MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 19

Intelligence 19 IOCs YARA 19 File information Comments

SHA256 hash:	393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e
SHA3-384 hash:	93f9458c7b3d0710f1178b7324b1e43f334637bd7cf0d9547adb389cfa3f3d4f707d90927d76335d1f0c62d6cdc3f5f1
SHA1 hash:	2d1ffeaf256f1c5dc357fef46f40f35abf65f4ec
MD5 hash:	1a12c63a2564acc9c9df6e5c83adaa5c
humanhash:	sierra-beer-romeo-zebra
File name:	factura-0987655678909876.exe
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	670'208 bytes
First seen:	2025-10-02 15:37:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (61 x Formbook, 23 x AgentTesla, 20 x RemcosRAT)
ssdeep	12288:Lz7hU5I5yuNHIgzSFKxWltRohBfSTso93U6c5EbNCXz5ZpCd4c5:Lf+iN57Gtene3lLNCD5Zgd4A
Threatray	22 similar samples on MalwareBazaar
TLSH	T113E422955980AC90C2546330C435CD9149B439729E11A3BE873DF6FB7D707E3ABABA0B
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	threatcat_ch
Tags:	a310logger exe

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

factura-0987655678909876.exe

Verdict:

Malicious activity

Analysis date:

2025-10-02 15:38:49 UTC

Tags:

auto-startup

Link:

https://app.any.run/tasks/70260a2c-f567-453c-84ca-9d59948a225e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

A310Logger

Link:

https://www.capesandbox.com/analysis/29935/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68de9c46b54520161ad471b4

Tags:

autorun emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Forced shutdown of a system process

Stealing user critical data

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit compiled-script evasive fingerprint masquerade microsoft_visual_cc overlay packed packed packed upx

Link:

https://www.filescan.io/uploads/68de9c48674d5fd6aa13d523/reports/a100d2bf-afdc-4850-9b4a-712a53afb457/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-02T09:34:00Z UTC

Last seen:

2025-10-04T12:41:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/be8c5a1e-baeb-466c-b881-613b202cf548

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1788230

Signature

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected DarkCloud

Yara detected Generic Dropper

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e

Verdict:

Malware

YARA:

5 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/1a12c63a2564acc9c9df6e5c83adaa5c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.FTP

Link:

https://tip.neiki.dev/file/393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-10-02 12:04:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 36 (77.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=he4dlls6d336q2tuwczutxycti6vstvdkh6ahgzicqw2qxvgyf7a._file

Verdict:

malicious

Label(s):

darkcloudstealer

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery upx

Link:

https://tria.ge/reports/251002-s2r9aayjv7/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Drops startup file

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2d3bdbb9-fb9f-4f36-b9dc-09c4eba90bf8

Unpacked files

SH256 hash:

393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e

MD5 hash:

1a12c63a2564acc9c9df6e5c83adaa5c

SHA1 hash:

2d1ffeaf256f1c5dc357fef46f40f35abf65f4ec

Link:

https://www.unpac.me/results/15afdd90-3469-45b2-ae8d-2dfcaee84850/

SH256 hash:

dd066b23ad25fe2258b2779e72c762ea4b56b9422f77e7e6ef0d3f41c27fe6f1

MD5 hash:

09bf6dd4d1ffc80845572913938e6fd9

SHA1 hash:

42d184d0c4a3a8cf3ea47ad5093c2a32cca9d512

Detections:

darkcloudstealer

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

MALWARE_Win_A310Logger

MALWARE_Win_DarkCloud

Link:

https://www.unpac.me/results/15afdd90-3469-45b2-ae8d-2dfcaee84850/

Parent samples :

9a8fb5b27922f3d93f26b0592c7ca6f399097314c79388aeeba9c23b379ee868
6e009cb2ccbc1f7ab7595a488cee196394fbd771fac77ce393a8e3cbddd108b3
393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e
4fc2a9d3f623f77758a0f5a9667b837c2cbe89a7a582ca123eb49c42c8b10035
3f01c5eff9c2161bbbc7c795185932ad8916aeb0fccbec90fdf55de9d55e533a

SH256 hash:

fda9c4b875289cbb110fa982c6d7ac7325aeabeb58ffeec3185515b9e0de99f6

MD5 hash:

67c4a5623c85f7c52f4c0ce40dcc7117

SHA1 hash:

4fe9fa87af57474cc233bdcbf8b5fa6ed45864dc

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/15afdd90-3469-45b2-ae8d-2dfcaee84850/

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/393835ae5e1e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_A310Logger Create hunting rule
Author:	ditekSHen
Description:	Detects A310Logger

Rule name:	MALWARE_Win_DarkCloud Create hunting rule
Author:	ditekSHen
Description:	Detects DarkCloud infostealer

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProtectSharewareV11eCompservCMS Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	Windows_Trojan_DarkCloud_9905abce Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

exe 393835ae5e1ef7e86a74b0b349df029a3d594ea351fc039b28142da85ea6c17e

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/29935/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample