MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65eeb38ef21735b46b448ba2359cdf12a9f5041e8f0df7385f63be59760bc645. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65eeb38ef21735b46b448ba2359cdf12a9f5041e8f0df7385f63be59760bc645
SHA3-384 hash: 6d06e8029141469c1add1bc16a1bb481d3636d61367ecec7ba309051ddedfc301cbada4e51c542a8f9bd5de2103b6360
SHA1 hash: 42252dafdea79b21ff6385715b66fe23ef82680f
MD5 hash: 67e35ba1e64e085fe1226951b88517dc
humanhash: spring-illinois-asparagus-charlie
File name:New_Request_800454000.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:666'624 bytes
First seen:2021-08-17 14:12:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:1gTXomEQUwTNl1v3iWo6GPU5WJg7MPW/hrJAmNZ5DD1ovdmKNxQVvnKb0u:1KE2pzXo6GJw9/h1AmNzRoEKnQBKw
Threatray 24 similar samples on MalwareBazaar
TLSH T1A9E4232453A25E3BD5EEDB72795D00CBD6603E53D407BA8A3C2533CB2DBB34987A4A00
dhash icon 4730d8d4d0d83087 (1 x a310Logger)
Reporter abuse_ch
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New_Request_800454000.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 14:17:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8e4be123-d778-4bba-82d5-284d8e240984

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180098/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.16298.18112.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f6bb725-c88d-4231-9af8-2efb82ba4c20
Result
Threat name:
SpyEx StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834425
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466885 Sample: New_Request_800454000.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 6 other signatures 2->68 8 New_Request_800454000.exe 1 8 2->8         started        12 chrom.exe 2 2->12         started        14 chrom.exe 2->14         started        process3 file4 38 C:\Users\user\AppData\Roaming\...\chrom.exe, PE32 8->38 dropped 40 C:\Users\user\...40ew_Request_800454000.exe, PE32 8->40 dropped 42 C:\Users\user\...\chrom.exe:Zone.Identifier, ASCII 8->42 dropped 44 2 other malicious files 8->44 dropped 78 Writes to foreign memory regions 8->78 80 Injects a PE file into a foreign processes 8->80 16 New_Request_800454000.exe 1 8->16         started        signatures5 process6 dnsIp7 46 bojtai.xyz 199.188.200.110, 49727, 587 NAMECHEAP-NETUS United States 16->46 54 Multi AV Scanner detection for dropped file 16->54 56 Performs DNS queries to domains with low reputation 16->56 58 Machine Learning detection for dropped file 16->58 60 5 other signatures 16->60 20 AppLaunch.exe 15 5 16->20         started        25 AppLaunch.exe 16->25         started        27 AppLaunch.exe 1 16->27         started        29 AppLaunch.exe 16->29         started        signatures8 process9 dnsIp10 48 icanhazip.com 104.18.6.156, 49724, 80 CLOUDFLARENETUS United States 20->48 50 192.168.2.1 unknown unknown 20->50 52 10.76.9.0.in-addr.arpa 20->52 36 C:\Users\user\AppData\...\Cwcxklxc.exe, PE32 20->36 dropped 70 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->70 72 May check the online IP address of the machine 20->72 74 Tries to steal Instant Messenger accounts or passwords 20->74 76 2 other signatures 20->76 31 Cwcxklxc.exe 1 20->31         started        34 WerFault.exe 25->34         started        file11 signatures12 process13 signatures14 82 Multi AV Scanner detection for dropped file 31->82 84 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65eeb38ef21735b46b448ba2359cdf12a9f5041e8f0df7385f63be59760bc645/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 14:12:43 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxxlhdxsc423i22erordlhg7cku7kba6r4g7ooc7mo7fs5qlyzcq._file
Verdict:
unknown
Similar samples:
1273a548df057bfaafa975b34de3551362e91faaaa78b0bcf764c67f225b423d
a310Logger
128030bd65a0160f4b879fa29b9bc70c926413ae8451a1943e8a2af08969b47a
a310Logger
1fa08d9326a1d7f294124f69dda88c2cb0422025658c0ddc5664ce3e3dc7cb86
a310Logger
2d01db532167eebf691872391503f9a78db139e34310814e25498ae0637f93c2
a310Logger
3a5be6f5c48b666b9af57bc9705f4493bceb0b574fe2e31a748ef58e1fac0beb
a310Logger
48059f16b5f8c0594033ed72312c84667870344edcda6b35c0a5bc49d4839098
a310Logger
99c692171116b52ea724b6f740a825c680db973e3ff744e9a1b7bb5c34a0c962
a310Logger
b6ea5174aebc1fac4f32eda07c6b161321744aeb7332dac284e21ad550e68a36
a310Logger
d6bbb80e9b3eeb6f8460547ec1bba91b9a4641a264f85d7211dcd1649c23fc85
a310Logger
dce5a0add465419579be0fdfd03155af233f462840033ddbd5a5843d7984707d
a310Logger
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210817-xewz9rjv8e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
0fdfa6d13ec8f554bbb3f3f891c50623efea65796ea4bfef9c3c0327c1681518
MD5 hash:
2b51fbab568fad6b146dc89dcabba703
SHA1 hash:
7b4233d1cef7dbad366434e1538ddda4e8b12f0e
Link:
https://www.unpac.me/results/72f72f43-73b1-4383-b1bb-b1c4e8458e5e/
SH256 hash:
c94546903391ae02a882a35edc76b789f621b3d762a1942bec7e4991d303ad3f
MD5 hash:
1850e334467cb3d48e155786a262f267
SHA1 hash:
542343e8f7d5590d8bc48ac90f8b55faf4ef8632
Link:
https://www.unpac.me/results/72f72f43-73b1-4383-b1bb-b1c4e8458e5e/
SH256 hash:
3af866571039c0de6c76644a179a9f7aa59222dae2f62c295f3caae02839ee21
MD5 hash:
0778bf13dd28358c8da54e38bb72c984
SHA1 hash:
1249ea1a26232be9c29dccd92fac48c9ea172c02
Link:
https://www.unpac.me/results/72f72f43-73b1-4383-b1bb-b1c4e8458e5e/
SH256 hash:
65eeb38ef21735b46b448ba2359cdf12a9f5041e8f0df7385f63be59760bc645
MD5 hash:
67e35ba1e64e085fe1226951b88517dc
SHA1 hash:
42252dafdea79b21ff6385715b66fe23ef82680f
Link:
https://www.unpac.me/results/72f72f43-73b1-4383-b1bb-b1c4e8458e5e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/65eeb38ef217/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65eeb38ef21735b46b448ba2359cdf12a9f5041e8f0df7385f63be59760bc645

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180098/

Comments