MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23b5a7169d8ab03c941f751625eabe427cc22aa4e39253af3fb7e4fc8e35a207. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23b5a7169d8ab03c941f751625eabe427cc22aa4e39253af3fb7e4fc8e35a207
SHA3-384 hash: e150400d61e3de6ee4b33448325204b9104fa0aed3fc73ef8553f9fd15bafc7a3bc8000a46d7b12c0efeb43fee0fa897
SHA1 hash: b2dbbc4d06d197325efa9c780a881e5dc5055c8e
MD5 hash: 8d654f7f3951c4493f602eaeec06a66d
humanhash: romeo-tennessee-rugby-missouri
File name:SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'448'960 bytes
First seen:2022-10-23 08:05:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:NkU0xyXgeNY7E12oi4cWAlGmEFr0ulZlh6alRsn/ju1LNajXYo3aOtY:fXgeNYM3NVAAb0slh/sUBajD3
Threatray 3'714 similar samples on MalwareBazaar
TLSH T1C7657B7222E40217E02A337990A7D0B7A2FBAE106045D6CB55D71FAF7C922B7D61335B
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter SecuriteInfoCom
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121
Verdict:
Malicious activity
Analysis date:
2022-10-23 08:06:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/37abba53-0a3e-4956-91ac-eed7b1d15eb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322895/
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6354f5ec66721ebd9b2f77f4/reports/cdf898f0-cb38-40b7-b71e-e57325a6f274/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b088a400-2754-4283-b701-1bc694c56fa8
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1095804
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected AntiVM3
Yara detected BluStealer
Yara detected Telegram RAT
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 728445 Sample: SecuriteInfo.com.MSIL.GenKr... Startdate: 23/10/2022 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 10 other signatures 2->57 7 SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe 7 2->7         started        11 onVgEhgtvkJAns.exe 5 2->11         started        process3 dnsIp4 39 C:\Users\user\AppData\...\onVgEhgtvkJAns.exe, PE32 7->39 dropped 41 C:\...\onVgEhgtvkJAns.exe:Zone.Identifier, ASCII 7->41 dropped 43 C:\Users\user\AppData\Local\...\tmp6E1B.tmp, XML 7->43 dropped 45 SecuriteInfo.com.M...23962.24121.exe.log, ASCII 7->45 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 63 Injects a PE file into a foreign processes 7->63 14 SecuriteInfo.com.MSIL.GenKryptik.FZUN.tr.23962.24121.exe 1 7 7->14         started        18 powershell.exe 21 7->18         started        20 schtasks.exe 1 7->20         started        26 3 other processes 7->26 47 192.168.2.1 unknown unknown 11->47 65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 22 onVgEhgtvkJAns.exe 11->22         started        24 schtasks.exe 11->24         started        file5 signatures6 process7 dnsIp8 49 api.telegram.org 149.154.167.220, 443, 49699, 49700 TELEGRAMRU United Kingdom 14->49 28 AppLaunch.exe 2 14->28         started        31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        75 Writes to foreign memory regions 22->75 77 Allocates memory in foreign processes 22->77 79 Injects a PE file into a foreign processes 22->79 35 AppLaunch.exe 22->35         started        37 conhost.exe 24->37         started        signatures9 process10 signatures11 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->69 71 Tries to steal Mail credentials (via file / registry access) 35->71 73 Tries to harvest and steal browser information (history, passwords, etc) 35->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23b5a7169d8ab03c941f751625eabe427cc22aa4e39253af3fb7e4fc8e35a207/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-10-23 08:16:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eo22ofu5rkydzfa7oulcl2v6ij6mekve4ojfhlz7w7spzdrvuidq._file
Verdict:
malicious
Similar samples:
13537e7d58eb6312b80c2abd796be6569ec2d99a41c20913629db6c1d5c12e0b
a310Logger
1c5bf7e3edbccd4fe44d97baba8529438169f346769e109b2b660d1b45b2a02b
a310Logger
5475992d3304669f1b85ae554b2b8d894410e92ec46642e1af9c1b6841ca6724
a310Logger
82b0930120afef192da8d6f7ae2275298986918eed55b4765a4ee665a23453d0
a310Logger
90cfa88b710e25a9a1219c67738a891f052a33085a5aca2797524612b016249e
a310Logger
9ee2d324d8076b2b924ebdfbc678165a46089b8e413b292da28f6e9724e657a2
a310Logger
aaf048e30d5f843407f59bff320b992295396dc39dfb7bc6ca1c71f80897fecd
a310Logger
c75c9aa6a59390063715c53c31d399ee5da8d2e03dd7abaae9e369d4b4e5354c
a310Logger
e26dd831623e50b2c73425319558645fdf0dd430dfc07b4d564c3d1d10852ebf
a310Logger
+ 3'704 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer collection stealer
Link:
https://tria.ge/reports/221023-jzd47shca3/
Behaviour
Creates scheduled task(s)
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5755930650:AAElY45_nxTVkERZWnAInWKh0Sygx_xge0E/sendMessage?chat_id=1293496579
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/935c1734-3e26-408a-bcd6-052b85326bf8
Unpacked files
SH256 hash:
fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c
MD5 hash:
d2ec533f8b40a8224d79c87c2291f943
SHA1 hash:
f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2
Link:
https://www.unpac.me/results/ea3f9a0a-f4e5-4a5f-bb34-94c3c4062892/
SH256 hash:
61f75f21b8539add2cb489f6135557b3539df84b8d79025f208ec44d3be4493b
MD5 hash:
e7eae587c7ef6d1b8feed44afc7fc535
SHA1 hash:
9e9bba3e73dee1c9f4f8b03db70f4f198791d665
Link:
https://www.unpac.me/results/ea3f9a0a-f4e5-4a5f-bb34-94c3c4062892/
SH256 hash:
8b8ee711210bcf96b0257f5956bf40b05d6615feb6f19842861e8b0ba8a776bc
MD5 hash:
c466b32ae2cfed0a81174978c9f2eac2
SHA1 hash:
2714767e6ceb2a6280d0412a1f3f7b7eaa0b2af1
Link:
https://www.unpac.me/results/ea3f9a0a-f4e5-4a5f-bb34-94c3c4062892/
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/ea3f9a0a-f4e5-4a5f-bb34-94c3c4062892/
SH256 hash:
16c224f4c368895ba845e6ded982fda46615cd43ed8e1e2f2d4e5fbf8f82f007
MD5 hash:
1d89446355bc2226081dfdc04d8ab43f
SHA1 hash:
0d0441dda8a8831229ef5f5054a4c4348992acf3
Link:
https://www.unpac.me/results/ea3f9a0a-f4e5-4a5f-bb34-94c3c4062892/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/ea3f9a0a-f4e5-4a5f-bb34-94c3c4062892/
SH256 hash:
9870dbb37050b9de21aa65dec30e7094bb34775e2b8a2ee5d37481ce924ecd5c
MD5 hash:
53cd50750accb95e275c7a00c43712e9
SHA1 hash:
b45c7fbb26bb2a25c746764b9ea2272b8227f8bc
Link:
https://www.unpac.me/results/ea3f9a0a-f4e5-4a5f-bb34-94c3c4062892/
SH256 hash:
23b5a7169d8ab03c941f751625eabe427cc22aa4e39253af3fb7e4fc8e35a207
MD5 hash:
8d654f7f3951c4493f602eaeec06a66d
SHA1 hash:
b2dbbc4d06d197325efa9c780a881e5dc5055c8e
Link:
https://www.unpac.me/results/ea3f9a0a-f4e5-4a5f-bb34-94c3c4062892/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/23b5a7169d8a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23b5a7169d8ab03c941f751625eabe427cc22aa4e39253af3fb7e4fc8e35a207

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/322895/

Comments