MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30d69e71fbd77dcb2a96dd6915ab7f45445431b76b1e739186d9847b7a0ceaf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30d69e71fbd77dcb2a96dd6915ab7f45445431b76b1e739186d9847b7a0ceaf0
SHA3-384 hash: a00e2f1eb96f00bdbc660311ae5467a56f1359bc48dfc7bf66951876bb412903afa146e026b73fdc464fe6251a336cb5
SHA1 hash: e1a6476f981d779849a55fe33d5a56ae5387b952
MD5 hash: 4660dca1c3905ea903c4cb3bd9f73733
humanhash: moon-mirror-alabama-social
File name:4660dca1c3905ea903c4cb3bd9f73733
Download: download sample
Signature a310Logger
Create hunting rule
File size:189'440 bytes
First seen:2021-09-23 14:05:26 UTC
Last seen:2021-09-23 16:59:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 1536:9ubVQdFMPrs3rDLpXDpRoQ5d6n3l78NZPm5Xo:YQdFqqLpTpR/5QFo
Threatray 4'378 similar samples on MalwareBazaar
TLSH T1C204AB78FDFF6A84C250DE3A666DB05A52E19D18CE8B433BE0D472A47E30CC81A4651F
File icon (PE):PE icon
dhash icon 10808c9c8c869810 (3 x a310Logger, 2 x Formbook, 2 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4660dca1c3905ea903c4cb3bd9f73733
Verdict:
Malicious activity
Analysis date:
2021-09-23 14:07:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f955f185-8fca-45f6-a7e0-4ff6ed7653ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190784/
Detection(s):
SecuriteInfo.com.W32.MSIL_Agent.BCR.genEldorado.23921.12996.UNOFFICIAL
Create hunting rule

Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/803e5ce3-ed05-4165-b1b4-f023ba18a3d0
Result
Threat name:
SpyEx a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856585
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489028 Sample: XmedyuT2UA Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected SpyEx stealer 2->50 52 4 other signatures 2->52 7 XmedyuT2UA.exe 16 8 2->7         started        12 ner.exe 14 2 2->12         started        14 ner.exe 2 2->14         started        process3 dnsIp4 32 cdn.discordapp.com 162.159.129.233, 443, 49741 CLOUDFLARENETUS United States 7->32 24 C:\Users\user\AppData\Roaming\clea\ner.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\...\XmedyuT2UA.exe, PE32 7->26 dropped 28 C:\Users\user\...\ner.exe:Zone.Identifier, ASCII 7->28 dropped 30 2 other malicious files 7->30 dropped 60 Writes to foreign memory regions 7->60 62 Allocates memory in foreign processes 7->62 64 Injects a PE file into a foreign processes 7->64 16 XmedyuT2UA.exe 3 1 7->16         started        34 162.159.133.233, 443, 49775 CLOUDFLARENETUS United States 12->34 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 36 162.159.134.233, 443, 49784 CLOUDFLARENETUS United States 14->36 file5 signatures6 process7 signatures8 38 Multi AV Scanner detection for dropped file 16->38 40 Detected unpacking (creates a PE file in dynamic memory) 16->40 42 Machine Learning detection for dropped file 16->42 44 5 other signatures 16->44 19 AppLaunch.exe 16->19         started        22 AppLaunch.exe 2 16->22         started        process9 signatures10 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->54 56 Tries to steal Mail credentials (via file access) 19->56 58 Tries to harvest and steal browser information (history, passwords, etc) 19->58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30d69e71fbd77dcb2a96dd6915ab7f45445431b76b1e739186d9847b7a0ceaf0/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 14:06:08 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
3ece92463dcf24cb48108755946de3060883611669b3f54217e5600f06044883
a310Logger
674a7b749bea309b2f9157e187a92fc0da9ce79b3a9ee4f3c85e6b58dd961789
a310Logger
a530f2e672f2804e0e69d6296ec30ece0d702eef72f38fef01f0005f789c38ab
a310Logger
b11cb95a4f8665db55cc8a9f54cc0107d37c224adca1f3dfe9bcc50074a23cb2
a310Logger
c4dbc81e8e003295ddf39d7cb73d7fc61ed7287793146b48191352e73a5c8c92
a310Logger
d785b16f811cb9c93968e0e03c88859aac76643ec2b2d2b4cec7a11ed41a6844
a310Logger
dafada11163e9ed5459a4759f6f18561db820214a5ce6f0752083af1faf70369
a310Logger
+ 4'368 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210923-refraseean/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
30d69e71fbd77dcb2a96dd6915ab7f45445431b76b1e739186d9847b7a0ceaf0
MD5 hash:
4660dca1c3905ea903c4cb3bd9f73733
SHA1 hash:
e1a6476f981d779849a55fe33d5a56ae5387b952
Link:
https://www.unpac.me/results/0379c1ff-2531-4902-b533-2a1adf988744/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/30d69e71fbd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/30d69e71fbd77dcb2a96dd6915ab7f45445431b76b1e739186d9847b7a0ceaf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 30d69e71fbd77dcb2a96dd6915ab7f45445431b76b1e739186d9847b7a0ceaf0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1640873/
Cape
Cape
https://www.capesandbox.com/analysis/190784/

Comments


Avatar
zbet commented on 2021-09-23 14:05:27 UTC

url : hxxp://52.58.97.51/T67/F2/BRL_2451020032016.exe