MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0
SHA3-384 hash: 06ccb87870febee7479851b196a9528a78ddf6ce1d39e4c0f3a865574e12728c3d5ef1ac0aab697fcb53c5f4ff288e97
SHA1 hash: a300b7be64343ce6ab88edb0c71f3052663674d4
MD5 hash: 6f8bb2ff11646a8e47c1b2a27d475010
humanhash: nuts-yankee-alpha-steak
File name:6f8bb2ff11646a8e47c1b2a27d475010
Download: download sample
Signature a310Logger
Create hunting rule
File size:744'960 bytes
First seen:2021-09-07 14:56:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:csyxZCYQneRW88If1cmRBPA0nV2sb+xUVWcyN:cjZCr7gf1cIA0nos6Cn
Threatray 4'862 similar samples on MalwareBazaar
TLSH T1E0F4AEB368AB0C08E5564EF04551B370D1752D5E3ACE8CC6E88CBA1ED0377E7B09A56B
dhash icon b032cc442c8cd290 (6 x a310Logger, 2 x Formbook, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6f8bb2ff11646a8e47c1b2a27d475010
Verdict:
Malicious activity
Analysis date:
2021-09-07 14:59:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9fd1748f-46a2-46d2-9b1c-62daca1982c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186075/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1021.20697.27759.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74dea5fd-a33a-419a-8cca-59f40c84dcbb
Result
Threat name:
StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846712
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 479143 Sample: 3RQvR8bIfa Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 61 time.google.com 2->61 79 Malicious sample detected (through community Yara rule) 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 3 other signatures 2->85 9 3RQvR8bIfa.exe 9 2->9         started        signatures3 process4 file5 53 C:\Users\user\AppData\Roaming\...\pade.exe, PE32 9->53 dropped 55 C:\Users\user\AppData\...\3RQvR8bIfa.exe, PE32 9->55 dropped 57 C:\Users\...\3RQvR8bIfa.exe:Zone.Identifier, ASCII 9->57 dropped 59 C:\Users\user\AppData\...\3RQvR8bIfa.exe.log, ASCII 9->59 dropped 97 Creates an undocumented autostart registry key 9->97 13 3RQvR8bIfa.exe 9->13         started        17 powershell.exe 18 9->17         started        19 powershell.exe 18 9->19         started        21 3 other processes 9->21 signatures6 process7 dnsIp8 65 budgetn.shop 68.65.123.43, 49719, 49722, 49723 NAMECHEAP-NETUS United States 13->65 103 Multi AV Scanner detection for dropped file 13->103 105 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->105 107 Writes to foreign memory regions 13->107 109 3 other signatures 13->109 23 AppLaunch.exe 13->23         started        28 AppLaunch.exe 13->28         started        30 AppLaunch.exe 13->30         started        32 AppLaunch.exe 13->32         started        73 4 other IPs or domains 17->73 34 conhost.exe 17->34         started        67 8.8.4.4 GOOGLEUS United States 19->67 69 192.168.2.1 unknown unknown 19->69 75 4 other IPs or domains 19->75 36 conhost.exe 19->36         started        71 time.google.com 21->71 77 11 other IPs or domains 21->77 38 conhost.exe 21->38         started        40 conhost.exe 21->40         started        42 conhost.exe 21->42         started        signatures9 process10 dnsIp11 63 icanhazip.com 104.18.7.156, 49717, 49718, 80 CLOUDFLARENETUS United States 23->63 49 C:\Users\user\AppData\...\ktJlwzpM.exe, PE32 23->49 dropped 87 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->87 89 May check the online IP address of the machine 23->89 91 Tries to steal Instant Messenger accounts or passwords 23->91 44 ktJlwzpM.exe 23->44         started        51 C:\Users\user\AppData\...51qwXneph.exe, PE32 28->51 dropped 93 Tries to steal Mail credentials (via file access) 28->93 95 Tries to harvest and steal browser information (history, passwords, etc) 28->95 47 NqwXneph.exe 28->47         started        file12 signatures13 process14 signatures15 99 Multi AV Scanner detection for dropped file 44->99 101 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 44->101
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 10:25:29 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxkegv4ld2yhbdjtju7beuhwqviklw2nmmhrqe763drpywfcy3ia._file
Verdict:
malicious
Similar samples:
4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b
a310Logger
6f0cba180dbf4115883c20ad4f8279c765d449033146d2588069f7f20a2db61e
a310Logger
aa8e727a0957fac665a28efd220b9593c43d15e3a87dff0e4be6c830c0034b48
a310Logger
b281be38a190ca97b700202096f56b29ff68740c0d40273f286e03d52685321e
a310Logger
b301185f13c9f20441ebbbcf360bdd06174cff01b5da49cee874347206a5cdcb
a310Logger
d6390558e6f860877f95e6cf83ebc2fa028da6f469d75f73b27afe92900fbc7f
a310Logger
f4b224dc05210c0020c5e2f736c3132de81057918783ed65e56add163f92d552
a310Logger
+ 4'852 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210907-sbk3aacge8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
14d9dbf7550145634e84374c2ef4a9f7d931928d26e873c9373493e27bf3fa36
MD5 hash:
293d11bedb4691566ffcae80bc9fdb48
SHA1 hash:
b8c41164c468a09d4fe40f29014e8a64a3e41bb5
Link:
https://www.unpac.me/results/ff726232-7c38-45a6-bf7d-b154011df6e3/
SH256 hash:
ebc0faa366bf751aa297bb5c57bdc34be623615d7024f0ab388447b522f6cfd6
MD5 hash:
f1138afef4bf615430c982a8f1a88f9f
SHA1 hash:
a1af7cda48d12972db1c39e0569a2f71ab694281
Link:
https://www.unpac.me/results/ff726232-7c38-45a6-bf7d-b154011df6e3/
SH256 hash:
35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0
MD5 hash:
6f8bb2ff11646a8e47c1b2a27d475010
SHA1 hash:
a300b7be64343ce6ab88edb0c71f3052663674d4
Link:
https://www.unpac.me/results/ff726232-7c38-45a6-bf7d-b154011df6e3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/35d443578b1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1599920/
Cape
Cape
https://www.capesandbox.com/analysis/186075/

Comments


Avatar
zbet commented on 2021-09-07 14:57:03 UTC

url : hxxp://wingsteck.com/3/P/TLH_110503078801.exe