MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b
SHA3-384 hash: 013b8e489a746801cc21c525e44b34becc67fd66a0811e26f1f65b161c6b8fa76e926033de819e1173d2a66a9f9ad3ee
SHA1 hash: fc892954c47237abfc7956450aa13e5ad2d97488
MD5 hash: 941ffbcc54a5826dde6e2d35f2fc761d
humanhash: steak-grey-october-colorado
File name:941ffbcc54a5826dde6e2d35f2fc761d
Download: download sample
Signature a310Logger
Create hunting rule
File size:501'186 bytes
First seen:2021-08-24 17:24:06 UTC
Last seen:2021-08-24 19:39:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 439ff53323e9506db8654c0d8af9cf37 (5 x Formbook, 4 x NanoCore, 4 x Loki)
ssdeep 12288:+pxLkSqnEa1yg6PbvF1yC62hkh2pf05T70sZ0XNfM:jaZ1yQC5gXtM
Threatray 1'080 similar samples on MalwareBazaar
TLSH T147B4129A2508724AED3F993F15B3C09AE22A0D75CBE4605BD257F748817867C3D2B0F9
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://198.12.84.100/can/can.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-24 16:53:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3b29851-657b-43e2-bc70-b0b1130d4d52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181978/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.24602.28836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Deleting a recently created file
Searching for the window
Sending a custom TCP request
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ca4b485-8288-450e-86c0-f1940d024138
Result
Threat name:
StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838478
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected Generic Dropper
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470909 Sample: 2RDp8CKby7 Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected a310Logger 2->44 46 4 other signatures 2->46 8 2RDp8CKby7.exe 1 2->8         started        process3 signatures4 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->56 58 Maps a DLL or memory area into another process 8->58 11 2RDp8CKby7.exe 1 8->11         started        14 conhost.exe 8->14         started        process5 signatures6 60 Writes to foreign memory regions 11->60 62 Allocates memory in foreign processes 11->62 64 Tries to steal Crypto Currency Wallets 11->64 66 Injects a PE file into a foreign processes 11->66 16 AppLaunch.exe 15 5 11->16         started        21 AppLaunch.exe 11->21         started        23 AppLaunch.exe 11->23         started        25 AppLaunch.exe 1 11->25         started        process7 dnsIp8 36 90.168.9.0.in-addr.arpa 16->36 38 icanhazip.com 104.18.7.156, 49701, 80 CLOUDFLARENETUS United States 16->38 34 C:\Users\user\AppData\...\TtmvuOuk.exe, PE32 16->34 dropped 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->48 50 May check the online IP address of the machine 16->50 52 Tries to steal Instant Messenger accounts or passwords 16->52 54 2 other signatures 16->54 27 TtmvuOuk.exe 1 16->27         started        30 WerFault.exe 21->30         started        32 WerFault.exe 23->32         started        file9 signatures10 process11 signatures12 68 Multi AV Scanner detection for dropped file 27->68 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 17:20:59 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
30e102e2061e351f30da3194a9453d2ef1c9af7f1dd453235555c7e6a21c20e0
a310Logger
3e36150936202506d3d8f59cf9ac7810dc1b3b0f7383e9dd9706cecb3fdaf060
a310Logger
4938b1c8ca1745b33ea6adc31b39e2003646370ec7f52fe1e89af6903a69aaca
a310Logger
738a485429af982afe764c392327ad1940bc0e2c53e46ccebc7e7528abaa9c9d
a310Logger
8b4049ea3937e355ad9a551795afcb621fb56991ffc6f1db746861acfd7d6a46
a310Logger
a2cb792dd78926a29fa257675d5cc63d5bb5cd6490592cf7e18a00d6b7b67401
a310Logger
acfd67e70a3b73fa1c66207594fd2afb565fd437470c61f7c2de922d855e71ea
a310Logger
d509a80423a90cce1f81e452bc9fdd3cac58696c8607aa45ab2e41d3de199ce6
a310Logger
f4abecbd1a56abc36103d0595086bfd31c50f33236b9431b53860e5c1e20c2a7
a310Logger
+ 1'070 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210824-tavjkk121x/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
06086963dc4c7dd6e0368abb7408fca82c5f08677fb71692c9b1317c51fa7e65
MD5 hash:
e38c508d7179cb85d5a18472ed144adc
SHA1 hash:
2a4a12d66ef7f68e753ef37614db4ed772cf7700
Link:
https://www.unpac.me/results/6d323155-7fa5-4229-810c-c7a9fc18c93d/
SH256 hash:
4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b
MD5 hash:
941ffbcc54a5826dde6e2d35f2fc761d
SHA1 hash:
fc892954c47237abfc7956450aa13e5ad2d97488
Link:
https://www.unpac.me/results/6d323155-7fa5-4229-810c-c7a9fc18c93d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4a0b8f4dbb3a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181978/
  
URLhaus
https://urlhaus.abuse.ch/url/1560712/

Comments


Avatar
zbet commented on 2021-08-24 17:24:08 UTC

url : hxxp://198.12.84.100/can/can.exe