MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 19


Intelligence 19 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b
SHA3-384 hash: f419e640f78d84785db8a9b1b28d836889550f90e8272fc7e0956541589c93c62fe67fa6d6348902168babaea22971f5
SHA1 hash: 2b87037463e7173071bb011f24366bc3a7ee406d
MD5 hash: e1ab49b244803279385b4457d648c830
humanhash: purple-floor-september-foxtrot
File name:Order#0001471.scr
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'060'864 bytes
First seen:2025-08-02 11:54:26 UTC
Last seen:2025-08-02 11:59:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:R00nyZ0snKBWEHdaHVSOtKwD1xqwtryqZu6s+FF44DRFL5gyiEqgWeyWlN4sn3i1:ReH6w1Sqfl1/L5htLn3i1
Threatray 120 similar samples on MalwareBazaar
TLSH T12C35F04CBB35BA66D41E4FB6C413516843E04A2BE63AF19B4CD525D21E2EBD8C18EF07
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon d8d8dadad9d999d8 (8 x Formbook, 4 x AgentTesla, 3 x SnakeKeylogger)
Reporter cocaman
Tags:a310logger exe scr

Intelligence

File Origin
# of uploads :
5
# of downloads :
73
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order#0001471.7z
Verdict:
Malicious activity
Analysis date:
2025-08-02 11:56:41 UTC
Tags:
arch-exec stealer evasion auto-sch-xml darkcloud ims-api generic upx
Link:
https://app.any.run/tasks/1c5a6419-525f-4305-a529-beeb2d0e7d33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18439/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688dfc750b4775fb21351f45
Tags:
spawn shell virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Searching for the window
Searching for synchronization primitives
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 fingerprint lolbin masquerade msbuild obfuscated obfuscated overlay packed packed reconnaissance regsvcs rezer0 roboski schtasks telegram vbc
Link:
https://www.filescan.io/uploads/688dfcb3dc44c87d077aa902/reports/f08571c1-e91c-440b-bc47-539acb0eba36/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b10a51b-4164-4f5f-bc67-8cdcfb049202
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
86 / 100
Link:
https://www.joesandbox.com/analysis/1749032
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1749032 Sample: Order#0001471.scr.exe Startdate: 02/08/2025 Architecture: WINDOWS Score: 86 50 showip.net 2->50 52 s-0005.dual-s-msedge.net 2->52 54 ecs-office.s-0005.dual-s-msedge.net 2->54 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 10 other signatures 2->64 8 Order#0001471.scr.exe 7 2->8         started        12 GZRsANftxiwKwS.exe 5 2->12         started        14 OUTLOOK.EXE 2->14         started        16 OUTLOOK.EXE 2->16         started        signatures3 process4 file5 42 C:\Users\user\AppData\...behaviorgraphZRsANftxiwKwS.exe, PE32 8->42 dropped 44 C:\...behaviorgraphZRsANftxiwKwS.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\Users\user\AppData\Local\...\tmp6B7C.tmp, XML 8->46 dropped 48 C:\Users\user\...\Order#0001471.scr.exe.log, ASCII 8->48 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 8->74 76 Adds a directory exclusion to Windows Defender 8->76 78 Injects a PE file into a foreign processes 8->78 18 Order#0001471.scr.exe 16 8->18         started        22 powershell.exe 23 8->22         started        24 powershell.exe 23 8->24         started        26 schtasks.exe 1 8->26         started        80 Antivirus detection for dropped file 12->80 82 Multi AV Scanner detection for dropped file 12->82 84 Writes or reads registry keys via WMI 12->84 28 GZRsANftxiwKwS.exe 12->28         started        30 schtasks.exe 12->30         started        signatures6 process7 dnsIp8 56 showip.net 162.55.60.2, 49721, 49729, 80 ACPCA United States 18->56 66 Loading BitLocker PowerShell Module 22->66 32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->68 70 Tries to steal Mail credentials (via file / registry access) 28->70 72 Tries to harvest and steal browser information (history, passwords, etc) 28->72 38 WmiPrvSE.exe 28->38         started        40 conhost.exe 30->40         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.41 Win 32 Exe x86
Link:
https://app.malva.re/file/e1ab49b244803279385b4457d648c830
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-08-01 06:13:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ewm3666xcycqrsguaftw3mfii2m3fkxyorzokw6rguxxt6w5sbfq._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
142a7242e18f3d827d84908b9dc9bec3ed7c5de36e5c73e0954b5058ec44490c
a310Logger
8e70ded796554c6b4cacde8469bfc6cfc13b4adecdaf0e0e22b8fcfab89c8f19
a310Logger
ad35c23788b2e0f57f4a57326290de01f0680c567122ff11fa0eefe5443e522e
a310Logger
f8bb9aecb12614029fc43d6866dafd4de9a703887da83b8efb4bd8a1aac8c2ff
a310Logger
+ 110 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250802-n3pgkazsdw/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8156904986:AAFHD6zZR5tltKFd6tXgdFhdZu4aQHMgI0w/sendMessage?chat_id=5858365728
Verdict:
Malicious
Tags:
DarkCloud
YARA:
n/a
Link:
https://app.threat.zone/submission/dd03a7e3-5d66-413d-bfe4-df8119658771
Unpacked files
SH256 hash:
2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b
MD5 hash:
e1ab49b244803279385b4457d648c830
SHA1 hash:
2b87037463e7173071bb011f24366bc3a7ee406d
Link:
https://www.unpac.me/results/0d358d8e-3d9f-4fe5-a00c-58218acca78d/
SH256 hash:
c6f3a080a3c107e8f084d09c898c6e92bdc684a309748f35b74ecc2d622dca89
MD5 hash:
84edfab1408af1a941f95cb6bbe9d145
SHA1 hash:
24632aa61841fc3771c3fa4aa31395c3a4bd8756
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0d358d8e-3d9f-4fe5-a00c-58218acca78d/
SH256 hash:
1d959d003c1e823f9f5f3b8c6d09b37a8919e5cb0d9c7afc127b633d173843a0
MD5 hash:
73723cf6983c52b5a9b570cffb838417
SHA1 hash:
52ef6a899853412aeaa32d62ddb6293cc159863b
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/0d358d8e-3d9f-4fe5-a00c-58218acca78d/
Parent samples :
2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b
0003d1bbcd46384a9d77cf57d944c59587acb1bdea0dd0306d87a422748de5e7
37f4c5e75ad2232303971fc700edc714e87e3b097399d12942929da2c93994b0
14bedcf25ba0fa354fc7b8adf059130db692b7ccb54276bd43930f02aed4d9b6
SH256 hash:
9a996dad1ac44e98da2dd4d5880b28f8dec4f9fa4e69883f926923b7f26d5a06
MD5 hash:
737de67409047e2ea2f24efaa6eb49ee
SHA1 hash:
9517e9c12735c52a18c1e74f5abb7fabcd92a8f2
Link:
https://www.unpac.me/results/0d358d8e-3d9f-4fe5-a00c-58218acca78d/
SH256 hash:
6005f0e4563fef5e8abfdb88cacd5b3d8fd4cff04b1af93e8e01a9990f46d5c0
MD5 hash:
3f17ed370489371093c2a3d768cb6b07
SHA1 hash:
fb4f0ddcaf872e4c7850e4cefad59a2c62f54424
Link:
https://www.unpac.me/results/0d358d8e-3d9f-4fe5-a00c-58218acca78d/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/0d358d8e-3d9f-4fe5-a00c-58218acca78d/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2599bf7bd716/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

7z 3973d9a25219c4309390f89034945f10437ce572223ad54719dfe965f3547ffb

a310Logger

Executable exe 2599bf7bd7160508c8d401676db0a84699b2aaf87472e55bd1352f79fadd904b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3973d9a25219c4309390f89034945f10437ce572223ad54719dfe965f3547ffb
Cape
Cape
https://www.capesandbox.com/analysis/18439/
  
Dropped by
MD5 e6b17b9f3c9c1927b00b0ba876c49a91

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments