MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2183dd8a07c328ff41cf8fedc06bdc9ec8166d6c11691cb6d379899318d8e555. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2183dd8a07c328ff41cf8fedc06bdc9ec8166d6c11691cb6d379899318d8e555
SHA3-384 hash: 04ebd5b12ed4f2dc9bc5f30f3cbb55bdc88d36126bb8b3aa0880e3afb0a24e92a8d51f1341162e2d0000d17241eec95b
SHA1 hash: 5aa1d0515cd9ca1802c872cd8a9354b65cef7463
MD5 hash: a6c09767f7b9b02156bd3e4f67764e79
humanhash: undress-angel-august-saturn
File name:1283YT348130Et-21 -10000,00-EUR-SWIFT MESAJI.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:944'128 bytes
First seen:2021-08-09 12:11:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:g831bHyqkkvaWB5DQaL+YFswDsd8U0Gdb:g83xjfa65DeYeCUr
Threatray 2'668 similar samples on MalwareBazaar
TLSH T19115121227DC9712F67E577A1460108207F7F50EEB73C94EBDC514AE0E6BB808A62B67
Reporter GovCERT_CH
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177562/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb6a6622-e28e-4eaa-a411-0356b45c4ef6
Result
Threat name:
a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829289
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected a310Logger
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461717 Sample: 1283YT348130Et-21 -10000,00... Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 4 other signatures 2->45 7 1283YT348130Et-21 -10000,00-EUR-SWIFT MESAJI.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\LEjGKtEzH.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmp7987.tmp, XML 7->29 dropped 31 1283YT348130Et-21 ...WIFT MESAJI.exe.log, ASCII 7->31 dropped 55 Injects a PE file into a foreign processes 7->55 11 1283YT348130Et-21 -10000,00-EUR-SWIFT MESAJI.exe 3 5 7->11         started        16 schtasks.exe 1 7->16         started        18 1283YT348130Et-21 -10000,00-EUR-SWIFT MESAJI.exe 7->18         started        20 1283YT348130Et-21 -10000,00-EUR-SWIFT MESAJI.exe 7->20         started        signatures5 process6 dnsIp7 35 masarprecast.com 162.253.126.144, 49746, 587 SAPIOTERRAUS United States 11->35 37 mail.masarprecast.com 11->37 33 C:\Users\user\AppData\Roaming\...\Fox.exe, PE32 11->33 dropped 57 Tries to steal Crypto Currency Wallets 11->57 22 Fox.exe 3 11->22         started        25 conhost.exe 16->25         started        file8 signatures9 process10 signatures11 47 Multi AV Scanner detection for dropped file 22->47 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->49 51 Tries to steal Instant Messenger accounts or passwords 22->51 53 3 other signatures 22->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2183dd8a07c328ff41cf8fedc06bdc9ec8166d6c11691cb6d379899318d8e555/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-09 08:16:49 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egb53cqhymup6qopr7w4a264t3ebm3lmcfurznwtpgezgggy4vkq._file
Verdict:
unknown
Similar samples:
0ad710da3c3e74e8562e4c6cc8f2d6d8fc0da38abbde279c4fa46b1ca485d4d2
a310Logger
12f108fd2c26d301f44ba20cc6857a5bfe0330e72d1a356051b2f8e968c8214d
a310Logger
5393a2f196ed1f87a0928a8fe9aa6bad007ef7bc6dad3542b3995920be907f7d
a310Logger
56514a9b670f4834c7f152c757a249c1f6295c9f51facd907aa8598d64554a8d
a310Logger
62bdf39d7109c7e7f16a675e23be3085efe10aef41cff698f83a18427a57c02d
a310Logger
6c6ea41e4d74d7251de9203cea6fe24ee847c64170bd87942200a0b08cf87b93
a310Logger
6cbef3935de6e3aa2f3b42bfe47b0ced92955f6635b14c617025068ebb45473a
a310Logger
7fe042e93ace8e9e3ac6c6b4f14847addc613c3c710a3e2bb63d36e4e188ec72
a310Logger
9a51a3cc373a659071b939aabb27ed28c324e0e5ee7eb68967de657158e3c09f
a310Logger
cfb0b7271966cbfe8ae5c270e63669e35a37e7711470d949c9305a1d92d750cf
a310Logger
+ 2'658 additional samples on MalwareBazaar
Result
Malware family:
a310logger
Create hunting rule
Score:
  10/10
Tags:
family:a310logger spyware stealer
Link:
https://tria.ge/reports/210809-xm82e33ad2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
A310logger Executable
A310logger
Unpacked files
SH256 hash:
4eb96755c8592e2e7d40f5bc116a9032f1cefca91d5a3b5db90889385ade9baf
MD5 hash:
526e77e19fb7a0fcacc2d8841dde897c
SHA1 hash:
d2cec5b54603ad2342cfe25e2a61faeb530537a4
Link:
https://www.unpac.me/results/e42a7242-9989-4677-b9ce-0f9779f8b9cb/
SH256 hash:
805271d9001e63a9559a50049a1b49a1262880bc988701aa3b4f8f31f96259d0
MD5 hash:
8a244650466a465d79db46a2ea3a1ad8
SHA1 hash:
3d5d0241a11fdad4de93562dc0c33e716cc3b751
Link:
https://www.unpac.me/results/e42a7242-9989-4677-b9ce-0f9779f8b9cb/
SH256 hash:
ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc
MD5 hash:
6057ce35bd926dd6d49dedfa9cc18372
SHA1 hash:
1f4e44e1740ffbd91129ac3a37d22845bc52c158
Link:
https://www.unpac.me/results/e42a7242-9989-4677-b9ce-0f9779f8b9cb/
SH256 hash:
2183dd8a07c328ff41cf8fedc06bdc9ec8166d6c11691cb6d379899318d8e555
MD5 hash:
a6c09767f7b9b02156bd3e4f67764e79
SHA1 hash:
5aa1d0515cd9ca1802c872cd8a9354b65cef7463
Link:
https://www.unpac.me/results/e42a7242-9989-4677-b9ce-0f9779f8b9cb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2183dd8a07c3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Logger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2183dd8a07c328ff41cf8fedc06bdc9ec8166d6c11691cb6d379899318d8e555

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 2183dd8a07c328ff41cf8fedc06bdc9ec8166d6c11691cb6d379899318d8e555

(this sample)

  
Dropped by
null
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177562/

Comments