MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 21


Intelligence 21 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5
SHA3-384 hash: 124226737d6a1ee334135f013d19736c806566ad1916079c667413c87fca13014e551e83e68539d5d33992aa756b06b5
SHA1 hash: 1772f06feb32bc73d1e98f15174b4d89ee3c6c1c
MD5 hash: b3c2547d02fb49cb4d2b2a2ca101d938
humanhash: oklahoma-maryland-nitrogen-timing
File name:Halkbank,doc.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'206'272 bytes
First seen:2025-12-18 10:26:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:NVFd/s2tpDPkER/caE25J+42dQizOUsyt8BYXx0tDUKGXnS6KMSfWIn6rn5R606q:1h7DPcr2i5XzOU56ECqXNInKbdyHNxu
Threatray 54 similar samples on MalwareBazaar
TLSH T171459DB66A869F05CC3028B80B739BF99F6C0D17F510CA9359D6391BA9BC281345E377
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter cocaman
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/e3da007d-6948-4032-8f95-5848e0b841c4/
Malware family:
n/a
ID:
1
File name:
_1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5.exe
Verdict:
Malicious activity
Analysis date:
2025-12-18 10:27:56 UTC
Tags:
auto-sch-xml darkcloud upx
Link:
https://app.any.run/tasks/21222595-0301-4c1f-a1ae-e3abadeaabee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45417/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6943d6cbc97f4a807a3ba084
Tags:
spawn micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/6943d6c884afa5547b59a303/reports/e2b49e91-773c-4f06-b7e0-21f0cc314a68/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-18T02:31:00Z UTC
Last seen:
2025-12-20T01:40:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.DarkCloud.sb HEUR:Trojan.MSIL.Taskun.sb PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.PureLogs.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb not-a-virus:PDM:AdWare.Win32.Vopak.a HackTool.ReconScan.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5/results?tab=lookup
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b2332c0-8a19-46c3-b8b3-db30e4ca235b
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1835573
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1835573 Sample: Halkbank,doc.exe Startdate: 18/12/2025 Architecture: WINDOWS Score: 100 58 showip.net 2->58 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Sigma detected: Scheduled temp file as task from temp location 2->66 68 7 other signatures 2->68 8 Halkbank,doc.exe 7 2->8         started        12 QgXGFgNzOWabV.exe 5 2->12         started        14 fireplough.exe 2->14         started        16 fireplough.exe 2->16         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\QgXGFgNzOWabV.exe, PE32 8->50 dropped 52 C:\...\QgXGFgNzOWabV.exe:Zone.Identifier, ASCII 8->52 dropped 54 C:\Users\user\AppData\Local\Temp\tmpDE5.tmp, XML 8->54 dropped 56 C:\Users\user\...\Halkbank,doc.exe.log, ASCII 8->56 dropped 78 Uses schtasks.exe or at.exe to add and modify task schedules 8->78 80 Adds a directory exclusion to Windows Defender 8->80 82 Injects a PE file into a foreign processes 8->82 18 Halkbank,doc.exe 14 8->18         started        22 powershell.exe 23 8->22         started        24 schtasks.exe 1 8->24         started        84 Multi AV Scanner detection for dropped file 12->84 26 QgXGFgNzOWabV.exe 1 14 12->26         started        28 schtasks.exe 1 12->28         started        30 fireplough.exe 14->30         started        32 schtasks.exe 14->32         started        34 fireplough.exe 16->34         started        36 schtasks.exe 16->36         started        signatures6 process7 dnsIp8 60 showip.net 162.55.60.2, 49723, 49724, 49725 ACPCA United States 18->60 70 Loading BitLocker PowerShell Module 22->70 38 conhost.exe 22->38         started        40 WmiPrvSE.exe 22->40         started        42 conhost.exe 24->42         started        44 conhost.exe 28->44         started        46 conhost.exe 32->46         started        72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->72 74 Tries to steal Mail credentials (via file / registry access) 34->74 76 Tries to harvest and steal browser information (history, passwords, etc) 34->76 48 conhost.exe 36->48         started        signatures9 process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.30 Win 32 Exe x86
Link:
https://app.malva.re/file/b3c2547d02fb49cb4d2b2a2ca101d938
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-12-18 05:27:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d767pvqkt2qvlyavedis5p5nxxfiwywzt74skjc4dbcjtm2kox2q._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
34c4142c1ce499a86d75d293dc49bdbdc7f98f7d5dbe95a5947315e37a94a4c9
a310Logger
36a3c500ed0500d0d2c222504cdd3023a4f3b8dabe2a50f45f31908b3a4ddd74
a310Logger
c01020bddf0722615647d37dffb887e4110e7d20074ec1ac525ebe00a036c2e9
a310Logger
f239532b415d0769dea6827221c226555e1c4bda21ecd050041d829021c52d52
a310Logger
+ 44 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery execution persistence stealer
Link:
https://tria.ge/reports/251223-pyqphayqgs/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fe495ba5-8b8f-47c5-a490-6dc4f7b2f422
Unpacked files
SH256 hash:
1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5
MD5 hash:
b3c2547d02fb49cb4d2b2a2ca101d938
SHA1 hash:
1772f06feb32bc73d1e98f15174b4d89ee3c6c1c
Link:
https://www.unpac.me/results/f7d3281a-b6cc-479c-a798-8cb5b7131c7d/
SH256 hash:
1c622eec6729e145d2b7afc53d7a024167c6ddf8097c4287dafcdc13f6a16009
MD5 hash:
71ba6a478e15a655a01cebf595d43052
SHA1 hash:
01803a80321d334ba3b362540e34453706bfabcc
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f7d3281a-b6cc-479c-a798-8cb5b7131c7d/
SH256 hash:
a24ebc50c6ad99ae2efad2c0c05d4ae3657e21401334e68af512f6baf150c985
MD5 hash:
37af996ebdb1726cf6783e66580626a9
SHA1 hash:
08d3381f5d19b4730915eb616c468e804eb81a6c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f7d3281a-b6cc-479c-a798-8cb5b7131c7d/
Parent samples :
7da365ee6fe68f361e5c9186af3ff4a91901f409ea28dd72e20d192e6f7880ab
1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5
957ab5ff285cb072d03de9cb8438820bde79ce9dfb59400a5b98dd45f6baa50e
1e0df0b7ddd6821d54ecf37db6a67d267387bf56751a8dfc036896b266c2d1bd
89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4
ac9650718cb2712fb1a511c349fc2e5fb85092329d33c15f4d63fef310151aff
SH256 hash:
94dbdf63174b295fa36602acece8fbbf7ed81ba254551515e606b09d24ddeece
MD5 hash:
24fe9abf980a415c6474818d4d6fabe5
SHA1 hash:
27a296825b6fe69fa3277108e7ab6646b8e6b2ea
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/f7d3281a-b6cc-479c-a798-8cb5b7131c7d/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/f7d3281a-b6cc-479c-a798-8cb5b7131c7d/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ffdf7d60a9e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

7z 791c8a3f64220eef4d4654c68fc89f61f29ebe18cbac0522cd13b77e21d7242b

a310Logger

Executable exe 1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 791c8a3f64220eef4d4654c68fc89f61f29ebe18cbac0522cd13b77e21d7242b
Cape
Cape
https://www.capesandbox.com/analysis/45417/
  
Dropped by
MD5 32b165cc91f7b42a0b68d51a2061aa58

Comments