MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b1916e4af1ac2f840f64207d438de0b5c05620170bac3221a0b7ccd0800a646. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 11

SHA256 hash: 5b1916e4af1ac2f840f64207d438de0b5c05620170bac3221a0b7ccd0800a646
SHA3-384 hash: b3a41e857d1fd249fdab47598fb7db0169d38c9146f63905acaca9c8df2bd57f8bd2ec50d1cd815a5cef687f23689be9
SHA1 hash: 9ede16712bc1265f90e1601ea9cf6d43d684c309
MD5 hash: bae6c2c464c340693ac56e61f4462a79
humanhash: enemy-skylark-bakerloo-fix
File name: bae6c2c464c340693ac56e61f4462a79
Signature: a310Logger
File size: 362'865 bytes
First seen: 2022-08-22 12:59:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98f67c550a7da65513e63ffd998f6b2e (21 x SnakeKeylogger, 13 x MassLogger, 11 x CryptOne)
ssdeep: 6144:UvEN2U+T6i5LirrllHy4HUcMQY62jJk+eUguNi:GENN+T5xYrllrU7QY6eJeUgN
TLSH: T12074E93BFA04606ED5938AF09866655AB5267E321B90EC0B77D2BF093475683B0F131F
TrID:
58.8% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
22.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 20047c7c60e0e002 (6 x MassLogger, 2 x Neshta, 1 x a310Logger)
Reporter: zbetcheckin
Tags: 32 a310logger exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 252
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bae6c2c464c340693ac56e61f4462a79
Verdict: Malicious activity
Analysis date: 2022-08-22 13:01:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Sending a custom TCP request
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: evasive greyware hacktool keylogger overlay shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CryptOne
Detection: malicious
Classification: rans.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Potential malicious icon found
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (rendered graph not reproduced here): ID 688039, Sample S4qoSQ1Okl, Startdate 22/08/2022, Architecture WINDOWS, Score 100
Threat name: Win32.Trojan.Swisyn
Status: Malicious
First seen: 2022-08-22 13:00:10 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 26 of 26 (100.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SHA256 hash: 4372dc65539f63b310faf31f2ae75e8f4dea8a2e986dd141297679ef677874c2
MD5 hash: 611eae1af04fb87a893c27e320241ee5
SHA1 hash: a90ee375fe07ff392ff8acd64664a056e7a7dcb0
SHA256 hash: 5b1916e4af1ac2f840f64207d438de0b5c05620170bac3221a0b7ccd0800a646
MD5 hash: bae6c2c464c340693ac56e61f4462a79
SHA1 hash: 9ede16712bc1265f90e1601ea9cf6d43d684c309
Detections: win_mofksys_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot

Rule name: MALWARE_Win_A310Logger
Author: ditekSHen
Description: Detects A310Logger

Rule name: win_mofksys_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.mofksys.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
a310Logger
Executable exe 5b1916e4af1ac2f840f64207d438de0b5c05620170bac3221a0b7ccd0800a646 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-08-22 12:59:45 UTC

url : hxxp://37.139.129.142/htdocs/DtJSEniCZGoHFQf.exe