MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
a310Logger
Vendor detections: 11
| SHA256 hash: | 4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52 |
|---|---|
| SHA3-384 hash: | e9015e49a67764a38575c7e798ee367c53c494fcc62e5780ffa1c4e2ddb503fdd28bc27ae6c119f33b3d155c245dc387 |
| SHA1 hash: | 92269b2ad71e7cac4eff7dc810f2989b93ac74b0 |
| MD5 hash: | 671f6fa2476117ebabadfbbabe5a4009 |
| humanhash: | zebra-cup-green-monkey |
| File name: | Quotation required.exe |
| Download: | download sample |
| Signature | a310Logger |
| File size: | 581'270 bytes |
| First seen: | 2022-12-08 18:53:01 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla) |
| ssdeep | 12288:VYIFRHhMwBPAsS6l6y1HcjhgEbXFRcEHvhI52:VzFRBosSSFNaXFRc0hQ2 |
| TLSH | T171C4236EF0E2C1B7E62359720053133EEDF25704426451DF53686B4B9EB35E2D12AEE1 |
| TrID | 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1) |
| File icon (PE): | |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter | Anonymous |
| Tags: | a310logger exe |
Intelligence
File Origin
# of uploads: 1
# of downloads: 181
Origin country: n/a
Vendor Threat Intelligence
Detection:
A310Logger
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a window
Launching a process
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Creating a file
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
formbook lokibot overlay packed shell32.dll
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LockBit Ransomware
Verdict:
Malicious
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected Generic Dropper
Yara detected ThunderFox Stealer
Behaviour
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2022-12-08 08:57:12 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 26 (69.23%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
blustealer
Score:
10/10
Tags:
family:blustealer collection stealer
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Executes dropped EXE
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Dropped by
a310Logger
Delivery method
Distributed via e-mail attachment