e3151bf5995cb972d9da5f510819c5f48a985c9b85bc
a310Logger
9cad0a5b9895504044ad8a18086d5ef9a5ad3d48d83cfbe7f216b596ed0a8716
a310Logger
d5863100cda763f0b62cb1713f18d6218336bc726ce0890136716d92dd432223
a310Logger
f5ab7866190abc14eddca1da11101e7f76ff08abce7c73350f15fd6f5ceda77a
a310Logger
f814f4fe8d450dc8cfc62cde57a5e4a2e72bb758f1c2d71f8483ab20315a571b
a310Logger
+ 1'628 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection stealer
Link:
https://tria.ge/reports/221003-kd5wgagfdl/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
BluStealer
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/baf69cb5-f7c6-42dc-ad68-cc5b5bc597cd
Unpacked files
SH256 hash:
2b660a5d1ffcf54d87115c6a5321fdb41275a7c56e56c07c3d8470cf445312a5
MD5 hash:
05f8d5bb1a94a907207624b1f5c1ea17
SHA1 hash:
cc3050915638c7198595156ec395794afdbdab74
Link:
https://www.unpac.me/results/6e8257e1-57ca-495b-8198-9be953333808/
SH256 hash:
d12f31e32b81d27ba17c3d4bd978910fc06b16f17f6d7cd5e82f06e38c12f295
MD5 hash:
97afd62b9437598edd6ae62ec87520d3
SHA1 hash:
52a4a21663529fc836219730a3907c605dec1cd1
Detections:
win_agent_tesla_g2
Create hunting rule
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/6e8257e1-57ca-495b-8198-9be953333808/
Parent samples :
edc745edbc90dfb8a30e14e9049998bc3c707eadb7ac3ef8785f0c80efe306c4
67b1c9f9637d8c16e2966babd6b7a06c2396cbc918b31c0649adf61b7a2a7778
b287de3756df371e1046322a567e8d8394a85915a80838c1832388a88c9dd9cd
755de0017346d362f97a588336b88adc8d078bb699a2395c2957daa26207c16b
19b0d58c3611ccc99f681997248a835ac4a49572a50278f4f7c732237183db6a
SH256 hash:
a04c799fa302c78d04acc3b4be8ccbde2f7fa00fe515daf18a2fc7e65fad3b13
MD5 hash:
d76812ec4cbc45e1e26ed36691596f7e
SHA1 hash:
c854fe9792694fb464a0bed51c737ff61ccef736
Link:
https://www.unpac.me/results/6e8257e1-57ca-495b-8198-9be953333808/
SH256 hash:
89f642d2fdbc758d8a00d1b1457057ef2206be3761a7c2ab5f6e625b21cdd09e
MD5 hash:
4c44d055e73eade317a96c29d5515a84
SHA1 hash:
68ea68a7fc498870e64c4e03c3e0794a6d069f6a
Link:
https://www.unpac.me/results/6e8257e1-57ca-495b-8198-9be953333808/
SH256 hash:
edbeae0d9d2b87b5b7a5c36a82385ce62f796848c0b41c748328e6274cfdbfa8
MD5 hash:
a96d67b5ba57c5b62018dd7ef60cf5b8
SHA1 hash:
5e71d81407d07889e4e114ae4f38943493b9613c
Link:
https://www.unpac.me/results/6e8257e1-57ca-495b-8198-9be953333808/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/6e8257e1-57ca-495b-8198-9be953333808/
SH256 hash:
19b0d58c3611ccc99f681997248a835ac4a49572a50278f4f7c732237183db6a
MD5 hash:
6a58925feb3fe5477f8c44595d2c36cd
SHA1 hash:
1b9565b62bee0d29a4f21eb617a88e9682e09862
Link:
https://www.unpac.me/results/6e8257e1-57ca-495b-8198-9be953333808/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19b0d58c3611/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19b0d58c3611ccc99f681997248a835ac4a49572a50278f4f7c732237183db6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 19b0d58c3611ccc99f681997248a835ac4a49572a50278f4f7c732237183db6a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/316025/

Comments