MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a85650070bb8a38e31bd9fe5fd4626364bdb6cef093025e4fe814fc18391685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a85650070bb8a38e31bd9fe5fd4626364bdb6cef093025e4fe814fc18391685
SHA3-384 hash: d46290bc9ff0372dde5268e63309bd0b44faa3778f97e8951dfc67700050219096991ac3938a84e4f2e03654ea49b162
SHA1 hash: 689e8bd702311644918167ab49b62ca8f66ae05c
MD5 hash: d0c330c120200b22d5764fd824280783
humanhash: princess-golf-north-yellow
File name:sales. list.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'519'104 bytes
First seen:2022-10-08 10:29:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:E0lE26w0RKCex4ZJZFvSEb6KeRq+q+jrkEx:6/UeFqEbHezdc
Threatray 221 similar samples on MalwareBazaar
TLSH T12E653D9871D135DEE427CA728FAA6C94EA42FD76432F9147502F32498A3F843DE534B2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1f1c4bca1b2d1f1b (3 x SnakeKeylogger, 2 x Formbook, 1 x RemcosRAT)
Reporter 0xToxin
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2a85650070bb8a38e31bd9fe5fd4626364bdb6cef093025e4fe814fc18391685.zip
Verdict:
Malicious activity
Analysis date:
2022-10-08 13:11:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1848a326-3f25-469e-9a99-2bc5366f411c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317870/
Detection(s):
Win.Trojan.Ag-18
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6341512bd089a0c15dd5daa6/reports/bcb91dfb-3a13-4148-8150-cf0431824872/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2d1edf64-2b62-44bf-9acf-b300c3fcdc05
Result
Threat name:
BluStealer, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086253
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected BluStealer
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a85650070bb8a38e31bd9fe5fd4626364bdb6cef093025e4fe814fc18391685/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2022-10-07 07:35:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fkcwkadqxofdryy33h7f7vdcmnsl3nwo6cjqexsp5akpygbzc2cq._file
Verdict:
malicious
Similar samples:
1d54c7f11bb2f8ac095bf334f0d8025ae7b8299c483c62ad9604f22b92204814
a310Logger
34ff7d92c1c335d251ad12780ccc8fb3a10430fc20cfbb0ff55c40128ffe9a81
a310Logger
4fdbb565cacf8d38c63c42c2afeaaf59e6b5bf226709cde754219c96fee3aff9
a310Logger
87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08
a310Logger
8f458a7e77b48b60467dc6338ea5854db2afa53754fb2098edd8caf415ca6e64
a310Logger
c71f3405fcb67d0f2c1bea7cb7a1a681f653712b9d92f95fbae726f5b7a78d41
a310Logger
f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425
a310Logger
ffc51f2ef0542e31be26668f49bf65a719ea827188707a83ca5421d2ad8b6fbc
a310Logger
+ 211 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/221008-mjtfqsefhn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/162f729d-0b47-4e58-9ce2-770885c94f11
Unpacked files
SH256 hash:
9f7baee5060ba35bd8ddae7c6b72c4ee46e4f0324a028b3dc78136b86d6ac233
MD5 hash:
5b92047f36a10ae6eda3624436414c3c
SHA1 hash:
f77ff57c6426df48cdf8793cd97551b6b303efef
Link:
https://www.unpac.me/results/f31e1833-b7b1-42d8-87db-d2ad2066fac5/
SH256 hash:
4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash:
f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash:
5d7add32313074f5a1e9b4ab379298dee8b6217e
Link:
https://www.unpac.me/results/f31e1833-b7b1-42d8-87db-d2ad2066fac5/
SH256 hash:
ec43b08ef9bd0d2beca829727a888c58483cbea92fe47b2c884b39df55455911
MD5 hash:
758b4026ef3f9fe97081e33e2d3c74b9
SHA1 hash:
3787fa0049e2b21a16367a4505a97d7926cbf55c
Link:
https://www.unpac.me/results/f31e1833-b7b1-42d8-87db-d2ad2066fac5/
SH256 hash:
2a85650070bb8a38e31bd9fe5fd4626364bdb6cef093025e4fe814fc18391685
MD5 hash:
d0c330c120200b22d5764fd824280783
SHA1 hash:
689e8bd702311644918167ab49b62ca8f66ae05c
Link:
https://www.unpac.me/results/f31e1833-b7b1-42d8-87db-d2ad2066fac5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/2a85650070bb8a38e31bd9fe5fd4626364bdb6cef093025e4fe814fc18391685

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 2a85650070bb8a38e31bd9fe5fd4626364bdb6cef093025e4fe814fc18391685

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/317870/

Comments