MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81
SHA3-384 hash: 0128eaec32aed183e4a5ee573c3b31e0d7f439bf07c17ad3c49fc80cb99cf4ae10f6c7e684673a7d3ee135865b85a816
SHA1 hash: 4ae4c57faeab4e3b4cbf07f34c0cb12f542bc422
MD5 hash: 479de94fbadd83fce799ed3389da1ce5
humanhash: minnesota-carpet-connecticut-golf
File name:479de94fbadd83fce799ed3389da1ce5
Download: download sample
Signature a310Logger
Create hunting rule
File size:735'232 bytes
First seen:2021-08-04 07:36:52 UTC
Last seen:2021-08-04 11:10:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:qlALj79bDcDn7T9mWM+QirAsLyjgeUhDlhcfK56bKIy6Sa5iWK21lm2NRm05g6F:WAvhDcDVMGrAsLmbtfdbOl8R9/
Threatray 67 similar samples on MalwareBazaar
TLSH T16AF41205FA2DE621D2D8AC7BC4E0D7740712AE036F63C83A2DDD6E2170677DA2949703
dhash icon 888cba3c8c8aa088 (2 x a310Logger)
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176259/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.48.23322.9686.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cad019af-1dc5-462b-995e-ba532a503d88
Result
Threat name:
StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826703
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 459134 Sample: mzwytAmFPD Startdate: 04/08/2021 Architecture: WINDOWS Score: 100 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for dropped file 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 7 other signatures 2->69 9 mzwytAmFPD.exe 1 8 2->9         started        13 paint.exe 2->13         started        15 paint.exe 2->15         started        17 2 other processes 2->17 process3 file4 45 C:\Users\user\AppData\Roaming\...\paint.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\...\mzwytAmFPD.exe, PE32 9->47 dropped 49 C:\Users\user\...\paint.exe:Zone.Identifier, ASCII 9->49 dropped 51 2 other malicious files 9->51 dropped 91 Creates multiple autostart registry keys 9->91 93 Writes to foreign memory regions 9->93 95 Injects a PE file into a foreign processes 9->95 19 mzwytAmFPD.exe 1 1 9->19         started        signatures5 process6 dnsIp7 53 netjul.club 68.65.123.120, 49735, 587 NAMECHEAP-NETUS United States 19->53 73 Antivirus detection for dropped file 19->73 75 Multi AV Scanner detection for dropped file 19->75 77 Detected unpacking (creates a PE file in dynamic memory) 19->77 79 7 other signatures 19->79 23 AppLaunch.exe 15 5 19->23         started        28 AppLaunch.exe 4 19->28         started        30 AppLaunch.exe 1 19->30         started        32 AppLaunch.exe 19->32         started        signatures8 process9 dnsIp10 55 icanhazip.com 104.18.7.156, 49733, 49734, 80 CLOUDFLARENETUS United States 23->55 57 192.168.2.1 unknown unknown 23->57 59 4.179.10.0.in-addr.arpa 23->59 41 C:\Users\user\AppData\...\xNazwckB.exe, PE32 23->41 dropped 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->81 83 May check the online IP address of the machine 23->83 85 Tries to steal Instant Messenger accounts or passwords 23->85 34 xNazwckB.exe 23->34         started        61 4.179.10.0.in-addr.arpa 28->61 43 C:\Users\user\AppData\...43ZyOMXaN.exe, PE32 28->43 dropped 87 Tries to steal Mail credentials (via file access) 28->87 89 Tries to harvest and steal browser information (history, passwords, etc) 28->89 37 NZyOMXaN.exe 28->37         started        file11 signatures12 process13 signatures14 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->71 39 WerFault.exe 37->39         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 05:41:39 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
19368f9d401db77bd90b14b17b435c319e7fefb557920323d5ed954057d53e76
a310Logger
19495c90691e8b6eef5d55d50b9d76ae6ceb5629d6c082899d789a841175f85c
a310Logger
1c6c8607e92b11d98f26540f84a922a74938bddbf5ab3c6f32619168963b4f50
a310Logger
365f029082236e51ab346d10388e952e52ca1d99e44fa40578b3497b737a10e2
a310Logger
657ae7746746041ce532244a0a5d25edd35844d4f35d7e85c7394fee553ec02a
a310Logger
85cb002af1499d7818e4b95b8d130c7edad206f88e514c44e3a3a677cfdf41e3
a310Logger
85e74e088eaf61b95d366932ff738a2c100eef6f07960860028af7d789063330
a310Logger
a608e12ae5bb4560a9ca9d4be49ddf2e04a3cb65ff3367b5bd8e4a8cc9325a48
a310Logger
c28d812d61b0fd0a86fce89b6ad22f29c8ad6c6b37bc88a944a968e35649d766
a310Logger
e19c08f599af43e73bb73b7183ce1b8a1e6712640d185d6f29ae0cf165bdfef5
a310Logger
+ 57 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210804-46p8fxvthn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
bd7a8b724a33536826e5fd3dcb15395fa6a4e07a2a1885901e29bcb6133ab362
MD5 hash:
70725fab727f77aa46764c618d4974d6
SHA1 hash:
08d5559cba3f1c029971b7a125ba65398fadc9c2
Link:
https://www.unpac.me/results/5dae48c3-442b-4734-a37b-3536f458eda9/
SH256 hash:
3b210c6650caadaa818272f39cb5caaa20832f25252d03cc3697d0a66f2bbef8
MD5 hash:
3bc923c1b3c801503849353eca77f67f
SHA1 hash:
5bf94db9954319b7d025b3a8415e6e316626e764
Link:
https://www.unpac.me/results/5dae48c3-442b-4734-a37b-3536f458eda9/
SH256 hash:
c731ac82dfe7b7e850c0d66fde73943e1afef3f639dc57629156d1f33509fdae
MD5 hash:
5b948420f044b1b05c267be7b9407974
SHA1 hash:
0e71c008bc5a3809bc7ebff1a4ec040d27898c67
Link:
https://www.unpac.me/results/5dae48c3-442b-4734-a37b-3536f458eda9/
SH256 hash:
1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81
MD5 hash:
479de94fbadd83fce799ed3389da1ce5
SHA1 hash:
4ae4c57faeab4e3b4cbf07f34c0cb12f542bc422
Link:
https://www.unpac.me/results/5dae48c3-442b-4734-a37b-3536f458eda9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1c29ee414b01/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1504604/
Cape
Cape
https://www.capesandbox.com/analysis/176259/

Comments


Avatar
zbet commented on 2021-08-04 07:36:53 UTC

url : hxxp://inter-trading-service.com/Di4/New_0228_02101111.exe