MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a832cd21b3928ae8d055c8169f619d137852fc891e20944bdef225d6a20b387. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a832cd21b3928ae8d055c8169f619d137852fc891e20944bdef225d6a20b387
SHA3-384 hash: 4863154bc7cc5f34dc5dca22f0844112580ee5315b2351aee784526e62b0078e22167a8affbc37682ad52c07214a24f9
SHA1 hash: 7bc618e49dd0a9f2c1b42b2ae038613192236dce
MD5 hash: e086ad18ab27a7a39c5261987dd8ea7d
humanhash: whiskey-alanine-johnny-georgia
File name:SecuriteInfo.com.W32.AIDetectNet.01.18679.11775
Download: download sample
Signature a310Logger
Create hunting rule
File size:747'008 bytes
First seen:2022-07-19 03:32:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:tP2hM7Hdqsr1PYXM8sF2hczE+jgW2iztuygRpKIoCrgweBnE/rP4Uai0xbgEpudL:tP1p98sFO8E7W2ctudpKIohwSE/rVFYQ
Threatray 1'909 similar samples on MalwareBazaar
TLSH T138F4CDFA32EB014CD856BD35ADF46E27F926DC72608D167DEF3C760A10E617A0990B42
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0800e2eeece2e468 (10 x AgentTesla, 4 x NanoCore, 2 x QuasarRAT)
Reporter SecuriteInfoCom
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291747/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.18679.11775.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d626368fbcdde3605c0cd2/reports/a47da8a1-eaad-4eba-896a-53b40f3ae48c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ffc48e4-84cd-4002-b0bd-3fd78303bb29
Result
Threat name:
BluStealer, SpyEx
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036227
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
DLL side loading technique detected
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected BluStealer
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Generic Dropper
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668721 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 9 other signatures 2->59 7 SecuriteInfo.com.W32.AIDetectNet.01.18679.exe 1 7 2->7         started        11 Alxtsaxxv.exe 3 2->11         started        13 Alxtsaxxv.exe 4 2->13         started        15 2 other processes 2->15 process3 file4 47 C:\Users\user\AppData\...\Alxtsaxxv.exe, PE32 7->47 dropped 49 C:\Users\...\Alxtsaxxv.exe:Zone.Identifier, ASCII 7->49 dropped 51 SecuriteInfo.com.W...et.01.18679.exe.log, ASCII 7->51 dropped 69 Encrypted powershell cmdline option found 7->69 71 Creates multiple autostart registry keys 7->71 73 Writes to foreign memory regions 7->73 17 InstallUtil.exe 4 12 7->17         started        21 powershell.exe 15 7->21         started        75 Allocates memory in foreign processes 11->75 77 Injects a PE file into a foreign processes 11->77 23 powershell.exe 11->23         started        25 InstallUtil.exe 11->25         started        79 Antivirus detection for dropped file 13->79 81 Machine Learning detection for dropped file 13->81 27 powershell.exe 13->27         started        29 InstallUtil.exe 13->29         started        31 conhost.exe 15->31         started        33 conhost.exe 15->33         started        signatures5 process6 file7 41 C:\Users\Public\...\sqlite3.dll, PE32 17->41 dropped 43 C:\Users\Public\...\SQLite3_StdCall.dll, PE32 17->43 dropped 45 C:\Users\Public\...\firebases.exe, PE32 17->45 dropped 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->61 63 Creates multiple autostart registry keys 17->63 65 Tries to harvest and steal browser information (history, passwords, etc) 17->65 67 4 other signatures 17->67 35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 27->39         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a832cd21b3928ae8d055c8169f619d137852fc891e20944bdef225d6a20b387/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 03:33:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fkbszuq3heuk5diflsawt5qz2e3ykl6ishrasrf554rf22rawodq._file
Verdict:
malicious
Similar samples:
03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0
a310Logger
39e1f965a16e606ca303c99faf3f0c3cd1ba0d0eee46df35c8cc79449e434def
a310Logger
61126f74e12b1f13c1f000a90bbcb919979d5d53ac8b20114077986a2fb01495
a310Logger
85a6bd81bf0a73e1a8c4ed1f6642e41d80adf486518d3b4b1553242694eb0933
a310Logger
9c069b3043b757ab5e67889b9f2820758ddb92823bf91678182d6386a16fd5ea
a310Logger
b1fa69e98d91d174851b755a68c214073833e5ac20fdd64f45a61ff0c4a47ad8
a310Logger
c664b0caca95e6a5abc0c2f3a4e5db449f331a4ef9b04a2cc1305a767a9ffb5b
a310Logger
cd8096c2e2a3539c662ab68ca5a4067e58e053d345f5f040123efb0ef9ed5eb5
a310Logger
ce442fab80f616645429e47bededf88f2104476899a35952f70e1e31a21e734a
a310Logger
e1f0b80e829512170cf479a745a34334108357d4cda701e8be7c10190cb14618
a310Logger
+ 1'899 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer persistence stealer
Link:
https://tria.ge/reports/220719-d37m2ahah2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
BluStealer
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/f2bb1c93-8169-4b61-aab8-bf983576b36f/
SH256 hash:
8c1e321f3988c93d5097efe1aa25b0ff001c5be02cc8118a1cc2331ceb00099e
MD5 hash:
0232b2f55b5a16ff5facee13dadfe5b6
SHA1 hash:
7ab7696dbad2f4c98c465d3b1643ece05f716dac
Link:
https://www.unpac.me/results/f2bb1c93-8169-4b61-aab8-bf983576b36f/
SH256 hash:
13a8998bc8eb8392d980d5978de7554235bae0e37d3b45da56dc86c620749498
MD5 hash:
4c0b5e06a15515bc054793a15191f568
SHA1 hash:
66a318312bca82811eb92fdfb35364ede26e2b7e
Link:
https://www.unpac.me/results/f2bb1c93-8169-4b61-aab8-bf983576b36f/
SH256 hash:
ec3eecfca5ac1348b339d995661b2a4983a70596582d053c31123545edca1038
MD5 hash:
43de365b9589f08d5928194273b802c8
SHA1 hash:
58cbd553789bde9fbae30beb36e402b4c28fab95
Link:
https://www.unpac.me/results/f2bb1c93-8169-4b61-aab8-bf983576b36f/
SH256 hash:
dfc6e39843a05d7c7182c763ba13102f620453a5b007c8ea84ec6c5fbfc75575
MD5 hash:
aa10db9151825b5226ae62d6da2f28b3
SHA1 hash:
5088c7eaf8622c3838ec41d93564e9edc7921406
Link:
https://www.unpac.me/results/f2bb1c93-8169-4b61-aab8-bf983576b36f/
SH256 hash:
2a832cd21b3928ae8d055c8169f619d137852fc891e20944bdef225d6a20b387
MD5 hash:
e086ad18ab27a7a39c5261987dd8ea7d
SHA1 hash:
7bc618e49dd0a9f2c1b42b2ae038613192236dce
Link:
https://www.unpac.me/results/f2bb1c93-8169-4b61-aab8-bf983576b36f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a832cd21b39/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a832cd21b3928ae8d055c8169f619d137852fc891e20944bdef225d6a20b387

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291747/

Comments