MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bd85ed9bcbbe87a69f4c4764438e0df0cba8d5799d05a7bed911b5c57c33e4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bd85ed9bcbbe87a69f4c4764438e0df0cba8d5799d05a7bed911b5c57c33e4e
SHA3-384 hash: 000bb834309e9bad028d2f459fea9093c99da99ba0e402ca40b30660c5d44a24b3af88a28e136af67dcf6b57d24f5cc4
SHA1 hash: fd836463b0b23ae3ff6617b3180093ffffa156c8
MD5 hash: 334a47ca828db802167c63cd913c4ce7
humanhash: speaker-juliet-alpha-three
File name:334a47ca828db802167c63cd913c4ce7
Download: download sample
Signature a310Logger
Create hunting rule
File size:762'368 bytes
First seen:2021-09-16 04:46:41 UTC
Last seen:2022-01-24 09:44:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:hAAxccrk5U/etiw/bqAqeAh/3UmbArD//lb/iJmgi7usuM63EBnM:5XknAOqAu2t7/R/iJSS/MeE5M
Threatray 4'234 similar samples on MalwareBazaar
TLSH T162F4F65DFA452672EE8E81704C490AD5BFDE0B0F2A40AE93539B15CB8F0F5E59CC5C89
dhash icon d48a9a9ab2f4a1a2 (3 x a310Logger, 2 x SpyEx, 1 x FormBook)
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
334a47ca828db802167c63cd913c4ce7
Verdict:
Suspicious activity
Analysis date:
2021-09-16 04:47:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c9dd8b66-190d-49ca-a445-25e3d247cd51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188307/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37588470.31130.7986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/61751f0da9d585e6d537101f/reports/57eb0e7d-b934-4ae5-8eea-7e04c3b16ffe/overview
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b86d7531-634c-4bc9-8964-65e5f05c492e
Result
Threat name:
BluStealer SpyEx StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/851842
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary or sample is protected by dotNetProtector
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 484273 Sample: TtkRZtP1Jq Startdate: 16/09/2021 Architecture: WINDOWS Score: 100 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 8 other signatures 2->79 8 TtkRZtP1Jq.exe 4 2->8         started        11 browse.exe 2 2->11         started        process3 dnsIp4 81 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->81 83 Tries to delay execution (extensive OutputDebugStringW loop) 8->83 14 TtkRZtP1Jq.exe 1 8->14         started        18 cmd.exe 1 8->18         started        20 cmd.exe 3 8->20         started        59 192.168.2.1 unknown unknown 11->59 85 Multi AV Scanner detection for dropped file 11->85 87 Machine Learning detection for dropped file 11->87 89 Injects a PE file into a foreign processes 11->89 23 browse.exe 11->23         started        25 cmd.exe 11->25         started        signatures5 process6 dnsIp7 61 budgetn.shop 68.65.123.43, 49765, 49774, 49777 NAMECHEAP-NETUS United States 14->61 97 Writes to foreign memory regions 14->97 99 Allocates memory in foreign processes 14->99 101 Tries to steal Crypto Currency Wallets 14->101 103 Injects a PE file into a foreign processes 14->103 27 AppLaunch.exe 14->27         started        30 AppLaunch.exe 14->30         started        32 AppLaunch.exe 1 14->32         started        34 AppLaunch.exe 14->34         started        105 Uses schtasks.exe or at.exe to add and modify task schedules 18->105 36 conhost.exe 18->36         started        38 schtasks.exe 1 18->38         started        53 C:\Users\user\AppData\Roaming\...\browse.exe, PE32 20->53 dropped 55 C:\Users\user\...\browse.exe:Zone.Identifier, ASCII 20->55 dropped 40 conhost.exe 20->40         started        file8 signatures9 process10 signatures11 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->91 93 May check the online IP address of the machine 27->93 42 WerFault.exe 27->42         started        44 WerFault.exe 30->44         started        95 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 36->95 46 AppLaunch.exe 36->46         started        51 AppLaunch.exe 36->51         started        process12 dnsIp13 63 icanhazip.com 104.18.7.156, 49781, 80 CLOUDFLARENETUS United States 46->63 65 90.168.9.0.in-addr.arpa 46->65 57 C:\Users\user\AppData\...\aeiDGhFv.exe, PE32 46->57 dropped 67 Tries to steal Instant Messenger accounts or passwords 46->67 69 Tries to steal Mail credentials (via file access) 46->69 71 Tries to harvest and steal browser information (history, passwords, etc) 46->71 file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1bd85ed9bcbbe87a69f4c4764438e0df0cba8d5799d05a7bed911b5c57c33e4e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 20:07:47 UTC
AV detection:
20 of 44 (45.45%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dpmf5wn4xpuhu2puyr3eioha34glvdkxthifu67nsenvyv6dhzha._file
Verdict:
malicious
Similar samples:
26bec6114e67239a103b0c33fef33c802a77703a71ef3a204222454b994dbcf4
a310Logger
4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7
a310Logger
c15017d56ac6e02cf607d7188d5b4bb5485d9463031ba4effcb29ca84eb83dea
a310Logger
cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb
a310Logger
cba897dc82a468040a082fd6135edecb8dcdcd0f0fe1375adeaeff3262cc6504
a310Logger
de7e8838d1448ac79810b71d637b62165d32cb1932c211e1ea571bd4770b0cea
a310Logger
f20d2b9da240b7cadb6045a4152636c7cb71b13204aaae35e4a927aaeab23520
a310Logger
f5cb1fde3016b1c8c6927d64cca4a84f81987b50382c19b42c4e1b5f137360f2
a310Logger
+ 4'224 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210916-fejbmscaa9/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
1e41442f28a2328a8cec90459483ae5da9b21484b2bdd2b2e206e34a8f5672bc
MD5 hash:
75cd3d2c8c439e9e7bb66b3b102bfda0
SHA1 hash:
d2a2717f22f5ce326a3e8f8e7efd852e5b5c68f7
Link:
https://www.unpac.me/results/2129ef75-00f4-4781-b1e2-163248091da8/
SH256 hash:
1bd85ed9bcbbe87a69f4c4764438e0df0cba8d5799d05a7bed911b5c57c33e4e
MD5 hash:
334a47ca828db802167c63cd913c4ce7
SHA1 hash:
fd836463b0b23ae3ff6617b3180093ffffa156c8
Link:
https://www.unpac.me/results/2129ef75-00f4-4781-b1e2-163248091da8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1bd85ed9bcbb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1bd85ed9bcbbe87a69f4c4764438e0df0cba8d5799d05a7bed911b5c57c33e4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 1bd85ed9bcbbe87a69f4c4764438e0df0cba8d5799d05a7bed911b5c57c33e4e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1623903/
Cape
Cape
https://www.capesandbox.com/analysis/188307/

Comments


Avatar
zbet commented on 2021-09-16 04:46:42 UTC

url : hxxp://52.58.97.51/i3/U/Enquiry_101352001209png.exe