MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bb31625967f178fe19619375912c6f805c8882d1bb4a5c2dbfed7a657f58eca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	1bb31625967f178fe19619375912c6f805c8882d1bb4a5c2dbfed7a657f58eca
SHA3-384 hash:	736dbeea10f105653c69cfca19e76d9bc7da088287de9840f09f777e2d34370a7f16313a824f11ac03ed53b2f92d3d6b
SHA1 hash:	1518de4f8746f6f975eb995d79ec60b261845895
MD5 hash:	011ede3136753edc4b1982a990c10caa
humanhash:	vegan-connecticut-nuts-potato
File name:	BluStealer.bin
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	290'816 bytes
First seen:	2022-10-18 08:45:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d5f5b9b3dfcb4ba917a1d6a55cc68a98 (1 x a310Logger)
ssdeep	6144:PwKQfltdH33IzUOr5O0RAmTb7s8Iq0GUKz9K1PO:Rol3IVO0Rq7Kz9
Threatray	28 similar samples on MalwareBazaar
TLSH	T16C54B53BA661202EE252C8B1E6D4515758256D372248FC7BBBC25B4A32315D3F8F932F
TrID	78.7% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	64e4d364e4d3e464 (1 x a310Logger)
Reporter	plebourhis
Tags:	a310logger BluStealer DarkCloud exe

plebourhis

Phishing campaign distributing link to PureCrypter that downloads as final payload a sample of BluStealer

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321283/

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm evasive fingerprint greyware hacktool packed shell32.dll

Link:

https://www.filescan.io/uploads/634e67cb66721ebd9b2ef8a1/reports/ce3dcc2f-53df-4aa5-a479-7c031b4f26d4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d3aeda29-cd14-4a10-b72e-9752ac0590ed

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1092574

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes or reads registry keys via WMI

Yara detected DarkCloud

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bb31625967f178fe19619375912c6f805c8882d1bb4a5c2dbfed7a657f58eca/

Threat name:

Win32.Trojan.SpywareX

Status:

Malicious

First seen:

2022-10-06 15:48:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dozrmjmwp4ly7ymwde3vsewg7ac4rcbndo2klqw373l2mv7vr3fa._file

Verdict:

malicious

a310Logger

2a85650070bb8a38e31bd9fe5fd4626364bdb6cef093025e4fe814fc18391685

a310Logger

709d1d9f1e0485cca2cdad3fe16fa9992a2dd07b2310a98dc65066530d4033fe

a310Logger

74bd97b0541929ff9ea8715d55fc375a91376bc9868ac1b551acdfa871e0e765

a310Logger

8662c5563163a4bfd38e68eee91831b3c07e30c022ec54bc58c381c53bb1f679

a310Logger

8f458a7e77b48b60467dc6338ea5854db2afa53754fb2098edd8caf415ca6e64

a310Logger

a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0

a310Logger

c512faa4840c22633e33fa04de7c23ff972c97147ce9599de5c9d2326f01a589

a310Logger

+ 18 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/221018-kpajpsfdem/

Behaviour

Suspicious use of SetWindowsHookEx

Gathering data

Unpacked files

SH256 hash:

1bb31625967f178fe19619375912c6f805c8882d1bb4a5c2dbfed7a657f58eca

MD5 hash:

011ede3136753edc4b1982a990c10caa

SHA1 hash:

1518de4f8746f6f975eb995d79ec60b261845895

Link:

https://www.unpac.me/results/fda14bf5-f050-44f7-8f1d-87e3862303ca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.20

Link:

https://yomi.yoroi.company/submissions/1bb31625967f178fe19619375912c6f805c8882d1bb4a5c2dbfed7a657f58eca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_A310Logger Create hunting rule
Author:	ditekSHen
Description:	Detects A310Logger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/321283/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample